This tutorial explains how to fetch firewall (security) events in Cloudflare. In simple words, we will explore how to extract information about users blocked by different WAF rules.
You need an API key and a zone ID to authenticate and use the API. You can follow the instructions below to get API Key and Zone ID.
Instructions : You can find your API key in the Cloudflare dashboard by clicking on profile icon (top-right) > My Profile > API Tokens. Either you can use global API key or you can create a custom API token with specific permissions. The Zone ID is available on the Overview page of your site in Cloudflare.
The code fetches firewall events from Cloudflare’s GraphQL API for the last 24 hours. It sends a request using the requests library with authentication headers and gets the response in JSON format. Then we convert this JSON format to pandas dataframe. Later we save it in Excel file.
import requests from datetime import datetime, timedelta, timezone import pandas as pd from tzlocal import get_localzone end_hour = datetime.now(timezone.utc) start_hour = end_hour - timedelta(hours=24) # Format with explicit UTC designation def iso_format(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ") # Define the Cloudflare API credentials API_KEY = "xxxxxxxxxxxxx" ZONE_ID = "xxxxxxxxxxxxx" API_EMAIL = "[email protected]" # Set up headers headers = { "X-Auth-Email": API_EMAIL, "X-Auth-Key": API_KEY, "Content-Type": "application/json" } # GraphQL query query = """ query ListFirewallEvents($zoneTag: String, $filter: FirewallEventsAdaptiveFilter_InputObject) { viewer { zones(filter: { zoneTag: $zoneTag }) { firewallEventsAdaptive( filter: $filter limit: 1000 orderBy: [datetime_DESC] ) { action clientAsn clientCountryName clientIP clientRequestPath clientRequestQuery datetime source userAgent } } } } """ # Create request body payload = { "query": query, "variables": { "zoneTag": ZONE_ID, "filter": { "datetime_geq": iso_format(start_hour), "datetime_leq": iso_format(end_hour) } } } # Make API request response = requests.post( url="https://api.cloudflare.com/client/v4/graphql", headers=headers, json=payload ) # Process response if response.status_code > 200: raise Exception(f"Error: {response.status_code}, {response.text}") data = response.json() http_requests = data['data']['viewer']['zones'][0]['firewallEventsAdaptive'] # Convert the data into a pandas DataFrame df = pd.json_normalize(http_requests) df['datetime'] = pd.to_datetime(df['datetime']).dt.tz_localize(None) local_timezone = get_localzone() df['datetime'] = df['datetime'].dt.tz_localize('UTC').dt.tz_convert(local_timezone).dt.tz_localize(None) df = df.sort_values(by='datetime', ascending=False) # Write the DataFrame to an Excel file df.to_excel('firewall_events.xlsx', index=False)
Read MoreListenData