Firewall events
The descriptions below detail the fields available for firewall_events.
| Field | Value | Type |
|---|---|---|
| Action | The code of the first-class action the Cloudflare Firewall took on this request. Possible actions are unknown | allow | block | challenge | jschallenge | log | connectionclose | challengesolved | challengefailed | challengebypassed | jschallengesolved | jschallengefailed | jschallengebypassed | bypass | managedchallenge | managedchallengeskipped | managedchallengenoninteractivesolved | managedchallengeinteractivesolved | managedchallengebypassed. |
string |
| ClientASN | The ASN number of the visitor. | int |
| ClientASNDescription | The ASN of the visitor as string. | string |
| ClientCountry | Country from which request originated. | string |
| ClientIP | The visitor’s IP address (IPv4 or IPv6). | string |
| ClientIPClass | The classification of the visitor’s IP address, possible values are: unknown | badHost | searchEngine | allowlist | monitoringService | noRecord | scan | tor. | string |
| ClientRefererHost | The referer host. | string |
| ClientRefererPath | The referer path requested by visitor. | string |
| ClientRefererQuery | The referer query-string was requested by the visitor. | string |
| ClientRefererScheme | The referer URL scheme requested by the visitor. | string |
| ClientRequestHost | The HTTP hostname requested by the visitor. | string |
| ClientRequestMethod | The HTTP method used by the visitor. | string |
| ClientRequestPath | The path requested by visitor. | string |
| ClientRequestProtocol | The version of HTTP protocol requested by the visitor. | string |
| ClientRequestQuery | The query-string was requested by the visitor. | string |
| ClientRequestScheme | The URL scheme requested by the visitor. | string |
| ClientRequestUserAgent | Visitor’s user-agent string. | string |
| Datetime | The date and time the event occurred at the edge. | int or string |
| Description | The description of the rule triggered by this request. | string |
| EdgeColoCode | The airport code of the Cloudflare datacenter that served this request. | string |
| EdgeResponseStatus | HTTP response status code returned to browser. | int |
| Kind | The kind of event, currently only possible values are: firewall. | string |
| MatchIndex | Rules match index in the chain. The last matching rule will have MatchIndex 0. If another rule matched before the last one, it will have MatchIndex 1. The same applies to any other matching rules, which will have a MatchIndex value of 2, 3, and so on. | int |
| Metadata | Additional product-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by Cloudflare security product and can change over time. | object |
| OriginResponseStatus | HTTP origin response status code returned to browser. | int |
| OriginatorRayID | The RayID of the request that issued the challenge/jschallenge. | string |
| RayID | The RayID of the request. | string |
| Ref | The user-defined identifier for the rule triggered by this request. Use refs to label your rules individually alongside the Cloudflare-provided RuleID. You can set refs via the Rulesets API for some security products. | string |
| RuleID | The Cloudflare security product-specific RuleID triggered by this request. | string |
| Source | The Cloudflare security product triggered by this request. Possible sources are unknown | asn | country | ip | iprange | securitylevel | zonelockdown | waf | firewallrules | uablock | ratelimit | bic | hot | l7ddos | botfight | apishield | botmanagement | dlp | firewallmanaged | firewallcustom. |
string |