firewall_events_adaptive_groups
This is a time-bounded analytics resource. Queries against it differ from typical CRUD resources in a few ways:
sinceanduntilare required. Both are RFC3339 timestamps and define the analytics window (e.g.since = '2026-05-28T00:00:00Z',until = '2026-05-29T00:00:00Z'). Queries without them will fail.- Row cap via
limit. Thelimitparameter (default100) bounds the response. Widen the time window or raiselimitto return more rows. - Token scope. Cloudflare's analytics endpoints require an API token with Account -> Analytics -> Read permission, which is broader than typical zone-scoped tokens. A token without it will return empty results.
Creates, updates, deletes, gets or lists a firewall_events_adaptive_groups resource.
Overview
| Name | firewall_events_adaptive_groups |
| Type | Resource |
| Id | cloudflare.firewall.firewall_events_adaptive_groups |
Fields
The following fields are returned by SELECT queries:
- list
Response
| Name | Datatype | Description |
|---|---|---|
rule_id | string | Product-specific rule ID triggered by this event. |
ruleset_id | string | Product-specific ruleset ID triggered by this event. |
client_country_name | string | ISO-3166 alpha-2 country code derived from client IP. |
action | string | First-class action taken by the firewall (block, challenge, jschallenge, log, allow, etc.). |
client_asn_description | string | Visitor ASN as a string (e.g. AS15169 Google LLC). |
client_ip | string | Visitor IP address (IPv4 or IPv6). |
client_request_http_host | string | Hostname component of the client request. |
client_request_path | string | Path component of the client request. |
datetime | string (date-time) | Minute-bucketed timestamp (RFC3339). |
edge_response_status | integer | HTTP status returned to the client. |
events | integer | Number of firewall events contributing to this dimension tuple. |
source | string | Cloudflare security product that triggered the event (waf, firewallrules, ratelimit, etc.). |
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
list | select | zone_tag, since, until | limit | Firewall event analytics for a zone, with adaptive sampling, grouped by action / source / rule / country / status. Each row aggregates the count of firewall events for one dimension tuple over the requested time window. Useful for surfacing top blocking rules, top blocked countries, top targeted paths. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
since | string (date-time) | Lower bound (inclusive) of the time range. RFC3339 (e.g. 2026-05-29T00:00:00Z). |
until | string (date-time) | Upper bound (exclusive) of the time range. RFC3339. |
zone_tag | string | Cloudflare zone ID (the 32-char hex tag). |
limit | integer | Maximum number of dimension-tuple rows to return per call. |
SELECT examples
- list
Firewall event analytics for a zone, with adaptive sampling, grouped by action / source / rule / country / status. Each row aggregates the count of firewall events for one dimension tuple over the requested time window. Useful for surfacing top blocking rules, top blocked countries, top targeted paths.
SELECT
rule_id,
ruleset_id,
client_country_name,
action,
client_asn_description,
client_ip,
client_request_http_host,
client_request_path,
datetime,
edge_response_status,
events,
source
FROM cloudflare.firewall.firewall_events_adaptive_groups
WHERE zone_tag = '{{ zone_tag }}' -- required
AND since = '{{ since }}' -- required
AND until = '{{ until }}' -- required
AND limit = '{{ limit }}'
;