Sunday, February 16, 2025
No menu items!
HomeData Analytics and VisualizationCloudflare : How to Get Firewall Events

Cloudflare : How to Get Firewall Events

This tutorial explains how to fetch firewall (security) events in Cloudflare. In simple words, we will explore how to extract information about users blocked by different WAF rules.

You need an API key and a zone ID to authenticate and use the API. You can follow the instructions below to get API Key and Zone ID.

Instructions : You can find your API key in the Cloudflare dashboard by clicking on profile icon (top-right) > My Profile > API Tokens. Either you can use global API key or you can create a custom API token with specific permissions. The Zone ID is available on the Overview page of your site in Cloudflare.

The code fetches firewall events from Cloudflare’s GraphQL API for the last 24 hours. It sends a request using the requests library with authentication headers and gets the response in JSON format. Then we convert this JSON format to pandas dataframe. Later we save it in Excel file.

import requests
from datetime import datetime, timedelta, timezone
import pandas as pd
from tzlocal import get_localzone

end_hour = datetime.now(timezone.utc)
start_hour = end_hour - timedelta(hours=24)

# Format with explicit UTC designation
def iso_format(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

# Define the Cloudflare API credentials
API_KEY = "xxxxxxxxxxxxx"
ZONE_ID = "xxxxxxxxxxxxx"
API_EMAIL = "[email protected]"

# Set up headers
headers = {
    "X-Auth-Email": API_EMAIL,
    "X-Auth-Key": API_KEY,
    "Content-Type": "application/json"
}

# GraphQL query
query = """
query ListFirewallEvents($zoneTag: String, $filter: FirewallEventsAdaptiveFilter_InputObject) {
  viewer {
    zones(filter: { zoneTag: $zoneTag }) {
      firewallEventsAdaptive(
        filter: $filter
        limit: 1000
        orderBy: [datetime_DESC]
      ) {
        action
        clientAsn
        clientCountryName
        clientIP
        clientRequestPath
        clientRequestQuery
        datetime
        source
        userAgent
      }
    }
  }
}
"""

# Create request body
payload = {
    "query": query,
    "variables": {
        "zoneTag": ZONE_ID,
        "filter": {
            "datetime_geq": iso_format(start_hour),
            "datetime_leq": iso_format(end_hour)
        }
    }
}

# Make API request
response = requests.post(
    url="https://api.cloudflare.com/client/v4/graphql",
    headers=headers,
    json=payload
)

# Process response
if response.status_code > 200:
    raise Exception(f"Error: {response.status_code}, {response.text}")

data = response.json()
http_requests = data['data']['viewer']['zones'][0]['firewallEventsAdaptive']

# Convert the data into a pandas DataFrame
df = pd.json_normalize(http_requests)

df['datetime'] = pd.to_datetime(df['datetime']).dt.tz_localize(None)
local_timezone = get_localzone()
df['datetime'] = df['datetime'].dt.tz_localize('UTC').dt.tz_convert(local_timezone).dt.tz_localize(None)
df = df.sort_values(by='datetime', ascending=False)

# Write the DataFrame to an Excel file
df.to_excel('firewall_events.xlsx', index=False)
Cloudflare : How to Get Firewall Events

Read MoreListenData

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments