firewall_events
Analytics resource
This is a time-bounded analytics resource. Queries against it differ from typical CRUD resources in a few ways:
- `since` and `until` are required. Both are RFC3339 timestamps and define the analytics window (e.g. `since = '2026-05-28T00:00:00Z'`, `until = '2026-05-29T00:00:00Z'`). Queries without them will fail.
- Row cap via `limit`. The `limit` parameter (default `100`) bounds the response. Widen the time window or raise `limit` to return more rows.
- Token scope. Cloudflare's analytics endpoints require an API token with Account -> Analytics -> Read permission, which is broader than typical zone-scoped tokens. A token without it will return empty results.
Creates, updates, deletes, gets or lists a firewall_events resource.
Overview
| Name | firewall_events |
| Type | Resource |
| Id | cloudflare.firewall.firewall_events |
Fields
The following fields are returned by SELECT queries:
- list
Response
| Name | Datatype | Description |
|---|---|---|
| rule_id | string | Product-specific rule ID. |
| ruleset_id | string | Product-specific ruleset ID. |
| client_country_name | string | ISO-3166 alpha-2 country code. |
| client_request_http_method_name | string | |
| edge_colo_name | string | IATA code of the Cloudflare colo that served the request. |
| ray_name | string | Cloudflare Ray ID. |
| action | string | First-class action (block / challenge / allow / log / etc.). |
| client_asn | integer | Visitor ASN. |
| client_asn_description | string | Visitor ASN description. |
| client_ip | string | Visitor IP (v4 or v6). |
| client_request_http_host | string | |
| client_request_path | string | |
| datetime | string (date-time) | Event timestamp (RFC3339). |
| edge_response_status | integer | |
| origin_response_status | integer | |
| ref | string | User-defined rule ref tag. |
| source | string | Security product that fired (waf / firewallrules / ratelimit / etc.). |
| user_agent | string | |
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
| list | select | zone_tag, since, until | limit | Raw firewall event stream for a zone. One row per event with attacker context (IP, ASN, country) and rule context (action, source, ruleId). Use for incident drill-down rather than rollups. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
| since | string (date-time) | Lower bound (inclusive) of the time range. RFC3339. |
| until | string (date-time) | Upper bound (exclusive) of the time range. RFC3339. |
| zone_tag | string | Cloudflare zone ID (the 32-char hex tag). |
| limit | integer | Maximum number of events to return per call. |
SELECT examples
- list
Raw firewall event stream for a zone. One row per event with attacker context (IP, ASN, country) and rule context (action, source, ruleId). Use for incident drill-down rather than rollups.
```sql
SELECT
  rule_id,
  ruleset_id,
  client_country_name,
  client_request_http_method_name,
  edge_colo_name,
  ray_name,
  action,
  client_asn,
  client_asn_description,
  client_ip,
  client_request_http_host,
  client_request_path,
  datetime,
  edge_response_status,
  origin_response_status,
  ref,
  source,
  user_agent
FROM cloudflare.firewall.firewall_events
WHERE zone_tag = '{{ zone_tag }}' -- required
  AND since = '{{ since }}' -- required
  AND until = '{{ until }}' -- required
  AND limit = '{{ limit }}'
;
```
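An added example, not part of the original page or the provider's own code: because `since` is inclusive, `until` is exclusive and every call is capped by `limit`, a long incident window can be split into adjacent slices that neither overlap nor leave gaps. The helper names (`window_queries`, `is_truncated`), the one-hour step and the column selection are assumptions; the script only builds query text and calls no API.

```python
import re
from datetime import datetime, timedelta, timezone

ZONE_TAG = re.compile(r"[0-9a-fA-F]{32}")  # 32-char hex tag, per the Parameters table
QUERY = (
    "SELECT datetime, action, source, rule_id, client_ip, client_asn, "
    "client_country_name, client_request_path, ray_name "
    "FROM cloudflare.firewall.firewall_events "
    "WHERE zone_tag = '{zone}' AND since = '{since}' AND until = '{until}' "
    "AND limit = '{limit}';"
)

def parse_rfc3339(text):
    ts = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError(f"timestamp needs a UTC offset: {text!r}")
    return ts.astimezone(timezone.utc)

def fmt(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")

def window_queries(zone_tag, since, until, step=timedelta(hours=1), limit=100):
    """Return (since, until, sql) slices that tile [since, until) exactly once."""
    # Strict validation doubles as injection protection for the templated SQL.
    if not ZONE_TAG.fullmatch(zone_tag):
        raise ValueError("zone_tag must be 32 hex characters")
    if not isinstance(limit, int) or limit < 1:
        raise ValueError("limit must be a positive integer")
    if step < timedelta(seconds=1):
        raise ValueError("step must be at least one second")
    start, end = parse_rfc3339(since), parse_rfc3339(until)
    if start >= end:
        raise ValueError("since must be earlier than until")
    slices = []
    while start < end:
        stop = min(start + step, end)
        # until is exclusive, so the next slice can start exactly at `stop`.
        sql = QUERY.format(zone=zone_tag, since=fmt(start), until=fmt(stop), limit=limit)
        slices.append((fmt(start), fmt(stop), sql))
        start = stop
    return slices

def is_truncated(rows, limit=100):
    """A slice that comes back with `limit` rows has probably hit the row cap."""
    return len(rows) >= limit
```

When `is_truncated` is true for a slice, re-run that slice with a smaller `step` or a higher `limit` so events past the cap are not silently missed.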