I’d consider checking the details by clicking on each of the Security Events to determine from which ASN the attacks are comming.
Therefrom, would create a list and block the whole ASN them at Security → WAF → Tools → IP Access Rules.
Have you got any other Custom Rules for WAF as well active for protection?
How about other settings such as Browser Integrity Check, Bot Fight Mode, etc.?
If I may add here as a really good reference for further cases in terms of security and protection with Cloudflare:
Nevertheless, consider blocking some of the known “bad user-agents”, “crawlers” or “bad ASNs” using below posts:
You’re on HTTP? I’d reconsider this and make sure I am using HTTPS.