Querying Firewall Events with GraphQL
In this example, we are going to use the GraphQL Analytics API to query for Firewall Events over a specified time period.
The following API call will request Firewall Events over a one hour period, and output the requested fields. Be sure to replace CLOUDFLARE_ZONE_ID
, CLOUDFLARE_EMAIL
, and CLOUDFLARE_API_KEY
with your zone tag and API credentials, and adjust the datetime_geg
and datetime_leq
values to your liking.
API Call
echo '{ "query":"query ListFirewallEvents($zoneTag: string, $filter: FirewallEventsAdaptiveFilter_InputObject) {viewer {zones(filter: { zoneTag: $zoneTag }) {firewallEventsAdaptive(filter: $filterlimit: 10orderBy: [datetime_DESC]) {actionclientAsnclientCountryNameclientIPclientRequestPathclientRequestQuerydatetimesourceuserAgent}}}}","variables": {"zoneTag": "CLOUDFLARE_ZONE_ID","filter": {"datetime_geq": "2022-07-24T11:00:00Z","datetime_leq": "2022-07-24T12:00:00Z"}}}' | tr -d '\n' | curl \-X POST \-H "Content-Type: application/json" \-H "X-Auth-Email: CLOUDFLARE_EMAIL" \-H "X-Auth-key: CLOUDFLARE_API_KEY" \-s \-d @- \https://api.cloudflare.com/client/v4/graphql/
The results returned will be in JSON (as requested), so piping the output to jq
will make them easier to read, for example:
... | curl \-X POST \-H "Content-Type: application/json" \-H "X-Auth-Email: CLOUDFLARE_EMAIL" \-H "X-Auth-key: CLOUDFLARE_API_KEY" \-s \-d @- \https://api.cloudflare.com/client/v4/graphql/ | jq .#=> {#=> "data": {#=> "viewer": {#=> "zones": [#=> {#=> "firewallEventsAdaptive": [#=> {#=> "action": "log",#=> "clientAsn": "5089",#=> "clientCountryName": "GB",#=> "clientIP": "203.0.113.69",#=> "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",#=> "clientRequestQuery": "",#=> "datetime": "2020-04-24T10:11:24Z",#=> "source": "waf",#=> "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"#=> },#=> {#=> "action": "log",#=> "clientAsn": "5089",#=> "clientCountryName": "GB",#=> "clientIP": "203.0.113.69",#=> "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",#=> "clientRequestQuery": "",#=> "datetime": "2020-04-24T10:11:24Z",#=> "source": "waf",#=> "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"#=> },#=> {#=> "action": "log",#=> "clientAsn": "5089",#=> "clientCountryName": "GB",#=> "clientIP": "203.0.113.69",#=> "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",#=> "clientRequestQuery": "",#=> "datetime": "2020-04-24T10:11:24Z",#=> "source": "waf",#=> "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"#=> },#=> {#=> "action": "log",#=> "clientAsn": "5089",#=> "clientCountryName": "GB",#=> "clientIP": "203.0.113.69",#=> "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",#=> "clientRequestQuery": "",#=> "datetime": "2020-04-24T10:11:24Z",#=> "source": "waf",#=> "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"#=> },#=> {#=> "action": "log",#=> "clientAsn": "5089",#=> "clientCountryName": "GB",#=> "clientIP": "203.0.113.69",#=> "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",#=> "clientRequestQuery": "",#=> "datetime": "2020-04-24T10:11:24Z",#=> "source": "waf",#=> "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"#=> },#=> {#=> "action": "log",#=> "clientAsn": "5089",#=> "clientCountryName": "GB",#=> "clientIP": "203.0.113.69",#=> "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",#=> "clientRequestQuery": "",#=> "datetime": "2020-04-24T10:11:24Z",#=> "source": "waf",#=> "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"#=> },#=> {#=> "action": "log",#=> "clientAsn": "5089",#=> "clientCountryName": "GB",#=> "clientIP": "203.0.113.69",#=> "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",#=> "clientRequestQuery": "",#=> "datetime": "2020-04-24T10:11:24Z",#=> "source": "waf",#=> "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"#=> },#=> {#=> "action": "block",#=> "clientAsn": "5089",#=> "clientCountryName": "GB",#=> "clientIP": "203.0.113.69",#=> "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",#=> "clientRequestQuery": "",#=> "datetime": "2020-04-24T10:11:24Z",#=> "source": "waf",#=> "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"#=> },#=> {#=> "action": "log",#=> "clientAsn": "58224",#=> "clientCountryName": "IR",#=> "clientIP": "2.183.175.37",#=> "clientRequestPath": "/api/v2",#=> "clientRequestQuery": "",#=> "datetime": "2020-04-24T10:00:54Z",#=> "source": "waf",#=> "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"#=> },#=> {#=> "action": "log",#=> "clientAsn": "58224",#=> "clientCountryName": "IR",#=> "clientIP": "2.183.175.37",#=> "clientRequestPath": "/api/v2",#=> "clientRequestQuery": "",#=> "datetime": "2020-04-24T10:00:54Z",#=> "source": "waf",#=> "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"#=> }#=> ]#=> }#=> ]#=> }#=> },#=> "errors": null#=> }