Cloudflare Firewall Events
Ingests Cloudflare firewall and WAF events using the GraphQL Analytics API. This input collects security events from the firewallEventsAdaptive dataset, including blocked requests, challenges, and other firewall actions taken on traffic to your zones.
Sync Type: Incremental
Requirements
- A Cloudflare account with access to the Analytics API
- An API Token with the
Account Analytics:Readpermission - Your Cloudflare Zone ID
Data Retention by Plan
Cloudflare retains firewall event data based on your plan:
| Plan | Data Retention |
|---|---|
| Free | 24 hours |
| Pro | 3 days |
| Business | 3-30 days |
| Enterprise | 30-90 days |
The input automatically detects your plan's retention limits and adjusts queries accordingly.
Creating an API Token
- Log in to your Cloudflare dashboard
- Navigate to My Profile > API Tokens
- Click Create Token
- Use the Create Custom Token option
- Configure the token:
- Token name: Give it a descriptive name (e.g., "Monad Firewall Events")
- Permissions: Add
Account>Account Analytics>Read - Zone Resources: Select the specific zone(s) or "All zones"
- Click Continue to summary and then Create Token
- Copy the token value (you won't be able to see it again)
Finding Your Zone ID
- Log in to your Cloudflare dashboard
- Select the domain/zone you want to monitor
- The Zone ID is displayed in the right sidebar on the overview page
- It's a 32-character alphanumeric string
Details
- State Management: Uses timestamp-based incremental sync with rayName as secondary sort key. Monad stores the last processed event timestamp to fetch only new events on subsequent runs.
- API Endpoint: GraphQL Analytics API (
/graphql) - Dataset:
firewallEventsAdaptive - Pagination: Filter-based pagination using
datetime_geqandrayName_gt(the API does not support cursor pagination) - Rate Limits: 300 requests per 5 minutes (1 request per second). The input automatically enforces this limit.
- Adaptive Sampling: During high-traffic periods, Cloudflare may apply sampling to this dataset. Not all events may be returned during very high volume periods.
Configuration
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
zone_id | string | Yes | Cloudflare Zone ID (32-character alphanumeric string) |
include_bot_fields | boolean | No | Include botScore and botScoreSrcName fields. Requires Enterprise plan with Bot Management add-on. Leave disabled unless you have Bot Management enabled. Default: false |
lookback_duration | string | No | Initial lookback duration for first sync (e.g., 24h, 7d). Must not exceed your plan's data retention limit. Default: Uses plan's maximum retention |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
api_token | string | Yes | API Token with Account Analytics:Read permission |
Rate Limits
| Limit | Value | Notes |
|---|---|---|
| Requests per 5 minutes | 300 | GraphQL Analytics API limit |
| Max records per query | Plan-dependent | Discovered automatically via Settings API |
Source: Cloudflare GraphQL Analytics API Limits
Troubleshooting
Common Issues
Issue: GraphQL error with authentication message
Cause: The API token is invalid, expired, or lacks the required permissions.
Solution: Verify your API token is correct and has the Account Analytics:Read permission. Create a new token if needed.
Issue: Zone ID is required validation error
Cause: The Zone ID field was left empty.
Solution: Enter your Cloudflare Zone ID in the settings. You can find this in your Cloudflare dashboard under the zone's overview page.
Issue: invalid settings response error
Cause: The Zone ID is incorrect or the API token doesn't have access to that zone.
Solution: Verify the Zone ID is correct and that your API token has permissions for that specific zone.
Issue: No data returned despite having firewall events Cause: The lookback duration may exceed your plan's data retention, or there may be no events in the time range. Solution: Check your plan's data retention limits. Free plans only retain 24 hours of data.
Issue: botScore or botScoreSrcName fields missing
Cause: Bot Management fields require Enterprise plan with Bot Management add-on.
Solution: Disable the include_bot_fields setting unless you have Bot Management enabled on your account.
Issue: Events appear to be missing during high traffic Cause: Cloudflare applies adaptive sampling to this dataset during high-volume periods. Solution: This is expected behavior. The dataset is designed for monitoring and analysis, not exact event counting.
Related Articles
- Cloudflare GraphQL Analytics API
- Querying Firewall Events with GraphQL
- Cloudflare API Tokens
- GraphQL Analytics API Limits
- Bot Management
Sample Record
{
"action": "block",
"datetime": "2024-01-15T10:30:45Z",
"clientIP": "203.0.113.42",
"clientAsn": "7922",
"clientASNDescription": "Comcast Cable Communications",
"clientCountryName": "United States",
"clientRequestHTTPHost": "api.example.com",
"clientRequestPath": "/api/v1/users",
"clientRequestHTTPMethodName": "POST",
"edgeColoName": "SFO",
"edgeResponseStatus": 403,
"ruleId": "waf",
"rulesetId": "",
"source": "waf",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"rayName": "8f7e6d5c4b3a2190",
"description": ""
}