API Reference

Cloudforce One

Threat Events

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Filter and list events

cloudforce_one.threat_events.list(ThreatEventListParams**kwargs) -> ThreatEventListResponse

GET/accounts/{account_id}/cloudforce-one/events

When datasetId is unspecified, events will be listed from the Cloudforce One Threat Events dataset. To list existing datasets (and their IDs), use the List Datasets endpoint). Also, must provide query parameters.

Security

API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY

Accepted Permissions (at least one required)

Cloudforce One WriteCloudforce One Read

ParametersExpand Collapse

account_id: str

Account ID.

cursor: Optional[str]

Cursor for pagination. When provided, filters are embedded in the cursor so you only need to pass cursor and pageSize. Returned in the previous response's result_info.cursor field. Use cursor-based pagination for deep pagination (beyond 100,000 records) or for optimal performance.

dataset_id: Optional[SequenceNotStr[str]]

force_refresh: Optional[bool]

format: Optional[Literal["json", "stix2"]]

One of the following:

"json"

"stix2"

order: Optional[Literal["asc", "desc"]]

One of the following:

"asc"

"desc"

order_by: Optional[str]

page: Optional[float]

Page number (1-indexed) for offset-based pagination. Limited to offset of 100,000 records. For deep pagination, use cursor-based pagination instead.

page_size: Optional[float]

Number of results per page. Maximum 25,000.

search: Optional[Iterable[Search]]

field: Optional[str]

Event field to search on. Allowed: attacker, attackerCountry, category, createdAt, date, event, indicator, indicatorType, killChain, mitreAttack, tags, targetCountry, targetIndustry, tlp, uuid.

op: Optional[Literal["equals", "not", "gt", 9 more]]

Search operator. Use 'in' for bulk lookup of up to 100 values at once, e.g. {field:'tags', op:'in', value:['malware','apt']}.

One of the following:

"equals"

"not"

"gt"

"gte"

"lt"

"lte"

"like"

"contains"

"startsWith"

"endsWith"

"in"

"find"

value: Optional[Union[str, float, SequenceNotStr[Union[str, float]]]]

Search value. String or number for most operators. Array for 'in' operator (max 100 items).

One of the following:

str

float

SequenceNotStr[Union[str, float]]

One of the following:

str

float

ReturnsExpand Collapse

List[ThreatEventListResponseItem]

attacker: str

attacker_country: str

category: str

dataset_id: str

date: str

event: str

has_children: bool

indicator: str

indicator_type: str

indicator_type_id: float

kill_chain: float

mitre_attack: List[str]

mitre_capec: List[str]

num_referenced: float

num_references: float

raw_id: str

referenced: List[str]

referenced_ids: List[float]

references: List[str]

references_ids: List[float]

tags: List[str]

target_country: str

target_industry: str

tlp: str

uuid: str

insight: Optional[str]

releasability_id: Optional[str]

Filter and list events

Python

HTTP

TypeScript

Python

Go

Terraform

import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
threat_events = client.cloudforce_one.threat_events.list(
    account_id="account_id",
)
print(threat_events)

200 example

[
  {
    "attacker": "Flying Yeti",
    "attackerCountry": "CN",
    "category": "Domain Resolution",
    "datasetId": "dataset-example-id",
    "date": "2022-04-01T00:00:00Z",
    "event": "An attacker registered the domain domain.com",
    "hasChildren": true,
    "indicator": "domain.com",
    "indicatorType": "domain",
    "indicatorTypeId": 5,
    "killChain": 0,
    "mitreAttack": [
      " "
    ],
    "mitreCapec": [
      " "
    ],
    "numReferenced": 0,
    "numReferences": 0,
    "rawId": "453gw34w3",
    "referenced": [
      " "
    ],
    "referencedIds": [
      0
    ],
    "references": [
      " "
    ],
    "referencesIds": [
      0
    ],
    "tags": [
      "malware"
    ],
    "targetCountry": "US",
    "targetIndustry": "Agriculture",
    "tlp": "amber",
    "uuid": "12345678-1234-1234-1234-1234567890ab",
    "insight": "insight",
    "releasabilityId": "releasabilityId"
  }
]

Returns Examples

200 example

[
  {
    "attacker": "Flying Yeti",
    "attackerCountry": "CN",
    "category": "Domain Resolution",
    "datasetId": "dataset-example-id",
    "date": "2022-04-01T00:00:00Z",
    "event": "An attacker registered the domain domain.com",
    "hasChildren": true,
    "indicator": "domain.com",
    "indicatorType": "domain",
    "indicatorTypeId": 5,
    "killChain": 0,
    "mitreAttack": [
      " "
    ],
    "mitreCapec": [
      " "
    ],
    "numReferenced": 0,
    "numReferences": 0,
    "rawId": "453gw34w3",
    "referenced": [
      " "
    ],
    "referencedIds": [
      0
    ],
    "references": [
      " "
    ],
    "referencesIds": [
      0
    ],
    "tags": [
      "malware"
    ],
    "targetCountry": "US",
    "targetIndustry": "Agriculture",
    "tlp": "amber",
    "uuid": "12345678-1234-1234-1234-1234567890ab",
    "insight": "insight",
    "releasabilityId": "releasabilityId"
  }
]