GraphQL Analytics
Use the GraphQL Analytics API to review data for Magic Firewall network traffic related to rules matching your traffic. This contains both rules you configured in the Magic Firewall dashboard, and the rules managed by Cloudflare as a part of Magic Firewall Managed rules and Magic Firewall IDS features.
Before you begin, you must have an API token. For additional help getting started with GraphQL Analytics, refer to GraphQL Analytics API.
To construct a Magic Firewall GraphQL query for an object, you will need a Cloudflare Account ID
- Log in to the Cloudflare dashboard ↗, and select your account.
- The URL in your browser's address bar should show https://dash.cloudflare.com/followed by a hex string. The hex string is your Cloudflare Account ID.
To construct queries to gather analytics for a particular rule, you need the rule ID for each firewall rule.
- 
In the Cloudflare dashboard, go to the Magic Firewall page. Go to Magic Firewall
- 
In the Custom rules tab, locate the rule you need the rule ID for from the list and select the three dots > Edit. 
- 
Locate the Rule ID and select the copy button. 
- 
Select Cancel to return to the Magic Firewall page. 
In this section, you will run a test query to retrieve a five minute count of all configured Magic Firewall rules within five minute intervals. You can copy and paste the code below into GraphiQL.
For additional information about the Analytics schema, refer to Explore the Analytics schema with GraphiQL.
query MagicFirewallExample($accountTag: string!, $start: Time, $end: Time) {  viewer {    accounts(filter: { accountTag: $accountTag }) {      magicFirewallSamplesAdaptiveGroups(        filter: { datetime_geq: $start, datetime_leq: $end }        limit: 2        orderBy: [datetimeFiveMinute_DESC]      ) {        sum {          bits          packets        }        dimensions {          datetimeFiveMinute          ruleId        }      }    }  }}Use the example below to display the total number of packets and bits for the top ten suspected malicious traffic streams within the last hour. After receiving the results, you can sort by packet rates with a five minute average.
For each stream, display the:
- Source and destination IP addresses
- Ingress Cloudflare data centers that received it
- Total traffic volume in bits and packets received within the hour
- Actions taken by the firewall rule
query MagicFirewallObtainRules(  $accountId: string!  $ruleId: string  $start: Time  $end: Time) {  viewer {    accounts(filter: { accountTag: $accountId }) {      magicFirewallNetworkAnalyticsAdaptiveGroups(        filter: { ruleId: $ruleId, datetime_geq: $start, datetime_leq: $end }        limit: 10        orderBy: [avg_packetRateFiveMinutes_DESC]      ) {        sum {          bits          packets        }        dimensions {          coloCity          ipDestinationAddress          ipSourceAddress          outcome        }      }    }  }}Use the example below to display the total number of packets and bits for the top 10 traffic streams that Magic Firewall IDS has detected in the last hour.
By setting verdict to drop and outcome as pass, we are filtering for traffic that was marked as a detection (i.e. verdict was drop) but was not dropped (for example, outcome was pass). This is because currently, Magic Firewall IDS only detects malicious traffic but does not drop the traffic.
For each stream, display the:
- Source and destination IP addresses.
- Ingress Cloudflare data centers that received it.
- Total traffic volume in bits and packets received within the hour.
query MagicFirewallObtainIDS($accountTag: string!, $start: Time, $end: Time) {  viewer {    accounts(filter: { accountTag: $accountTag }) {      magicIDPSNetworkAnalyticsAdaptiveGroups(        filter: {          datetime_geq: $start          datetime_leq: $end          verdict: drop          outcome: pass        }        limit: 10        orderBy: [avg_packetRateFiveMinutes_DESC]      ) {        sum {          bits          packets        }        dimensions {          coloCity          ipDestinationAddress          ipSourceAddress        }      }    }  }}Alternatively, to inspect all traffic that was analyzed, but grouped into malicious traffic and other traffic, the example below can be used. The response will contain two entries for each five minute timestamp. verdict will be set to drop for malicious traffic, and verdict will be set to pass for traffic that did not match any of the IDS rules.
query MagicFirewallTraffic($accountTag: string!, $start: Time, $end: Time) {  viewer {    accounts(filter: { accountTag: $accountTag }) {      magicIDPSNetworkAnalyticsAdaptiveGroups(        filter: { datetime_geq: $start, datetime_leq: $end }        limit: 10        orderBy: [avg_packetRateFiveMinutes_DESC]      ) {        sum {          bits          packets        }        dimensions {          coloCity          ipDestinationAddress          ipSourceAddress          verdict        }      }    }  }}Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark