Checking firewall events via API
I want to check firewall events using the API (the ones that appear on the security tab). I am mainly interested in the number of events in a given time. How could I do this, and what is the minimum time period I can check?
It's part of the GraphQL API: https://developers.cloudflare.com/analytics/graphql-api/tutorials/querying-firewall-events/
Tysm, what is the minimum time period? And how could I see the amount of events on that time period?
I have been experiencing DDoS, and I want to make a script that can check every 10 seconds, for example, how many events occurred in the last 10 seconds and, if a lot of events occurred, activate UAM automatically for a specific period of time. It would be great to see this as a feature though.
Minimum time period - like 1 minute I think? Maximum is 24 hours unless you have Business (72 hours) or Enterprise (30 days)
and it will return the total amount, yes:
Perfect, Tysm
If you have skip rules set up with logging enabled then make sure to filter out the Skip actions or you'll get good traffic mixed up in the total
If you're really sneaky on the dashboard you can look at the browser network log to see what queries it sends
for last 30 minutes of security events excluding Skip it does some complex query like this (replace account and zone tags with your own)
reupload in pretty print
datetime_geq and datetime_leq need adjustment as well as account and zone tags
But there is more than one datetime thing
yeah
I'm not a GraphQL expert so I don't know why 😄 the queries from the dashboard are scary, you may have better luck making your own if you know what you're doing
I will, thank you for your help
There is a problem
What is the time from a log being made to it showing on the api?
Between 1-3 minutes from my experience
Uhm
That’s not very good
It's not designed to be used as realtime logs 🙂
Is there any way to make it faster?
And what is?
No
You need Business or Enterprise https://developers.cloudflare.com/logs
Instant Logs through a websocket is the most realtime of them all
Oh :c
Isn’t there any other way without business or enterprise?
No, the only other way to get events is through the GraphQL Analytics API, which has a short delay as it's not designed for realtime use
But it should be sufficient for responding to threats within a matter of minutes