## Filter and list events `cloudforce_one.threat_events.list(ThreatEventListParams**kwargs) -> ThreatEventListResponse` **get** `/accounts/{account_id}/cloudforce-one/events` When `datasetId` is unspecified, events will be listed from the `Cloudforce One Threat Events` dataset. To list existing datasets (and their IDs), use the [`List Datasets`](https://developers.cloudflare.com/api/resources/cloudforce_one/subresources/threat_events/subresources/datasets/methods/list/) endpoint). Also, must provide query parameters. ### Parameters - `account_id: str` Account ID. - `cursor: Optional[str]` Cursor for pagination. When provided, filters are embedded in the cursor so you only need to pass cursor and pageSize. Returned in the previous response's result_info.cursor field. Use cursor-based pagination for deep pagination (beyond 100,000 records) or for optimal performance. - `dataset_id: Optional[SequenceNotStr[str]]` - `force_refresh: Optional[bool]` - `format: Optional[Literal["json", "stix2"]]` - `"json"` - `"stix2"` - `order: Optional[Literal["asc", "desc"]]` - `"asc"` - `"desc"` - `order_by: Optional[str]` - `page: Optional[float]` Page number (1-indexed) for offset-based pagination. Limited to offset of 100,000 records. For deep pagination, use cursor-based pagination instead. - `page_size: Optional[float]` Number of results per page. Maximum 25,000. - `search: Optional[Iterable[Search]]` - `field: Optional[str]` Event field to search on. Allowed: attacker, attackerCountry, category, createdAt, date, event, indicator, indicatorType, killChain, mitreAttack, tags, targetCountry, targetIndustry, tlp, uuid. - `op: Optional[Literal["equals", "not", "gt", 9 more]]` Search operator. Use 'in' for bulk lookup of up to 100 values at once, e.g. {field:'tags', op:'in', value:['malware','apt']}. - `"equals"` - `"not"` - `"gt"` - `"gte"` - `"lt"` - `"lte"` - `"like"` - `"contains"` - `"startsWith"` - `"endsWith"` - `"in"` - `"find"` - `value: Optional[Union[str, float, SequenceNotStr[Union[str, float]]]]` Search value. String or number for most operators. Array for 'in' operator (max 100 items). - `str` - `float` - `SequenceNotStr[Union[str, float]]` - `str` - `float` ### Returns - `List[ThreatEventListResponseItem]` - `attacker: str` - `attacker_country: str` - `category: str` - `dataset_id: str` - `date: str` - `event: str` - `has_children: bool` - `indicator: str` - `indicator_type: str` - `indicator_type_id: float` - `kill_chain: float` - `mitre_attack: List[str]` - `mitre_capec: List[str]` - `num_referenced: float` - `num_references: float` - `raw_id: str` - `referenced: List[str]` - `referenced_ids: List[float]` - `references: List[str]` - `references_ids: List[float]` - `tags: List[str]` - `target_country: str` - `target_industry: str` - `tlp: str` - `uuid: str` - `insight: Optional[str]` - `releasability_id: Optional[str]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) threat_events = client.cloudforce_one.threat_events.list( account_id="account_id", ) print(threat_events) ``` #### Response ```json [ { "attacker": "Flying Yeti", "attackerCountry": "CN", "category": "Domain Resolution", "datasetId": "dataset-example-id", "date": "2022-04-01T00:00:00Z", "event": "An attacker registered the domain domain.com", "hasChildren": true, "indicator": "domain.com", "indicatorType": "domain", "indicatorTypeId": 5, "killChain": 0, "mitreAttack": [ " " ], "mitreCapec": [ " " ], "numReferenced": 0, "numReferences": 0, "rawId": "453gw34w3", "referenced": [ " " ], "referencedIds": [ 0 ], "references": [ " " ], "referencesIds": [ 0 ], "tags": [ "malware" ], "targetCountry": "US", "targetIndustry": "Agriculture", "tlp": "amber", "uuid": "12345678-1234-1234-1234-1234567890ab", "insight": "insight", "releasabilityId": "releasabilityId" } ] ```