events_indicators
Creates, updates, deletes, gets or lists an events_indicators resource.
Overview
| Name | events_indicators |
| Type | Resource |
| Id | cloudflare.cloudforce_one.events_indicators |
Fields
The following fields are returned by SELECT queries:
- list_by_account
Returns a paginated list of indicators.
| Name | Datatype | Description |
|---|---|---|
| properties | object | |
| type | string | |
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
| list_by_account | select | account_id | datasetIds, page, pageSize, search, name, indicatorType, relatedEvents, tags, createdAfter, createdBefore, relatedEventsLimit, includeTags, includeTotalCount, format | Retrieves a paginated list of indicators across specified datasets. Use datasetIds=all or datasetIds=* to query all datasets for the account. If no datasetIds are provided, the default dataset is used. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
| account_id | string | The Cloudflare account ID. |
| createdAfter | string (date-time) | Filter indicators created on or after this date. Must use ISO 8601 format (e.g., '2024-01-15T00:00:00Z'). |
| createdBefore | string (date-time) | Filter indicators created on or before this date. Must use ISO 8601 format (e.g., '2024-12-31T23:59:59Z'). |
| datasetIds | array | Dataset IDs to query indicators from (array of UUIDs), or special value 'all' or '*' to query all datasets. If not provided, uses the default dataset. |
| format | string | Output format for indicator data. 'json' returns the default format, 'stix2' returns STIX 2.1 Indicator SDOs. |
| includeTags | boolean | Whether to include full tag details for each indicator. Defaults to true. |
| includeTotalCount | boolean | Whether to compute accurate total count via COUNT(*). Defaults to false for performance. When false, total_count is an approximation. |
| indicatorType | string | |
| name | string | Filter indicators by value using substring match (LIKE). Legacy alternative to structured search. |
| page | number | |
| pageSize | number | |
| relatedEvents | array | Filter by related event IDs |
| relatedEventsLimit | number | Limit the number of related events returned per indicator. Default: 2. Set to 0 for none, -1 for all events. |
| search | array | Structured search as a JSON array of {field, op, value} objects. Searchable fields: value, indicatorType. Supports operators: equals, not, contains, startsWith, endsWith, gt, lt, gte, lte, like, in, find. Use the 'in' operator with an array value to bulk-check up to 100 indicators in a single request, e.g. search=[{"field":"value","op":"in","value":["evil.com","bad.org"]}]. Multiple conditions are AND'd together. Max 10 conditions per request. |
| tags | array | Filter by tag values or UUIDs. Indicators must have at least one of the specified tags (OR logic). Supports both tag UUID and tag value. |
SELECT examples
- list_by_account
Retrieves a paginated list of indicators across specified datasets. Use datasetIds=all or datasetIds=* to query all datasets for the account. If no datasetIds are provided, the default dataset is used.
```sql
SELECT
  properties,
  type
FROM cloudflare.cloudforce_one.events_indicators
WHERE account_id = '{{ account_id }}' -- required
  AND datasetIds = '{{ datasetIds }}'
  AND page = '{{ page }}'
  AND pageSize = '{{ pageSize }}'
  AND search = '{{ search }}'
  AND name = '{{ name }}'
  AND indicatorType = '{{ indicatorType }}'
  AND relatedEvents = '{{ relatedEvents }}'
  AND tags = '{{ tags }}'
  AND createdAfter = '{{ createdAfter }}'
  AND createdBefore = '{{ createdBefore }}'
  AND relatedEventsLimit = '{{ relatedEventsLimit }}'
  AND includeTags = '{{ includeTags }}'
  AND includeTotalCount = '{{ includeTotalCount }}'
  AND format = '{{ format }}'
;
```
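An added example, not part of the provider documentation: a Python helper that builds `search` values for bulk indicator lookups while enforcing the limits stated in the Parameters table (at most 100 values per `in` condition, at most 10 conditions per request, only the listed fields and operators). The function names, the de-duplication step and the sample hostnames are assumptions made for illustration.

```python
import json

# Limits and vocabularies as stated for the `search` parameter above.
SEARCHABLE_FIELDS = {"value", "indicatorType"}
OPERATORS = {"equals", "not", "contains", "startsWith", "endsWith",
             "gt", "lt", "gte", "lte", "like", "in", "find"}
MAX_CONDITIONS = 10
MAX_IN_VALUES = 100


def validate_search(conditions):
    """Raise ValueError if `conditions` breaks a documented constraint."""
    if len(conditions) > MAX_CONDITIONS:
        raise ValueError(f"more than {MAX_CONDITIONS} conditions")
    for cond in conditions:
        if set(cond) != {"field", "op", "value"}:
            raise ValueError(f"condition needs field, op, value: {cond!r}")
        if cond["field"] not in SEARCHABLE_FIELDS:
            raise ValueError(f"field not searchable: {cond['field']!r}")
        if cond["op"] not in OPERATORS:
            raise ValueError(f"unknown operator: {cond['op']!r}")
        if cond["op"] == "in":
            if not isinstance(cond["value"], list):
                raise ValueError("'in' needs an array value")
            if len(cond["value"]) > MAX_IN_VALUES:
                raise ValueError(f"'in' accepts at most {MAX_IN_VALUES} values")
    return conditions


def bulk_check_searches(observed, indicator_type=None):
    """Return one `search` JSON string per batch of up to 100 unique values."""
    unique = list(dict.fromkeys(v.strip() for v in observed if v.strip()))
    searches = []
    for start in range(0, len(unique), MAX_IN_VALUES):
        conds = [{"field": "value", "op": "in",
                  "value": unique[start:start + MAX_IN_VALUES]}]
        if indicator_type is not None:  # ANDed with the value condition
            conds.append({"field": "indicatorType", "op": "equals",
                          "value": indicator_type})
        searches.append(json.dumps(validate_search(conds), separators=(",", ":")))
    return searches


# Constructed sample input: 250 placeholder hostnames plus one duplicate.
SAMPLE = [f"host{i}.example.test" for i in range(250)] + ["host0.example.test"]

if __name__ == "__main__":
    for s in bulk_check_searches(SAMPLE):
        print(len(json.loads(s)[0]["value"]), "values:", s[:60] + "...")
```

Each returned string is the `search` value for one `list_by_account` query, so a list of 250 observed values becomes three queries.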