# Threat Events

## Filter and list events

**get** `/accounts/{account_id}/cloudforce-one/events`

When `datasetId` is unspecified, events will be listed from the `Cloudforce One Threat Events` dataset. To list existing datasets (and their IDs), use the [`List Datasets`](https://developers.cloudflare.com/api/resources/cloudforce_one/subresources/threat_events/subresources/datasets/methods/list/) endpoint. You must also provide query parameters.

### Path Parameters

- `account_id: string`
  Account ID.

### Query Parameters

- `cursor: optional string`
  Cursor for pagination. When provided, filters are embedded in the cursor so you only need to pass `cursor` and `pageSize`. Returned in the previous response's `result_info.cursor` field. Use cursor-based pagination for deep pagination (beyond 100,000 records) or for optimal performance.
- `datasetId: optional array of string`
- `forceRefresh: optional boolean`
- `format: optional "json" or "stix2"`
  - `"json"`
  - `"stix2"`
- `order: optional "asc" or "desc"`
  - `"asc"`
  - `"desc"`
- `orderBy: optional string`
- `page: optional number`
  Page number (1-indexed) for offset-based pagination. Limited to offset of 100,000 records. For deep pagination, use cursor-based pagination instead.
- `pageSize: optional number`
  Number of results per page. Maximum 25,000.
- `search: optional array of object { field, op, value }`
  - `field: optional string`
    Event field to search on. Allowed: attacker, attackerCountry, category, createdAt, date, event, indicator, indicatorType, killChain, mitreAttack, tags, targetCountry, targetIndustry, tlp, uuid.
  - `op: optional "equals" or "not" or "gt" or 9 more`
    Search operator. Use 'in' for bulk lookup of up to 100 values at once, e.g. `{field:'tags', op:'in', value:['malware','apt']}`.
    - `"equals"`
    - `"not"`
    - `"gt"`
    - `"gte"`
    - `"lt"`
    - `"lte"`
    - `"like"`
    - `"contains"`
    - `"startsWith"`
    - `"endsWith"`
    - `"in"`
    - `"find"`
  - `value: optional string or number or array of string or number`
    Search value. String or number for most operators. Array for 'in' operator (max 100 items).
    - `string`
    - `number`
    - `array of string or number`
      - `string`
      - `number`

### Returns

- `attacker: string`
- `attackerCountry: string`
- `category: string`
- `datasetId: string`
- `date: string`
- `event: string`
- `hasChildren: boolean`
- `indicator: string`
- `indicatorType: string`
- `indicatorTypeId: number`
- `killChain: number`
- `mitreAttack: array of string`
- `mitreCapec: array of string`
- `numReferenced: number`
- `numReferences: number`
- `rawId: string`
- `referenced: array of string`
- `referencedIds: array of number`
- `references: array of string`
- `referencesIds: array of number`
- `tags: array of string`
- `targetCountry: string`
- `targetIndustry: string`
- `tlp: string`
- `uuid: string`
- `insight: optional string`
- `releasabilityId: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
[
  {
    "attacker": "Flying Yeti",
    "attackerCountry": "CN",
    "category": "Domain Resolution",
    "datasetId": "dataset-example-id",
    "date": "2022-04-01T00:00:00Z",
    "event": "An attacker registered the domain domain.com",
    "hasChildren": true,
    "indicator": "domain.com",
    "indicatorType": "domain",
    "indicatorTypeId": 5,
    "killChain": 0,
    "mitreAttack": [" "],
    "mitreCapec": [" "],
    "numReferenced": 0,
    "numReferences": 0,
    "rawId": "453gw34w3",
    "referenced": [" "],
    "referencedIds": [0],
    "references": [" "],
    "referencesIds": [0],
    "tags": ["malware"],
    "targetCountry": "US",
    "targetIndustry": "Agriculture",
    "tlp": "amber",
    "uuid": "12345678-1234-1234-1234-1234567890ab",
    "insight": "insight",
    "releasabilityId": "releasabilityId"
  }
]
```

## Reads an event

**get** `/accounts/{account_id}/cloudforce-one/events/{event_id}`

This method is deprecated. Please use `/events/dataset/:dataset_id/events/:event_id` instead.

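Added example (not part of Cloudflare's documentation or SDK) for the `search` and `cursor` parameters of Filter and list events above: it checks filters against the fields, operators and limits listed there, splits a long indicator list into `in` lookups of at most 100 values, and follows `result_info.cursor`. The `fetch_page` callable, the `result` envelope key and an empty cursor on the last page are assumptions, and the sample events are constructed.

```python
# Enumerations and limits copied from the parameter descriptions on this page.
ALLOWED_FIELDS = frozenset(
    "attacker attackerCountry category createdAt date event indicator indicatorType "
    "killChain mitreAttack tags targetCountry targetIndustry tlp uuid".split())
ALLOWED_OPS = frozenset(
    "equals not gt gte lt lte like contains startsWith endsWith in find".split())
MAX_IN_VALUES = 100      # 'in' takes up to 100 values
MAX_PAGE_SIZE = 25_000   # pageSize maximum


def make_filter(field, op, value):
    """Validate one `search` object {field, op, value} before it is sent."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field {field!r} is not searchable")
    if op not in ALLOWED_OPS:
        raise ValueError(f"unknown operator {op!r}")
    if op == "in":
        if not isinstance(value, (list, tuple)) or not 1 <= len(value) <= MAX_IN_VALUES:
            raise ValueError("'in' needs a non-empty list of at most 100 values")
        return {"field": field, "op": op, "value": list(value)}
    if isinstance(value, bool) or not isinstance(value, (str, int, float)):
        raise ValueError(f"operator {op!r} needs a string or a number")
    return {"field": field, "op": op, "value": value}


def bulk_lookup_filters(field, values):
    """Deduplicate `values` and split them into 'in' filters of at most 100 each."""
    unique = list(dict.fromkeys(values))
    return [make_filter(field, "in", unique[i:i + MAX_IN_VALUES])
            for i in range(0, len(unique), MAX_IN_VALUES)]


def iter_events(fetch_page, search, page_size=1000):
    """Yield every event matching `search`, following result_info.cursor.

    `fetch_page(params) -> dict` is a hypothetical callable that performs the
    GET and returns the parsed body.
    """
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError("pageSize must be between 1 and 25,000")
    params = {"search": search, "pageSize": page_size}
    seen = set()
    while True:
        body = fetch_page(params)
        yield from body.get("result", [])   # assumed envelope key
        cursor = (body.get("result_info") or {}).get("cursor")
        if not cursor:                      # assumption: no cursor on the last page
            return
        if cursor in seen:                  # never loop forever on a repeated cursor
            raise RuntimeError("cursor repeated; aborting pagination")
        seen.add(cursor)
        # Filters are embedded in the cursor, so only cursor and pageSize are sent.
        params = {"cursor": cursor, "pageSize": page_size}


def lookup_indicators(fetch_page, indicators, page_size=1000):
    """Check any number of indicators: one query per 100-value chunk, merged by uuid."""
    found = {}
    for flt in bulk_lookup_filters("indicator", indicators):
        for event in iter_events(fetch_page, [flt], page_size):
            found[event["uuid"]] = event
    return found


# Constructed sample data and a constructed stand-in for the HTTP call.
SAMPLE_EVENTS = [{"uuid": f"u{i}", "indicator": f"host{i}.example", "tlp": "amber"}
                 for i in range(5)]


def make_fake_fetch(events):
    """Return (fetch_page, calls); the fake serves 'in' matches page by page."""
    sessions, calls = {}, []

    def fetch(params):
        calls.append(dict(params))
        if "cursor" in params:
            sid, offset = params["cursor"].split(":")
            matches, offset = sessions[sid], int(offset)
        else:
            matches = [e for e in events
                       if all(e.get(f["field"]) in f["value"] for f in params["search"])]
            sid, offset = str(len(sessions)), 0
            sessions[sid] = matches
        end = offset + params["pageSize"]
        cursor = f"{sid}:{end}" if end < len(matches) else None
        return {"result": matches[offset:end], "result_info": {"cursor": cursor}}

    return fetch, calls


if __name__ == "__main__":
    fetch, calls = make_fake_fetch(SAMPLE_EVENTS)
    hits = lookup_indicators(fetch, ["host0.example", "host2.example", "host4.example"], 2)
    print(sorted(hits), "in", len(calls), "requests")
```
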
### Path Parameters

- `account_id: string`
  Account ID.
- `event_id: string`
  Event UUID.

### Returns

- `attacker: string`
- `attackerCountry: string`
- `category: string`
- `datasetId: string`
- `date: string`
- `event: string`
- `hasChildren: boolean`
- `indicator: string`
- `indicatorType: string`
- `indicatorTypeId: number`
- `killChain: number`
- `mitreAttack: array of string`
- `mitreCapec: array of string`
- `numReferenced: number`
- `numReferences: number`
- `rawId: string`
- `referenced: array of string`
- `referencedIds: array of number`
- `references: array of string`
- `referencesIds: array of number`
- `tags: array of string`
- `targetCountry: string`
- `targetIndustry: string`
- `tlp: string`
- `uuid: string`
- `insight: optional string`
- `releasabilityId: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/$EVENT_ID \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "attacker": "Flying Yeti",
  "attackerCountry": "CN",
  "category": "Domain Resolution",
  "datasetId": "dataset-example-id",
  "date": "2022-04-01T00:00:00Z",
  "event": "An attacker registered the domain domain.com",
  "hasChildren": true,
  "indicator": "domain.com",
  "indicatorType": "domain",
  "indicatorTypeId": 5,
  "killChain": 0,
  "mitreAttack": [" "],
  "mitreCapec": [" "],
  "numReferenced": 0,
  "numReferences": 0,
  "rawId": "453gw34w3",
  "referenced": [" "],
  "referencedIds": [0],
  "references": [" "],
  "referencesIds": [0],
  "tags": ["malware"],
  "targetCountry": "US",
  "targetIndustry": "Agriculture",
  "tlp": "amber",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "insight": "insight",
  "releasabilityId": "releasabilityId"
}
```

## Creates a new event

**post** `/accounts/{account_id}/cloudforce-one/events/create`

To create a dataset, see the [`Create Dataset`](https://developers.cloudflare.com/api/resources/cloudforce_one/subresources/threat_events/subresources/datasets/methods/create/) endpoint.
When `datasetId` parameter is unspecified, it will be created in a default dataset named `Cloudforce One Threat Events`.

### Path Parameters

- `account_id: string`
  Account ID.

### Body Parameters

- `category: string`
- `date: string`
- `event: string`
- `raw: object { data, source, tlp }`
  - `data: map[unknown]`
  - `source: optional string`
  - `tlp: optional string`
- `tlp: string`
- `accountId: optional number`
- `attacker: optional string`
- `attackerCountry: optional string`
- `datasetId: optional string`
- `indicator: optional string`
- `indicators: optional array of object { indicatorType, value }`
  Array of indicators for this event. Supports multiple indicators per event for complex scenarios.
  - `indicatorType: string`
    The type of indicator (e.g., DOMAIN, IP, JA3, HASH)
  - `value: string`
    The indicator value (e.g., domain name, IP address, hash)
- `indicatorType: optional string`
- `insight: optional string`
- `tags: optional array of string`
- `targetCountry: optional string`
- `targetIndustry: optional string`

### Returns

- `attacker: string`
- `attackerCountry: string`
- `category: string`
- `datasetId: string`
- `date: string`
- `event: string`
- `hasChildren: boolean`
- `indicator: string`
- `indicatorType: string`
- `indicatorTypeId: number`
- `killChain: number`
- `mitreAttack: array of string`
- `mitreCapec: array of string`
- `numReferenced: number`
- `numReferences: number`
- `rawId: string`
- `referenced: array of string`
- `referencedIds: array of number`
- `references: array of string`
- `referencesIds: array of number`
- `tags: array of string`
- `targetCountry: string`
- `targetIndustry: string`
- `tlp: string`
- `uuid: string`
- `insight: optional string`
- `releasabilityId: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/create \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "category": "Domain Resolution",
          "date": "2022-04-01T00:00:00Z",
          "event": "An attacker registered the domain domain.com",
          "raw": {
            "data": {
              "foo": "bar"
            }
          },
          "tlp": "amber",
          "accountId": 123456,
          "attacker": "Flying Yeti",
          "attackerCountry": "CN",
          "datasetId": "durableObjectName",
          "indicator": "domain.com",
          "indicatorType": "domain",
          "insight": "This domain was likely registered for phishing purposes",
          "targetCountry": "US",
          "targetIndustry": "Agriculture"
        }'
```

#### Response

```json
{
  "attacker": "Flying Yeti",
  "attackerCountry": "CN",
  "category": "Domain Resolution",
  "datasetId": "dataset-example-id",
  "date": "2022-04-01T00:00:00Z",
  "event": "An attacker registered the domain domain.com",
  "hasChildren": true,
  "indicator": "domain.com",
  "indicatorType": "domain",
  "indicatorTypeId": 5,
  "killChain": 0,
  "mitreAttack": [" "],
  "mitreCapec": [" "],
  "numReferenced": 0,
  "numReferences": 0,
  "rawId": "453gw34w3",
  "referenced": [" "],
  "referencedIds": [0],
  "references": [" "],
  "referencesIds": [0],
  "tags": ["malware"],
  "targetCountry": "US",
  "targetIndustry": "Agriculture",
  "tlp": "amber",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "insight": "insight",
  "releasabilityId": "releasabilityId"
}
```

## Updates an event

**patch** `/accounts/{account_id}/cloudforce-one/events/{event_id}`

Updates an event

### Path Parameters

- `account_id: string`
  Account ID.
- `event_id: string`
  Event UUID.

### Body Parameters

- `datasetId: string`
  Dataset ID containing the event to update.
- `attacker: optional string`
- `attackerCountry: optional string`
- `category: optional string`
- `createdAt: optional string`
- `date: optional string`
- `event: optional string`
- `indicator: optional string`
- `indicatorType: optional string`
- `insight: optional string`
- `raw: optional object { data, source, tlp }`
  - `data: optional map[unknown]`
  - `source: optional string`
  - `tlp: optional string`
- `targetCountry: optional string`
- `targetIndustry: optional string`
- `tlp: optional string`

### Returns

- `attacker: string`
- `attackerCountry: string`
- `category: string`
- `datasetId: string`
- `date: string`
- `event: string`
- `hasChildren: boolean`
- `indicator: string`
- `indicatorType: string`
- `indicatorTypeId: number`
- `killChain: number`
- `mitreAttack: array of string`
- `mitreCapec: array of string`
- `numReferenced: number`
- `numReferences: number`
- `rawId: string`
- `referenced: array of string`
- `referencedIds: array of number`
- `references: array of string`
- `referencesIds: array of number`
- `tags: array of string`
- `targetCountry: string`
- `targetIndustry: string`
- `tlp: string`
- `uuid: string`
- `insight: optional string`
- `releasabilityId: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/$EVENT_ID \
    -X PATCH \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "datasetId": "9b769969-a211-466c-8ac3-cb91266a066a",
          "attacker": "Flying Yeti",
          "attackerCountry": "CN",
          "category": "Domain Resolution",
          "createdAt": "2025-12-19T00:00:00Z",
          "date": "2022-04-01T00:00:00Z",
          "event": "An attacker registered the domain domain.com",
          "indicator": "domain2.com",
          "indicatorType": "domain",
          "insight": "new insight",
          "targetCountry": "US",
          "targetIndustry": "Insurance",
          "tlp": "amber"
        }'
```

#### Response

```json
{
  "attacker": "Flying Yeti",
  "attackerCountry": "CN",
  "category": "Domain Resolution",
  "datasetId": "dataset-example-id",
  "date": "2022-04-01T00:00:00Z",
  "event": "An attacker registered the domain domain.com",
  "hasChildren": true,
  "indicator": "domain.com",
  "indicatorType": "domain",
  "indicatorTypeId": 5,
  "killChain": 0,
  "mitreAttack": [" "],
  "mitreCapec": [" "],
  "numReferenced": 0,
  "numReferences": 0,
  "rawId": "453gw34w3",
  "referenced": [" "],
  "referencedIds": [0],
  "references": [" "],
  "referencesIds": [0],
  "tags": ["malware"],
  "targetCountry": "US",
  "targetIndustry": "Agriculture",
  "tlp": "amber",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "insight": "insight",
  "releasabilityId": "releasabilityId"
}
```

## Creates bulk events

**post** `/accounts/{account_id}/cloudforce-one/events/create/bulk`

The `datasetId` parameter must be defined. To list existing datasets (and their IDs) in your account, use the [`List Datasets`](https://developers.cloudflare.com/api/resources/cloudforce_one/subresources/threat_events/subresources/datasets/methods/list/) endpoint.

### Path Parameters

- `account_id: string`
  Account ID.

### Body Parameters

- `data: array of object { category, date, event, 13 more }`
  - `category: string`
  - `date: string`
  - `event: string`
  - `raw: object { data, source, tlp }`
    - `data: map[unknown]`
    - `source: optional string`
    - `tlp: optional string`
  - `tlp: string`
  - `accountId: optional number`
  - `attacker: optional string`
  - `attackerCountry: optional string`
  - `datasetId: optional string`
  - `indicator: optional string`
  - `indicators: optional array of object { indicatorType, value }`
    Array of indicators for this event. Supports multiple indicators per event for complex scenarios.
    - `indicatorType: string`
      The type of indicator (e.g., DOMAIN, IP, JA3, HASH)
    - `value: string`
      The indicator value (e.g., domain name, IP address, hash)
  - `indicatorType: optional string`
  - `insight: optional string`
  - `tags: optional array of string`
  - `targetCountry: optional string`
  - `targetIndustry: optional string`
- `datasetId: string`
- `includeCreatedEvents: optional boolean`
  When true, response includes array of created event UUIDs and shard IDs. Useful for tracking which events were created and where.

### Returns

- `createdEventsCount: number`
  Number of events created
- `createdTagsCount: number`
  Number of new tags created in SoT
- `errorCount: number`
  Number of errors encountered
- `queuedIndicatorsCount: number`
  Number of indicators queued for async processing
- `createBulkEventsRequestId: optional string`
  Correlation ID for async indicator processing
- `createdEvents: optional array of object { eventIndex, shardId, uuid }`
  Array of created events with UUIDs and shard locations. Only present when includeCreatedEvents=true
  - `eventIndex: number`
    Original index in the input data array
  - `shardId: string`
    Dataset ID of the shard where the event was created
  - `uuid: string`
    UUID of the created event
- `errors: optional array of object { error, eventIndex }`
  Array of error details
  - `error: string`
    Error message
  - `eventIndex: number`
    Index of the event that caused the error

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/create/bulk \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "data": [
            {
              "category": "Domain Resolution",
              "date": "2022-04-01T00:00:00Z",
              "event": "An attacker registered the domain domain.com",
              "raw": {
                "data": {
                  "foo": "bar"
                }
              },
              "tlp": "amber"
            }
          ],
          "datasetId": "durableObjectName"
        }'
```

#### Response

```json
{
  "createdEventsCount": 0,
  "createdTagsCount": 0,
  "errorCount": 0,
  "queuedIndicatorsCount": 0,
  "createBulkEventsRequestId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
  "createdEvents": [
    {
      "eventIndex": 0,
      "shardId": "shardId",
      "uuid": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    }
  ],
  "errors": [
    {
      "error": "error",
      "eventIndex": 0
    }
  ]
}
```

## Domain Types

### Threat Event List Response

- `ThreatEventListResponse = array of object { attacker, attackerCountry, category, 24 more }`
  - `attacker: string`
  - `attackerCountry: string`
  - `category: string`
  - `datasetId: string`
  - `date: string`
  - `event: string`
  - `hasChildren: boolean`
  - `indicator: string`
  - `indicatorType: string`
  - `indicatorTypeId: number`
  - `killChain: number`
  - `mitreAttack: array of string`
  - `mitreCapec: array of string`
  - `numReferenced: number`
  - `numReferences: number`
  - `rawId: string`
  - `referenced: array of string`
  - `referencedIds: array of number`
  - `references: array of string`
  - `referencesIds: array of number`
  - `tags: array of string`
  - `targetCountry: string`
  - `targetIndustry: string`
  - `tlp: string`
  - `uuid: string`
  - `insight: optional string`
  - `releasabilityId: optional string`

### Threat Event Get Response

- `ThreatEventGetResponse = object { attacker, attackerCountry, category, 24 more }`
  - `attacker: string`
  - `attackerCountry: string`
  - `category: string`
  - `datasetId: string`
  - `date: string`
  - `event: string`
  - `hasChildren: boolean`
  - `indicator: string`
  - `indicatorType: string`
  - `indicatorTypeId: number`
  - `killChain: number`
  - `mitreAttack: array of string`
  - `mitreCapec: array of string`
  - `numReferenced: number`
  - `numReferences: number`
  - `rawId: string`
  - `referenced: array of string`
  - `referencedIds: array of number`
  - `references: array of string`
  - `referencesIds: array of number`
  - `tags: array of string`
  - `targetCountry: string`
  - `targetIndustry: string`
  - `tlp: string`
  - `uuid: string`
  - `insight: optional string`
  - `releasabilityId: optional string`

### Threat Event Create Response

- `ThreatEventCreateResponse = object { attacker, attackerCountry, category, 24 more }`
  - `attacker: string`
  - `attackerCountry: string`
  - `category: string`
  - `datasetId: string`
  - `date: string`
  - `event: string`
  - `hasChildren: boolean`
  - `indicator: string`
  - `indicatorType: string`
  - `indicatorTypeId: number`
  - `killChain: number`
  - `mitreAttack: array of string`
  - `mitreCapec: array of string`
  - `numReferenced: number`
  - `numReferences: number`
  - `rawId: string`
  - `referenced: array of string`
  - `referencedIds: array of number`
  - `references: array of string`
  - `referencesIds: array of number`
  - `tags: array of string`
  - `targetCountry: string`
  - `targetIndustry: string`
  - `tlp: string`
  - `uuid: string`
  - `insight: optional string`
  - `releasabilityId: optional string`

### Threat Event Edit Response

- `ThreatEventEditResponse = object { attacker, attackerCountry, category, 24 more }`
  - `attacker: string`
  - `attackerCountry: string`
  - `category: string`
  - `datasetId: string`
  - `date: string`
  - `event: string`
  - `hasChildren: boolean`
  - `indicator: string`
  - `indicatorType: string`
  - `indicatorTypeId: number`
  - `killChain: number`
  - `mitreAttack: array of string`
  - `mitreCapec: array of string`
  - `numReferenced: number`
  - `numReferences: number`
  - `rawId: string`
  - `referenced: array of string`
  - `referencedIds: array of number`
  - `references: array of string`
  - `referencesIds: array of number`
  - `tags: array of string`
  - `targetCountry: string`
  - `targetIndustry: string`
  - `tlp: string`
  - `uuid: string`
  - `insight: optional string`
  - `releasabilityId: optional string`

### Threat Event Bulk Create Response

- `ThreatEventBulkCreateResponse = object { createdEventsCount, createdTagsCount, errorCount, 4 more }`
  Detailed result of bulk event creation with auto-tag management
  - `createdEventsCount: number`
    Number of events created
  - `createdTagsCount: number`
    Number of new tags created in SoT
  - `errorCount: number`
    Number of errors encountered
  - `queuedIndicatorsCount: number`
    Number of indicators queued for async processing
  - `createBulkEventsRequestId: optional string`
    Correlation ID for async indicator processing
  - `createdEvents: optional array of object { eventIndex, shardId, uuid }`
    Array of created events with UUIDs and shard locations. Only present when includeCreatedEvents=true
    - `eventIndex: number`
      Original index in the input data array
    - `shardId: string`
      Dataset ID of the shard where the event was created
    - `uuid: string`
      UUID of the created event
  - `errors: optional array of object { error, eventIndex }`
    Array of error details
    - `error: string`
      Error message
    - `eventIndex: number`
      Index of the event that caused the error

# Attackers

## Lists attackers across multiple datasets

**get** `/accounts/{account_id}/cloudforce-one/events/attackers`

Lists attackers across multiple datasets

### Path Parameters

- `account_id: string`
  Account ID.

### Query Parameters

- `datasetIds: optional array of string`
  Array of dataset IDs to query attackers from. If not provided, uses the default dataset.

### Returns

- `items: object { type }`
  - `type: string`
- `type: string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/attackers \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "items": {
    "type": "string"
  },
  "type": "array"
}
```

## Domain Types

### Attacker List Response

- `AttackerListResponse = object { items, type }`
  - `items: object { type }`
    - `type: string`
  - `type: string`

# Categories

## Lists categories across multiple datasets

**get** `/accounts/{account_id}/cloudforce-one/events/categories`

Lists categories across multiple datasets

### Path Parameters

- `account_id: string`
  Account ID.

### Query Parameters

- `datasetIds: optional array of string`
  Array of dataset IDs to query categories from. If not provided, uses the default dataset.

### Returns

- `killChain: number`
- `name: string`
- `uuid: string`
- `mitreAttack: optional array of string`
- `mitreCapec: optional array of string`
- `shortname: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/categories \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
[
  {
    "killChain": 0,
    "name": "name",
    "uuid": "12345678-1234-1234-1234-1234567890ab",
    "mitreAttack": ["T1234"],
    "mitreCapec": ["123"],
    "shortname": "shortname"
  }
]
```

## Reads a category

**get** `/accounts/{account_id}/cloudforce-one/events/categories/{category_id}`

Reads a category

### Path Parameters

- `account_id: string`
  Account ID.
- `category_id: string`
  Category UUID.

### Returns

- `killChain: number`
- `name: string`
- `uuid: string`
- `mitreAttack: optional array of string`
- `mitreCapec: optional array of string`
- `shortname: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/categories/$CATEGORY_ID \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "killChain": 0,
  "name": "name",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "mitreAttack": ["T1234"],
  "mitreCapec": ["123"],
  "shortname": "shortname"
}
```

## Creates a new category

**post** `/accounts/{account_id}/cloudforce-one/events/categories/create`

Creates a new category

### Path Parameters

- `account_id: string`
  Account ID.

### Body Parameters

- `killChain: number`
- `name: string`
- `mitreAttack: optional array of string`
- `mitreCapec: optional array of string`
- `shortname: optional string`

### Returns

- `killChain: number`
- `name: string`
- `uuid: string`
- `mitreAttack: optional array of string`
- `mitreCapec: optional array of string`
- `shortname: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/categories/create \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "killChain": 0,
          "name": "name",
          "shortname": "shortname"
        }'
```

#### Response

```json
{
  "killChain": 0,
  "name": "name",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "mitreAttack": ["T1234"],
  "mitreCapec": ["123"],
  "shortname": "shortname"
}
```

## Updates a category

**patch** `/accounts/{account_id}/cloudforce-one/events/categories/{category_id}`

Updates a category

### Path Parameters

- `account_id: string`
  Account ID.
- `category_id: string`
  Category UUID.

### Body Parameters

- `killChain: optional number`
- `mitreAttack: optional array of string`
- `mitreCapec: optional array of string`
- `name: optional string`
- `shortname: optional string`

### Returns

- `killChain: number`
- `name: string`
- `uuid: string`
- `mitreAttack: optional array of string`
- `mitreCapec: optional array of string`
- `shortname: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/categories/$CATEGORY_ID \
    -X PATCH \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "killChain": 0,
  "name": "name",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "mitreAttack": ["T1234"],
  "mitreCapec": ["123"],
  "shortname": "shortname"
}
```

## Deletes a category

**delete** `/accounts/{account_id}/cloudforce-one/events/categories/{category_id}`

Deletes a category

### Path Parameters

- `account_id: string`
  Account ID.
- `category_id: string`
  Category UUID.

### Returns

- `uuid: string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/categories/$CATEGORY_ID \
    -X DELETE \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "uuid": "12345678-1234-1234-1234-1234567890ab"
}
```

## Domain Types

### Category List Response

- `CategoryListResponse = array of object { killChain, name, uuid, 3 more }`
  - `killChain: number`
  - `name: string`
  - `uuid: string`
  - `mitreAttack: optional array of string`
  - `mitreCapec: optional array of string`
  - `shortname: optional string`

### Category Get Response

- `CategoryGetResponse = object { killChain, name, uuid, 3 more }`
  - `killChain: number`
  - `name: string`
  - `uuid: string`
  - `mitreAttack: optional array of string`
  - `mitreCapec: optional array of string`
  - `shortname: optional string`

### Category Create Response

- `CategoryCreateResponse = object { killChain, name, uuid, 3 more }`
  - `killChain: number`
  - `name: string`
  - `uuid: string`
  - `mitreAttack: optional array of string`
  - `mitreCapec: optional array of string`
  - `shortname: optional string`

### Category Edit Response

- `CategoryEditResponse = object { killChain, name, uuid, 3 more }`
  - `killChain: number`
  - `name: string`
  - `uuid: string`
  - `mitreAttack: optional array of string`
  - `mitreCapec: optional array of string`
  - `shortname: optional string`

### Category Delete Response

- `CategoryDeleteResponse = object { uuid }`
  - `uuid: string`

# Countries

## Retrieves countries information for all countries

**get** `/accounts/{account_id}/cloudforce-one/events/countries`

Retrieves countries information for all countries

### Path Parameters

- `account_id: string`
  Account ID.

### Returns

- `result: array of object { alpha3, name }`
  - `alpha3: string`
  - `name: string`
- `success: string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/countries \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
[
  {
    "result": [
      {
        "alpha3": "AF",
        "name": "Afghanistan"
      }
    ],
    "success": "true"
  }
]
```

## Domain Types

### Country List Response

- `CountryListResponse = array of object { result, success }`
  - `result: array of object { alpha3, name }`
    - `alpha3: string`
    - `name: string`
  - `success: string`

# Crons

# Datasets

## Lists all datasets in an account

**get** `/accounts/{account_id}/cloudforce-one/events/dataset`

Lists all datasets in an account

### Path Parameters

- `account_id: string`
  Account ID.

### Returns

- `isPublic: boolean`
- `name: string`
- `uuid: string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/dataset \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
[
  {
    "isPublic": true,
    "name": "friendly dataset name",
    "uuid": "12345678-1234-1234-1234-1234567890ab"
  }
]
```

## Reads a dataset

**get** `/accounts/{account_id}/cloudforce-one/events/dataset/{dataset_id}`

Reads a dataset

### Path Parameters

- `account_id: string`
  Account ID.
- `dataset_id: string`
  Dataset ID.

### Returns

- `isPublic: boolean`
- `name: string`
- `uuid: string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/dataset/$DATASET_ID \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "isPublic": true,
  "name": "friendly dataset name",
  "uuid": "12345678-1234-1234-1234-1234567890ab"
}
```

## Creates a dataset

**post** `/accounts/{account_id}/cloudforce-one/events/dataset/create`

Creates a dataset

### Path Parameters

- `account_id: string`
  Account ID.

### Body Parameters

- `isPublic: boolean`
  If true, then anyone can search the dataset. If false, then it's limited to the account.
- `name: string`
  Used to describe the dataset within the account context.

### Returns

- `isPublic: boolean`
- `name: string`
- `uuid: string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/dataset/create \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "isPublic": true,
          "name": "x"
        }'
```

#### Response

```json
{
  "isPublic": true,
  "name": "friendly dataset name",
  "uuid": "12345678-1234-1234-1234-1234567890ab"
}
```

## Updates an existing dataset

**patch** `/accounts/{account_id}/cloudforce-one/events/dataset/{dataset_id}`

Updates an existing dataset

### Path Parameters

- `account_id: string`
  Account ID.
- `dataset_id: string`
  Dataset ID.

### Body Parameters

- `isPublic: boolean`
  If true, then anyone can search the dataset. If false, then it's limited to the account.
- `name: string`
  Used to describe the dataset within the account context.

### Returns

- `isPublic: boolean`
- `name: string`
- `uuid: string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/dataset/$DATASET_ID \
    -X PATCH \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "isPublic": true,
          "name": "x"
        }'
```

#### Response

```json
{
  "isPublic": true,
  "name": "friendly dataset name",
  "uuid": "12345678-1234-1234-1234-1234567890ab"
}
```

## Reads raw data for an event by UUID

**get** `/accounts/{account_id}/cloudforce-one/events/raw/{dataset_id}/{event_id}`

Retrieves the raw data associated with an event. Searches across all shards in the dataset.

### Path Parameters

- `account_id: string`
  Account ID.
- `dataset_id: string`
  Dataset ID.
- `event_id: string`
  Event ID.

### Returns

- `id: number`
- `accountId: number`
- `created: string`
- `data: string`
- `source: string`
- `tlp: string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/raw/$DATASET_ID/$EVENT_ID \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "id": 1,
  "accountId": 1234,
  "created": "1970-01-01T00:00:00.000Z",
  "data": "{\"foo\": \"bar\"}",
  "source": "https://example.com",
  "tlp": "amber"
}
```

## Domain Types

### Dataset List Response

- `DatasetListResponse = array of object { isPublic, name, uuid }`
  - `isPublic: boolean`
  - `name: string`
  - `uuid: string`

### Dataset Get Response

- `DatasetGetResponse = object { isPublic, name, uuid }`
  - `isPublic: boolean`
  - `name: string`
  - `uuid: string`

### Dataset Create Response

- `DatasetCreateResponse = object { isPublic, name, uuid }`
  - `isPublic: boolean`
  - `name: string`
  - `uuid: string`

### Dataset Edit Response

- `DatasetEditResponse = object { isPublic, name, uuid }`
  - `isPublic: boolean`
  - `name: string`
  - `uuid: string`

### Dataset Raw Response

- `DatasetRawResponse = object { id, accountId, created, 3 more }`
  - `id: number`
  - `accountId: number`
  - `created: string`
  - `data: string`
  - `source: string`
  - `tlp: string`

# Health

# Indicator Types

## Lists all indicator types

**get** `/accounts/{account_id}/cloudforce-one/events/indicatorTypes`

This method is deprecated. Please use `/events/dataset/:dataset_id/indicatorTypes` instead.

### Path Parameters

- `account_id: string`
  Account ID.

### Returns

- `items: object { type }`
  - `type: string`
- `type: string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/indicatorTypes \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "items": {
    "type": "string"
  },
  "type": "array"
}
```

## Domain Types

### Indicator Type List Response

- `IndicatorTypeListResponse = object { items, type }`
  - `items: object { type }`
    - `type: string`
  - `type: string`

# Raw

## Reads data for a raw event

**get** `/accounts/{account_id}/cloudforce-one/events/{event_id}/raw/{raw_id}`

Reads data for a raw event

### Path Parameters

- `account_id: string`
  Account ID.
- `event_id: string`
  Event UUID.
- `raw_id: string`
  Raw Event UUID.

### Returns

- `id: string`
- `accountId: number`
- `created: string`
- `data: unknown`
- `source: string`
- `tlp: string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/$EVENT_ID/raw/$RAW_ID \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "id": "1234",
  "accountId": 1234,
  "created": "1970-01-01",
  "data": {},
  "source": "https://example.com",
  "tlp": "amber"
}
```

## Updates a raw event

**patch** `/accounts/{account_id}/cloudforce-one/events/{event_id}/raw/{raw_id}`

Updates a raw event

### Path Parameters

- `account_id: string`
  Account ID.
- `event_id: string`
  Event UUID.
- `raw_id: string`
  Raw Event UUID.

### Body Parameters

- `data: optional unknown`
- `source: optional string`
- `tlp: optional string`

### Returns

- `id: string`
- `data: unknown`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/$EVENT_ID/raw/$RAW_ID \
    -X PATCH \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "id": "1234",
  "data": {}
}
```

## Domain Types

### Raw Get Response

- `RawGetResponse = object { id, accountId, created, 3 more }`
  - `id: string`
  - `accountId: number`
  - `created: string`
  - `data: unknown`
  - `source: string`
  - `tlp: string`

### Raw Edit Response

- `RawEditResponse = object { id, data }`
  - `id: string`
  - `data: unknown`

# Relate

## Removes an event reference

**delete** `/accounts/{account_id}/cloudforce-one/events/relate/{event_id}`

Removes an event reference

### Path Parameters

- `account_id: string`

  Account ID.

- `event_id: string`

  Event UUID.

### Returns

- `result: object { success }`
  - `success: boolean`
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/relate/$EVENT_ID \
    -X DELETE \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": {
    "success": true
  },
  "success": true
}
```

## Domain Types

### Relate Delete Response

- `RelateDeleteResponse = object { success }`
  - `success: boolean`

# Tags

## Creates a new tag

**post** `/accounts/{account_id}/cloudforce-one/events/tags/create`

Creates a new tag to be used across threat events.

### Path Parameters

- `account_id: string`

  Account ID.
### Body Parameters

- `value: string`
- `activeDuration: optional string`
- `actorCategory: optional string`
- `aliasGroupNames: optional array of string`
- `aliasGroupNamesInternal: optional array of string`
- `analyticPriority: optional number`
- `attributionConfidence: optional string`
- `attributionOrganization: optional string`
- `categoryUuid: optional string`
- `externalReferenceLinks: optional array of string`
- `internalDescription: optional string`
- `motive: optional string`
- `opsecLevel: optional string`
- `originCountryISO: optional string`
- `priority: optional number`
- `sophisticationLevel: optional string`

### Returns

- `uuid: string`
- `value: string`
- `activeDuration: optional string`
- `actorCategory: optional string`
- `aliasGroupNames: optional array of string`
- `aliasGroupNamesInternal: optional array of string`
- `analyticPriority: optional number`
- `attributionConfidence: optional string`
- `attributionOrganization: optional string`
- `categoryName: optional string`
- `categoryUuid: optional string`
- `externalReferenceLinks: optional array of string`
- `internalDescription: optional string`
- `motive: optional string`
- `opsecLevel: optional string`
- `originCountryISO: optional string`
- `priority: optional number`
- `sophisticationLevel: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/tags/create \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "value": "APT28",
          "categoryUuid": "12345678-1234-1234-1234-1234567890ab"
        }'
```

#### Response

```json
{
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "value": "APT28",
  "activeDuration": "activeDuration",
  "actorCategory": "actorCategory",
  "aliasGroupNames": [
    "string"
  ],
  "aliasGroupNamesInternal": [
    "string"
  ],
  "analyticPriority": 0,
  "attributionConfidence": "attributionConfidence",
  "attributionOrganization": "attributionOrganization",
  "categoryName": "Nation State",
  "categoryUuid": "12345678-1234-1234-1234-1234567890ab",
  "externalReferenceLinks": [
    "string"
  ],
  "internalDescription": "internalDescription",
  "motive": "motive",
  "opsecLevel": "opsecLevel",
  "originCountryISO": "originCountryISO",
  "priority": 0,
  "sophisticationLevel": "sophisticationLevel"
}
```

## Domain Types

### Tag Create Response

- `TagCreateResponse = object { uuid, value, activeDuration, 15 more }`
  - `uuid: string`
  - `value: string`
  - `activeDuration: optional string`
  - `actorCategory: optional string`
  - `aliasGroupNames: optional array of string`
  - `aliasGroupNamesInternal: optional array of string`
  - `analyticPriority: optional number`
  - `attributionConfidence: optional string`
  - `attributionOrganization: optional string`
  - `categoryName: optional string`
  - `categoryUuid: optional string`
  - `externalReferenceLinks: optional array of string`
  - `internalDescription: optional string`
  - `motive: optional string`
  - `opsecLevel: optional string`
  - `originCountryISO: optional string`
  - `priority: optional number`
  - `sophisticationLevel: optional string`

# Event Tags

## Adds a tag to an event

**post** `/accounts/{account_id}/cloudforce-one/events/event_tag/{event_id}/create`

Adds a tag to an event

### Path Parameters

- `account_id: string`

  Account ID.

- `event_id: string`

  Event UUID.

### Body Parameters

- `tags: array of string`

### Returns

- `result: object { success }`
  - `success: boolean`
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/event_tag/$EVENT_ID/create \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "tags": [
            "botnet"
          ]
        }'
```

#### Response

```json
{
  "result": {
    "success": true
  },
  "success": true
}
```

## Removes a tag from an event

**delete** `/accounts/{account_id}/cloudforce-one/events/event_tag/{event_id}`

Removes a tag from an event

### Path Parameters

- `account_id: string`

  Account ID.

- `event_id: string`

  Event UUID.
### Returns

- `result: object { success }`
  - `success: boolean`
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/event_tag/$EVENT_ID \
    -X DELETE \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": {
    "success": true
  },
  "success": true
}
```

## Domain Types

### Event Tag Create Response

- `EventTagCreateResponse = object { success }`
  - `success: boolean`

### Event Tag Delete Response

- `EventTagDeleteResponse = object { success }`
  - `success: boolean`

# Target Industries

## Lists target industries across multiple datasets

**get** `/accounts/{account_id}/cloudforce-one/events/targetIndustries`

Lists target industries across multiple datasets

### Path Parameters

- `account_id: string`

  Account ID.

### Query Parameters

- `datasetIds: optional array of string`

  Array of dataset IDs to query target industries from. If not provided, uses the default dataset.

### Returns

- `items: object { type }`
  - `type: string`
- `type: string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cloudforce-one/events/targetIndustries \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "items": {
    "type": "string"
  },
  "type": "array"
}
```

## Domain Types

### Target Industry List Response

- `TargetIndustryListResponse = object { items, type }`
  - `items: object { type }`
    - `type: string`
  - `type: string`

# Insights