This tutorial explains how to fetch firewall (security) events in Cloudflare. In simple words, we will explore how to extract information about users blocked by different WAF rules.
You need an API key and a zone ID to authenticate and use the API. You can follow the instructions below to get API Key and Zone ID.
Instructions : You can find your API key in the Cloudflare dashboard by clicking on profile icon (top-right) > My Profile > API Tokens. Either you can use global API key or you can create a custom API token with specific permissions. The Zone ID is available on the Overview page of your site in Cloudflare.
The code fetches firewall events from Cloudflare's GraphQL API for the last 24 hours. It sends a request using the requests library with authentication headers and gets the response in JSON format. Then we convert this JSON format to pandas dataframe. Later we save it in Excel file.
import requests
from datetime import datetime, timedelta, timezone
import pandas as pd
from tzlocal import get_localzone
end_hour = datetime.now(timezone.utc)
start_hour = end_hour - timedelta(hours=24)
# Format with explicit UTC designation
def iso_format(dt):
return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
# Define the Cloudflare API credentials
API_KEY = "xxxxxxxxxxxxx"
ZONE_ID = "xxxxxxxxxxxxx"
API_EMAIL = "xxxxxxxx@xxxx.com"
# Set up headers
headers = {
"X-Auth-Email": API_EMAIL,
"X-Auth-Key": API_KEY,
"Content-Type": "application/json"
}
# GraphQL query
query = """
query ListFirewallEvents($zoneTag: String, $filter: FirewallEventsAdaptiveFilter_InputObject) {
viewer {
zones(filter: { zoneTag: $zoneTag }) {
firewallEventsAdaptive(
filter: $filter
limit: 1000
orderBy: [datetime_DESC]
) {
action
clientAsn
clientCountryName
clientIP
clientRequestPath
clientRequestQuery
datetime
source
userAgent
}
}
}
}
"""
# Create request body
payload = {
"query": query,
"variables": {
"zoneTag": ZONE_ID,
"filter": {
"datetime_geq": iso_format(start_hour),
"datetime_leq": iso_format(end_hour)
}
}
}
# Make API request
response = requests.post(
url="https://api.cloudflare.com/client/v4/graphql",
headers=headers,
json=payload
)
# Process response
if response.status_code > 200:
raise Exception(f"Error: {response.status_code}, {response.text}")
data = response.json()
http_requests = data['data']['viewer']['zones'][0]['firewallEventsAdaptive']
# Convert the data into a pandas DataFrame
df = pd.json_normalize(http_requests)
df['datetime'] = pd.to_datetime(df['datetime']).dt.tz_localize(None)
local_timezone = get_localzone()
df['datetime'] = df['datetime'].dt.tz_localize('UTC').dt.tz_convert(local_timezone).dt.tz_localize(None)
df = df.sort_values(by='datetime', ascending=False)
# Write the DataFrame to an Excel file
df.to_excel('firewall_events.xlsx', index=False)
Deepanshu founded ListenData with a simple objective - Make analytics easy to understand and follow. He has over 10 years of experience in data science. During his tenure, he worked with global clients in various domains like Banking, Insurance, Private Equity, Telecom and HR.
Share Share Tweet