Cloudflare : How to Get Firewall Events

Deepanshu Bhalla

This tutorial explains how to fetch firewall (security) events in Cloudflare. In simple terms, we will explore how to extract information about users blocked by different WAF rules.

You need an API key and a zone ID to authenticate and use the API. Follow the instructions below to get both.

Instructions: You can find your API key in the Cloudflare dashboard by clicking the profile icon (top-right) > My Profile > API Tokens. You can either use the global API key or create a custom API token with specific permissions. The Zone ID is available on the Overview page of your site in Cloudflare.

The code fetches firewall events from Cloudflare's GraphQL API for the last 24 hours. It sends a request using the requests library with authentication headers and gets the response in JSON format. We then convert this JSON into a pandas DataFrame and save it to an Excel file.

import requests
from datetime import datetime, timedelta, timezone
import pandas as pd
from tzlocal import get_localzone

end_hour = datetime.now(timezone.utc)
start_hour = end_hour - timedelta(hours=24)

# Format with explicit UTC designation
def iso_format(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

# Define the Cloudflare API credentials
API_KEY = "xxxxxxxxxxxxx"
ZONE_ID = "xxxxxxxxxxxxx"
API_EMAIL = "xxxxxxxx@xxxx.com"

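# Set up headers. X-Auth-Email / X-Auth-Key authenticate with the global API key;
# a custom API token is sent as an "Authorization: Bearer <token>" header instead.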
headers = {
    "X-Auth-Email": API_EMAIL,
    "X-Auth-Key": API_KEY,
    "Content-Type": "application/json"
}

# GraphQL query
query = """
query ListFirewallEvents($zoneTag: String, $filter: FirewallEventsAdaptiveFilter_InputObject) {
  viewer {
    zones(filter: { zoneTag: $zoneTag }) {
      firewallEventsAdaptive(
        filter: $filter
        limit: 1000
        orderBy: [datetime_DESC]
      ) {
        action
        clientAsn
        clientCountryName
        clientIP
        clientRequestPath
        clientRequestQuery
        datetime
        source
        userAgent
      }
    }
  }
}
"""

# Create request body
payload = {
    "query": query,
    "variables": {
        "zoneTag": ZONE_ID,
        "filter": {
            "datetime_geq": iso_format(start_hour),
            "datetime_leq": iso_format(end_hour)
        }
    }
}

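# Make API request (the timeout keeps the script from hanging on a stalled connection)
response = requests.post(
    url="https://api.cloudflare.com/client/v4/graphql",
    headers=headers,
    json=payload,
    timeout=30
)

# Process response: anything other than HTTP 200 is treated as a failure
if response.status_code != 200:
    raise Exception(f"Error: {response.status_code}, {response.text}")

data = response.json()

# GraphQL can report errors in the body even when the HTTP status is 200
if data.get('errors'):
    raise Exception(f"GraphQL error: {data['errors']}")

http_requests = data['data']['viewer']['zones'][0]['firewallEventsAdaptive']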

# Convert the data into a pandas DataFrame
df = pd.json_normalize(http_requests)

# Convert the UTC timestamps to the local timezone, then drop the timezone
# information (Excel cannot store timezone-aware datetimes).
# Skipped when no events were returned, because the column does not exist then.
if not df.empty:
    local_timezone = get_localzone()
    df['datetime'] = pd.to_datetime(df['datetime'], utc=True).dt.tz_convert(local_timezone).dt.tz_localize(None)
    df = df.sort_values(by='datetime', ascending=False)

# Write the DataFrame to an Excel file
df.to_excel('firewall_events.xlsx', index=False)
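
To see which clients the WAF rules blocked most often, the following added example (not part of the original post) groups events by client IP, using the fields requested in the query above. The sample rows are constructed, and the function name `summarize_by_ip` and its `actions` and `min_hits` parameters are assumptions made for illustration; on real data, pass it the `http_requests` list.

```python
from collections import defaultdict

FIELDS = ("datetime", "clientIP", "clientCountryName", "action", "source", "clientRequestPath")

# Constructed sample rows (documentation IP ranges), not real traffic
ROWS = [
    ("2024-05-01T10:00:05Z", "203.0.113.7", "US", "block", "firewallCustom", "/wp-login.php"),
    ("2024-05-01T10:00:09Z", "203.0.113.7", "US", "block", "firewallManaged", "/xmlrpc.php"),
    ("2024-05-01T10:02:41Z", "203.0.113.7", "US", "block", "firewallCustom", "/wp-login.php"),
    ("2024-05-01T10:03:00Z", "198.51.100.22", "DE", "managed_challenge", "firewallCustom", "/login"),
    ("2024-05-01T10:04:12Z", "192.0.2.50", "FR", "block", "firewallManaged", "/.env"),
]
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in ROWS]


def summarize_by_ip(events, actions=("block",), min_hits=2):
    """Group events with the given actions by client IP, busiest client first.

    Hypothetical helper: min_hits is the smallest number of matching events
    a client needs before it appears in the summary.
    """
    per_ip = defaultdict(lambda: {"hits": 0, "sources": set(), "paths": set(),
                                  "first": None, "last": None})
    for ev in events:
        if ev["action"] not in actions:
            continue
        s = per_ip[ev["clientIP"]]
        s["hits"] += 1
        s["sources"].add(ev["source"])          # which rule set fired
        s["paths"].add(ev["clientRequestPath"])  # what the client asked for
        ts = ev["datetime"]  # same-format ISO-8601 UTC strings sort chronologically
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    rows = [
        {"clientIP": ip, "hits": s["hits"], "sources": sorted(s["sources"]),
         "distinct_paths": len(s["paths"]),
         "first_seen": s["first"], "last_seen": s["last"]}
        for ip, s in per_ip.items() if s["hits"] >= min_hits
    ]
    # Most hits first; ties broken by IP string so the order is stable
    return sorted(rows, key=lambda r: (-r["hits"], r["clientIP"]))


if __name__ == "__main__":
    for row in summarize_by_ip(SAMPLE_EVENTS):
        print(row)
```

The returned list of dicts can be passed to `pd.DataFrame(...)` and written to a second sheet or file alongside the raw events.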