Cloudflare Docs
Analytics
Cloudflare Docs
Analytics
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)
  1. Products
  2. Analytics
  3. ...
  4. Tutorials
  5. Querying Magic Firewall Intrusion Detection System (IDS) samples with GraphQL

Querying Magic Firewall Intrusion Detection System (IDS) samples with GraphQL

In this example, we are going to use the GraphQL Analytics API to query for IDS samples over a specified time period.

The following API call will request IDS samples over a one hour period, and output the requested fields. Be sure to replace <CLOUDFLARE_ACCOUNT_ID>, <CLOUDFLARE_EMAIL>, and <CLOUDFLARE_API_KEY> with your account tag and API credentials, and adjust the datetime_geg and datetime_leq values to your liking.

​​ API Call

echo '{ "query":
  "query IDSActivity {
    viewer {
      accounts(filter: { accountTag: $accountTag }) {
        magicIDPSNetworkAnalyticsAdaptiveGroups(
          filter: $filter
          limit: 10
        ) {
          sum {
            bits
            packets
          }
          dimensions {
            datetimeFiveMinutes
          }
        }
      }
    }
  }",
  "variables": {
    "accountTag": "<CLOUDFLARE_ACCOUNT_ID>",
    "filter": {
      "datetime_geq": "2023-06-20T11:00:00.000Z",
      "datetime_leq": "2023-06-20T12:00:00.000Z",
      "verdict": "drop",
      "outcome": "pass"
    }
  }
}' | tr -d '\n' | curl \
  -X POST \
  -H "Content-Type: application/json" \
  -H "X-Auth-Email: <CLOUDFLARE_EMAIL>" \
  -H "X-Auth-key: <CLOUDFLARE_API_KEY>" \
  -s \
  -d @- \
  https://api.cloudflare.com/client/v4/graphql/

The returned values represent the total number of packets and bits that matched IDS rules during the five minute interval. The result will be in JSON (as requested), so piping the output to jq will make it easier to read, like in the following example:

... | curl \
  -X POST \
  -H "Content-Type: application/json" \
  -H "X-Auth-Email: CLOUDFLARE_EMAIL" \
  -H "X-Auth-key: CLOUDFLARE_API_KEY" \
  -s \
  -d @- \
  https://api.cloudflare.com/client/v4/graphql/ | jq .

#=> {

#=>   "data": {

#=>     "viewer": {

#=>       "accounts": [

#=>         {

#=>           "magicIDPSNetworkAnalyticsAdaptiveGroups": [

#=>             {

#=>               sum: { bits:  327680, packets: 16384 },

#=>               dimensions: {

#=>                 datetimeFiveMinute: '2021-05-12T22:00-00:00'

#=>               }

#=>             },

#=>             {

#=>               sum: { bits:  360448, packets: 8192 },

#=>               dimensions: {

#=>                 datetimeFiveMinute: '2021-05-12T22:05-00:00'

#=>               }

#=>             },

#=>             {

#=>               sum: { bits:  327680, packets: 8192 },

#=>               dimensions: {

#=>                 datetimeFiveMinute: '2021-05-12T22:05-00:00'

#=>               }

#=>             },

#=>             {

#=>               sum: { bits:  360448, packets: 8192 },

#=>               dimensions: {

#=>                 datetimeFiveMinute: '2021-05-12T22:20-00:00'

#=>               }

#=>             },

#=>             {

#=>               sum: { bits:  327680, packets: 8192 },

#=>               dimensions: {

#=>                 datetimeFiveMinute: '2021-05-12T22:20-00:00'

#=>               }

#=>             }

#=>           ]

#=>         }

#=>       ]

#=>     }

#=>   },

#=>   "errors": null

#=> }