Listing Firewall Events

I am listing Cloudflare firewall events. However, instead of writing which rule is in the source section, it says firewallCustom. How can I fix this... My code: https://discord.com/channels/595317990191398933/1114130327351332964 Source eq: Http 1.0 Block Rule...
{
  "events": [
    {
      "action": "skip",
      "clientAsn": "8075",
      "clientCountryName": "US",
      "clientIP": "52.167.144.131",
      "clientRequestPath": "/robots.txt",
      "clientRequestQuery": "",
      "datetime": "2023-06-02T19:40:40Z",
      "source": "firewallCustom",
      "userAgent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/103.0.5060.134 Safari/537.36"
    }
  ]
}
20 Replies
Chaika•2y ago
source is just the product. You want ruleId or rulesetId I believe
lokiwindOP•2y ago
Yeah, it could be ruleid, it doesn't matter.
Chaika•2y ago
what do you mean? Are you saying those fields don't contain the http 1.0 block rule id?
lokiwindOP•2y ago
I want to know which rule the incident belongs to. Listing all events for Cloudflare custom rule. I would like to know which custom rule these listed events belong to.
Chaika•2y ago
That's the ruleSetId property
lokiwindOP•2y ago
Hmm so I can't use this feature in firewall events
Chaika•2y ago
that rule has an ID for itself (rulesetId), and an ID for each of the specific rules within it (ruleId)
Chaika•2y ago
and in events, the ruleId = that
Chaika•2y ago
you can filter by it as well
lokiwindOP•2y ago
Ah ok, does every custom rule have a ruleset id?
Chaika•2y ago
err sorry I explained that a bit weirdly, every rule has a ruleId, the rulesetId is the ID for all custom rules in general
Chaika•2y ago
(you can filter by either, of course)
lokiwindOP•2y ago
hmm It's too complicated. 😦
Chaika•2y ago
If you want to filter for a specific rule, just get the rule id, and filter by ruleId. The ruleSetId is just the same ID for all custom rules within your zone, as I understand it
lokiwindOP•2y ago
Querying Magic Firewall Samples with GraphQL · Cloudflare Analytics...
In this example, we are going to use the GraphQL Analytics API to query for Magic Firewall Samples over a specified time period.
Chaika•2y ago
looks like it, yep.
lokiwindOP•2y ago
😘
Chaika•2y ago
If it's worth mentioning, that uses groups with sampling, i.e. firewallEventsAdaptiveGroups, not firewallEventsAdaptive, and firewallEventsAdaptiveGroups seems to be Pro or higher. Even without that exact query though, you can just add ruleId to your list of fields in firewallEventsAdaptive and do the grouping/counting yourself, up to a point
lokiwindOP•2y ago
{
  "events": [
    {
      "action": "challenge",
      "clientAsn": "4134",
      "clientCountryName": "CN",
      "clientIP": "124.235.138.30",
      "clientRequestPath": "/",
      "clientRequestQuery": "",
      "datetime": "2023-06-02T21:36:26Z",
      "source": "firewallCustom",
      "userAgent": "Mozilla/5.0 (iPad; CPU OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1",
      "ruleId": "f51e15c853554faaa9c0f9165785b0f8"
    }
  ]
}
Yeah, I got it, thank you, mate. @chaika.me