I am trying to get to the bottom of an issue where some specific Convertri CNAME records in Cloudflare are being repeatedly deleted by an API firing from a specific IP address.
I’ve been screenshotting for days in an attempt to build up a picture but as I went to share it with Cloudflare’s support resources, I stumbled across my Cloudflare audit logs that I’d been told about but hadn’t previously been able to find…
Although most of the audit log info is beyond my technical understanding, what I can see is that while my CNAME records are being added manually via UI (user interface?; i.e. me/my tech team using my login via LastPass), the records are subsequently being deleted via an API that comes from a single IP address.
How do I trace an IP address to see if I can identify the source of that API?
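
An added example, not part of the original post: one way to summarise an exported audit log so that deletions are grouped by interface and source IP, together with the actor recorded on each entry and the delay since the record was last added. The JSON field names, the `rec_add`/`rec_del` action values and the sample entries are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample entries, not real data. The field names (action.type,
# actor.ip, interface, metadata.name) and the "rec_add"/"rec_del" action values
# are assumptions about the export's shape; adjust them to match your own file.
SAMPLE = json.loads("""[
 {"when":"2024-01-10T09:00:00Z","action":{"type":"rec_add"},"interface":"UI",
  "actor":{"email":"owner@example.com","ip":"198.51.100.7"},
  "metadata":{"name":"pages.example.com"}},
 {"when":"2024-01-10T09:30:00Z","action":{"type":"rec_del"},"interface":"API",
  "actor":{"email":"owner@example.com","ip":"203.0.113.50"},
  "metadata":{"name":"pages.example.com"}},
 {"when":"2024-01-11T14:00:00Z","action":{"type":"rec_add"},"interface":"UI",
  "actor":{"email":"owner@example.com","ip":"198.51.100.7"},
  "metadata":{"name":"pages.example.com"}},
 {"when":"2024-01-11T14:30:00Z","action":{"type":"rec_del"},"interface":"API",
  "actor":{"email":"owner@example.com","ip":"203.0.113.50"},
  "metadata":{"name":"pages.example.com"}}
]""")

def _ts(entry):
    # Parse the entry's UTC timestamp so entries can be ordered and subtracted.
    return datetime.strptime(entry["when"], "%Y-%m-%dT%H:%M:%SZ")

def summarize_deletions(entries, add_type="rec_add", del_type="rec_del"):
    """Group deletions by (interface, source IP) and measure add-to-delete delay."""
    last_add = {}                      # record name -> time of most recent add
    groups = defaultdict(lambda: {"count": 0, "actors": set(), "delays_min": []})
    for e in sorted(entries, key=_ts):
        name = e.get("metadata", {}).get("name", "unknown")
        kind = e.get("action", {}).get("type")
        if kind == add_type:
            last_add[name] = _ts(e)
        elif kind == del_type:
            actor = e.get("actor", {})
            g = groups[(e.get("interface", "unknown"), actor.get("ip", "unknown"))]
            g["count"] += 1
            # Keep the actor recorded on the entry (assumed: email, else id).
            g["actors"].add(actor.get("email") or actor.get("id") or "unknown")
            if name in last_add:
                g["delays_min"].append((_ts(e) - last_add[name]).total_seconds() / 60)
    return dict(groups)

if __name__ == "__main__":
    for (iface, ip), g in summarize_deletions(SAMPLE).items():
        print(iface, ip, g["count"], sorted(g["actors"]), g["delays_min"])
```

A near-constant delay between each add and its deletion suggests a scheduled integration rather than a person, and the actor on the deleting entries indicates which account's credentials to review.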