GraphQL Firewall Events available fields

Here’s a list of GraphQL API Firewall Events - available fields

To make a query: https://developers.cloudflare.com/analytics/graphql-api/tutorials/querying-firewall-events

Currently, each query may contain up to 30 fields.

AVAILABLE ON ALL PLANS:

# starts a comment, so it’s OK to copy and paste the lines here for testing on a GraphiQL/curl query

Request Info:

clientASNDescription # The ASN name
clientAsn # The ASN number
clientCountryName # country code [T1=Tor, XX=unknown]
clientIP # The visitor's IP address (IPv4 or IPv6)
clientRefererScheme # The referer URL scheme: http | https
clientRefererHost # The referer host
clientRefererPath # The referer path
clientRefererQuery # The referer query-string
clientRequestScheme # The URL scheme: http | https
clientRequestHTTPHost # The HTTP hostname
clientRequestPath # The path
clientRequestQuery # The query-string
clientRequestHTTPMethodName # The HTTP method: GET | PUT | HEAD etc.
clientRequestHTTPProtocol # The version of HTTP protocol: 1.0 | 1.1 | 1.2 | 1.3 etc.
userAgent # visitor's user-agent string

Cloudflare Info

edgeColoName # The airport code of the Cloudflare datacenter that served this request
edgeResponseStatus # HTTP response status code returned to browser.
originResponseStatus # HTTP origin response status. Currently returns 0
kind # The kind of event, currently only possible value is "firewall"
matchIndex # Rules match index in the chain (seems to always return 0)
# metadata [ZoneFirewallEventsAdaptiveMetadataElem!] # Additional product-specific information. Metadata is organized in key-value pairs. Note: I don't know how to use this field.
originatorRayName # It seems that unless a challenge/jschallenge is passed, this will be either 00 or the same as rayName
rayName # The RayId of the request
sampleInterval # ABR sample interval

Date Info

date # The date the event occurred at the edge, format: 2022-02-14
datetime # The date and time the event occurred at the edge, ex.: 2022-02-14T14:23:33Z
datetimeFifteenMinutes # The date and time the event occurred at the edge truncated to a multiple of 15 minutes, ex.: 2022-02-14T14:15:00Z
datetimeFiveMinutes # The date and time the event occurred at the edge truncated to a multiple of 5 minutes, ex: 2022-02-14T14:20:00Z
datetimeHour # The date and time the event occurred at the edge truncated to hours, ex.: 2022-02-14T14:00:00Z
datetimeMinute # The date and time the event occurred at the edge truncated to the minute, ex.: 2022-02-14T14:23:00Z

Firewall Info:

action # block, allow, js_challenge, managed_challenge
clientIPClass # The classification of the visitor's IP address. 
# Possible values: unknown | clean | badHost | searchEngine | 
# allowlist | greylist | monitoringService | securityScanner | 
# noRecord | scan | backupService | mobilePlatform | tor
ref # The ref-field is a user-defined rule identifier that can be set via the API for some firewall products and allows users to label their rules individually alongside Cloudflare-provided identifiers (only available to entitled customers)
ruleId # The Cloudflare security product-specific RuleId triggered by this request
rulesetId # The Cloudflare security product-specific RulesetId triggered by this request
source # The Cloudflare security product triggered by this request: firewallrules | waf | bic etc.

ENTERPRISE PLAN ONLY:

botScore # 1 is a bot, 99 is very likely a human
botScoreSrcName # Heuristics | Machine Learning | Verified Bot etc.
ja3Hash # MD5 hash of the JA3 TLS fingerprint
5 Likes
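An added example, not part of the original post and not Cloudflare's code: it turns lines pasted from the list above (with their `#` comments) into a request body, enforcing the 30-field cap and the Enterprise-only section before anything is sent. The function names, the zone tag placeholder and the query shape (`firewallEventsAdaptive`, its filter type and arguments, taken from the tutorial linked above) are assumptions.

```python
import json

MAX_FIELDS = 30  # per-query field cap stated in the post
ENTERPRISE_ONLY = {"botScore", "botScoreSrcName", "ja3Hash"}  # Enterprise section of the post

def parse_fields(pasted):
    """Return field names from pasted list lines; '#' starts a comment."""
    fields = []
    for line in pasted.splitlines():
        name = line.split("#", 1)[0].strip()
        if not name:
            continue  # blank line or fully commented-out line
        if not name.isidentifier():
            raise ValueError(f"not a bare field name: {name!r}")
        if name not in fields:  # duplicates would waste the field budget
            fields.append(name)
    return fields

def build_payload(pasted, zone_tag, start, end, limit=100, enterprise=False):
    """Build the JSON body for the GraphQL endpoint; nothing is sent."""
    fields = parse_fields(pasted)
    if not 1 <= len(fields) <= MAX_FIELDS:
        raise ValueError(f"{len(fields)} fields selected; need 1 to {MAX_FIELDS}")
    gated = sorted(ENTERPRISE_ONLY.intersection(fields))
    if gated and not enterprise:
        raise ValueError(f"Enterprise-only fields: {', '.join(gated)}")
    # Assumption: dataset name, arguments and variable types follow the
    # querying-firewall-events tutorial linked in the post.
    query = (
        "query FirewallEvents($zoneTag: string, $filter: FirewallEventsAdaptiveFilter_InputObject) {\n"
        "  viewer { zones(filter: {zoneTag: $zoneTag}) {\n"
        f"    firewallEventsAdaptive(filter: $filter, limit: {int(limit)}, orderBy: [datetime_DESC]) {{\n"
        + "".join(f"      {name}\n" for name in fields)
        + "    }\n  } }\n}\n"
    )
    return {"query": query, "variables": {
        "zoneTag": zone_tag, "filter": {"datetime_geq": start, "datetime_leq": end}}}

# Constructed sample: lines copied from the list, one of them commented out.
SAMPLE = """\
action # block, allow, js_challenge, managed_challenge
clientIP # The visitor's IP address (IPv4 or IPv6)
# metadata # commented out, so it is skipped
rayName # The RayId of the request
"""

if __name__ == "__main__":
    print(json.dumps(build_payload(SAMPLE, "ZONE_TAG_PLACEHOLDER",
                                   "2022-02-14T14:00:00Z", "2022-02-14T15:00:00Z"), indent=2))
```

Values such as the zone tag and time range travel as GraphQL variables rather than being spliced into the query text, and `limit` is forced to an integer.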

I spent some time searching here and there to find a specific field I wanted to add to my firewall logs, so I thought I’d make a list. It’s a wiki post, so please edit/expand it out as needed. Cheers!

4 Likes