Checking firewall events via API | Cloudflare Developers | Page 1

atomic compass Jan 3, 2024, 12:02 AM

#

I want to check firewall events using the api (the ones that appear on the security tab), I am mainly interested in the number of events in a given time, how could I do this and what is the minimum time period I can check?

tardy elk Jan 3, 2024, 12:04 AM

#

Its part of the GraphQL API: https://developers.cloudflare.com/analytics/graphql-api/tutorials/querying-firewall-events/

Querying Firewall Events with GraphQL · Cloudflare Analytics docs

In this example, we are going to use the GraphQL Analytics API to query for Firewall Events over a specified time period.

atomic compass Jan 3, 2024, 12:21 AM

#

tardy elk Its part of the GraphQL API: https://developers.cloudflare.com/analytics/graphql...

Tysm, what is the minimum time period? And how could I see the amount of events on that time period?
I have been experiencing DDoS, and I want to make a script that can check every 10 seconds for example how many events occurred in the last 10 seconds, and if a lot of events occurred, activate UAM automatically for a specific period of time, it would be great to see this as a feature though

tardy elk Jan 3, 2024, 12:25 AM

#

Minimum time period - like 1 minute I think? Maximum is 24 hours unless you have Business (72 hours) or Enterprise (30 days)
and it will return the total amount, yes:

atomic compass Jan 3, 2024, 12:26 AM

#

Perfect, Tysm

tardy elk Jan 3, 2024, 12:27 AM

#

If you have skip rules setup with logging enabled then make sure to filter out the Skip actions or you'll get good traffic mixed up in the total

tardy elk Jan 3, 2024, 12:30 AM

#

atomic compass Perfect, Tysm

If youre really sneaky on the dashboard you can look at the browser network log to see what queries it sends

for last 30 minutes of security events excluding Skip it does some complex query like this (replace account and zone tags with your own)

📎 message.json

#

reupload in pretty print

📎 message.json

#

datetime_geq and datetime_leq need adjustment as well as account and zone tags

atomic compass Jan 3, 2024, 12:33 AM

#

tardy elk reupload in pretty print

But there is more than one datetime thing

tardy elk Jan 3, 2024, 12:34 AM

#

yeah

#

I'm not a GraphQL expert so I don't know why 😄 the queries from the dashboard are scary, you may have better luck making your own if you know what youre doing

atomic compass Jan 3, 2024, 12:39 AM

#

I will, thank you for your help

atomic compass Jan 3, 2024, 3:26 PM

#

There is a problem

#

What is the time from a log being made to it showing on the api?

tardy elk Jan 3, 2024, 3:27 PM

#

Between 1-3 minutes from my experience

atomic compass Jan 3, 2024, 3:32 PM

#

tardy elk Between 1-3 minutes from my experience

Uhm

#

That’s not very good

tardy elk Jan 3, 2024, 3:36 PM

#

Its not designed to be used as realtime logs 🙂

atomic compass Jan 3, 2024, 3:37 PM

#

Is there any way to make it faster?

atomic compass Jan 3, 2024, 3:38 PM

#

tardy elk Its not designed to be used as realtime logs 🙂

And what is?

tardy elk Jan 3, 2024, 3:43 PM

#

atomic compass Is there any way to make it faster?

No

tardy elk Jan 3, 2024, 3:44 PM

#

atomic compass And what is?

You need Business or Enterprise https://developers.cloudflare.com/logs
Instant Logs through a websocket is the most realtime of them all

Cloudflare Logs · Cloudflare Logs docs

These logs are helpful for debugging, identifying configuration adjustments, and creating analytics, especially when combined with logs from other …

atomic compass Jan 3, 2024, 3:45 PM

#

Oh :c

atomic compass Jan 3, 2024, 4:14 PM

#

tardy elk You need Business or Enterprise https://developers.cloudflare.com/logs Instant L...

Isn’t there any other way without business or enterprise?

tardy elk Jan 3, 2024, 4:16 PM

#

No, the only other way to get events is through the GraphQL Analytics API which has a short delay as its not designed for realtime use

#Checking firewall events via API