Custom Indicator Feeds
Cloudflare’s threat intelligence team crowdsources attack trends and protects users automatically, such as from zero-day vulnerabilities like the HTTP/2 Rapid Reset attack ↗. However, in some cases, Cloudflare will partner with external entities that have their own feeds which can be shared with eligible Cloudflare users.
With Custom Indicator Feeds, Cloudflare provides a threat intelligence feed based on data received from various Cyber Defense Collaboration groups. The security filtering capabilities are available to eligible public and private sector organizations.
Cloudflare provides some feeds to Gateway users without the need to establish a provider relationship.
| Name | Description | Availability |
|---|---|---|
| Treasury Early Indicator Feed ↗ | Threat data for financial institutions provided by the US Department of Treasury and Pacific Northwest National Laboratory (PNNL). For more information, contact your account team. | Approved financial services organizations |
| UK NCSC Public Threat Indicators ↗ | Recursive DNS service supplied by the UK National Cyber Security Centre (NCSC) to block DNS-based malware. | All users |
Cloudflare threat intelligence data consists of a data exchange between providers and subscribers.
A provider is an organization that has a set of data that they are interested in sharing with other Cloudflare organizations. Any organization can be a provider. Examples of current providers are Government Cyber Defense groups.
Subscribers can be any Cloudflare customer that wants to secure their environment further by creating rules based on provider datasets. Subscribers must be authorized by a provider. Authorization is granted using the Grant permission to indicator feed endpoint.
If your organization is interested in becoming a provider or a subscriber, contact your account team.
Providers can create and manage a Custom Indicator Feed with the Custom Indicator Feeds API endpoints:
-
Contact your account team to configure your account as an indicator feed provider.
-
Create a feed with the Create new indicator feed endpoint. Make note of the
feed_idgenerated for your feed. For example:Create new indicator feed curl "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/intel/indicator-feeds" \--header 'Content-Type: application/json' \--header 'X-Auth-Email: <EMAIL>' \--header 'X-Auth-Key: <API_KEY>' \--data '{"description": "Custom indicator feed to detect threats","name": "threat_indicator_feed"}'{"result": {"id": 10,"name": "threat_indicator_feed","description": "Custom indicator feed to detect threats","created_on": "2024-09-17T21:16:09.412Z","modified_on": "2024-09-17T21:16:09.412Z"},"success": true,"errors": [],"messages": []} -
Upload data to the feed with the Update indicator feed data endpoint. Uploaded indicator data must be in a
.stix2↗ formatted file.Update indicator feed data curl --request PUT \"https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/intel/indicator-feeds/<FEED_ID>/snapshot" \--header 'Content-Type: multipart/form-data' \--header 'X-Auth-Email: <EMAIL>' \--header 'X-Auth-Key: <API_KEY>' \--form 'source=@/path/to/file'{"result": {"file_id": 1,"filename": "snapshot_file.unified","status": "unified"},"errors": [],"messages": [],"success": true} -
(Optional) Verify the status of your feed upload with the Get indicator feed data endpoint. For example:
Get indicator feed data curl --request GET \"https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/intel/indicator-feeds/<FEED_ID>/data" \--header 'Content-Type: application/json' \--header 'X-Auth-Email: <EMAIL>' \--header 'X-Auth-Key: <API_KEY>'{"result": {"id": 10,"name": "threat_indicator_feed","description": "Custom indicator feed to detect threats","created_on": "2023-08-01T18:00:26.65715Z","modified_on": "2023-08-01T18:00:26.65715Z","latest_upload_status": "Complete"},"success": true,"errors": [],"messages": []} -
Grant access to subscribers with the Grant permission to indicator feed endpoint. You can add subscribers to the feed’s allowed subscribers list using their account IDs. For example:
Update indicator feed data curl --request PUT \"https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/intel/indicator-feeds/<FEED_ID>/snapshot" \--header 'Content-Type: multipart/form-data' \--header 'X-Auth-Email: <EMAIL>' \--header 'X-Auth-Key: <API_KEY>' \--data '{"account_tag": "823f45f16fd2f7e21e1e054aga4d2859","feed_id": 10}'
Once an account is granted access to a feed, it will be available to match traffic as a selector in Gateway DNS policies.
-
In Zero Trust ↗, go to Gateway > Firewall Policies. Select DNS.
-
To create a new DNS policy, select Add a policy.
-
Name your policy.
-
In Traffic, add a condition with the Indicator Feeds selector. If your account has been granted access to a Custom Indicator Feed, Gateway will list the feed in Value. For example, you can block sites that appear in a feed:
Selector Operator Value Action Indicator Feeds in Threat Intel Feed Block -
Select Create policy.
For more information on creating Gateway policies, refer to DNS policies.