Content security rule violations

Note

Only available to Enterprise customers with a paid add-on.

Shortly after you configure content security rules, the Cloudflare dashboard will start displaying any violations of those rules. This information will be available for rules with any action (Allow and Log).

Information about rule violations is also available via GraphQL API and Logpush.

Review rule violations in the dashboard

To view rule violation information:

New dashboard

1. In the Cloudflare dashboard, go to the Security rules page.

   Go to Security rules

2. (Optional) Filter by Content security rules.

Old dashboard

• In the Cloudflare dashboard, go to Security > Client-side security > Rules.

The displayed information includes the following:

• A sparkline next to the rule name, showing violations in the past seven days.
• For content security rules with associated violations, an expandable details section for each rule, with the top resources present in violation events and a sparkline per top resource.

Get rule violations via GraphQL API

Use the Cloudflare GraphQL API to obtain rule violation information through the following dataset:

• pageShieldReportsAdaptiveGroups

You can query the dataset for rule violations occurred in the past 30 days.

Use introspection to explore the available fields the GraphQL schema. For more information, refer to Explore the GraphQL schema.

For an introduction to GraphQL querying, refer to Querying basics.

Example

Example GraphQL query

query PageShieldReports(
  $zoneTag: string
  $datetimeStart: Time
  $datetimeEnd: Time
) {
  viewer {
    zones(filter: { zoneTag: $zoneTag }) {
      pageShieldReportsAdaptiveGroups(
        limit: 100
        orderBy: [datetime_ASC]
        filter: { datetime_geq: $datetimeStart, datetime_leq: $datetimeEnd }
      ) {
        avg {
          sampleInterval
        }
        count
        dimensions {
          policyID
          datetime
          datetimeMinute
          datetimeFiveMinutes
          datetimeFifteenMinutes
          datetimeHalfOfHour
          datetimeHour
          url
          urlHost
          host
          resourceType
          pageURL
          action
        }
      }
    }
  }
}

Run in GraphQL API Explorer

Example curl request

echo '{ "query":
  "query PageShieldReports($zoneTag: string, $datetimeStart: string, $datetimeEnd: string) {
    viewer {
      zones(filter: {zoneTag: $zoneTag}) {
        pageShieldReportsAdaptiveGroups(limit: 100,  orderBy: [datetime_ASC], filter: {datetime_geq:$datetimeStart, datetime_leq:$datetimeEnd}) {
          avg {
            sampleInterval
          }
          count
          dimensions {
            policyID
            datetime
            datetimeMinute
            datetimeFiveMinutes
            datetimeFifteenMinutes
            datetimeHalfOfHour
            datetimeHour
            url
            urlHost
            host
            resourceType
            pageURL
            action
          }
        }
      }
    }
  }",
  "variables": {
    "zoneTag": "<CLOUDFLARE_ZONE_ID>",
    "datetimeStart": "2023-04-17T11:00:00Z",
    "datetimeEnd": "2023-04-24T12:00:00Z"
  }
}' | tr -d '\n' | curl --silent \
https://api.cloudflare.com/client/v4/graphql \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
--header "Content-Type: application/json" \
--data @-

Get rule violations via Logpush

Cloudflare Logpush supports pushing logs to storage services, SIEM systems, and log management providers.

Information about rule violations is available in the page_shield_events dataset.

For more information on configuring Logpush jobs, refer to Logpush documentation.