Skip to content

Custom Indicator Feeds

Cloudflare’s threat intelligence team crowdsources attack trends and protects users automatically, such as from zero-day vulnerabilities like the HTTP/2 Rapid Reset attack. However, in some cases, Cloudflare will partner with external entities that have their own feeds which can be shared with eligible Cloudflare users.

With Custom Indicator Feeds, Cloudflare provides a threat intelligence feed based on data received from various Cyber Defense Collaboration groups. The security filtering capabilities are available to eligible public and private sector organizations.

Publicly available feeds

Cloudflare provides some feeds to Gateway users without the need to establish a provider relationship.

NameDescriptionAvailability
Treasury Early Indicator FeedThreat data for financial institutions provided by the US Department of Treasury and Pacific Northwest National Laboratory (PNNL). For more information, contact your account team.Approved financial services organizations
UK NCSC Public Threat IndicatorsRecursive DNS service supplied by the UK National Cyber Security Centre (NCSC) to block DNS-based malware.All users

Get started

Cloudflare threat intelligence data consists of a data exchange between providers and subscribers.

A provider is an organization that has a set of data that they are interested in sharing with other Cloudflare organizations. Any organization can be a provider. Examples of current providers are Government Cyber Defense groups.

Subscribers can be any Cloudflare customer that wants to secure their environment further by creating rules based on provider datasets. Subscribers must be authorized by a provider. Authorization is granted using the Grant permission to indicator feed endpoint.

If your organization is interested in becoming a provider or a subscriber, contact your account team.

Create a Custom Indicator Feed

Providers can create and manage a Custom Indicator Feed with the Custom Indicator Feeds API endpoints:

  1. Contact your account team to configure your account as an indicator feed provider.

  2. Create a feed with the Create new indicator feed endpoint. Make note of the feed_id generated for your feed. For example:

    Create new indicator feed
    curl "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/intel/indicator-feeds" \
    --header 'Content-Type: application/json' \
    --header 'X-Auth-Email: <EMAIL>' \
    --header 'X-Auth-Key: <API_KEY>' \
    --data '{
    "description": "Custom indicator feed to detect threats",
    "name": "threat_indicator_feed"
    }'
    {
    "result": {
    "id": 10,
    "name": "threat_indicator_feed",
    "description": "Custom indicator feed to detect threats",
    "created_on": "2024-09-17T21:16:09.412Z",
    "modified_on": "2024-09-17T21:16:09.412Z"
    },
    "success": true,
    "errors": [],
    "messages": []
    }
  3. Upload data to the feed with the Update indicator feed data endpoint. Uploaded indicator data must be in a .stix2 formatted file.

    Update indicator feed data
    curl --request PUT \
    "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/intel/indicator-feeds/<FEED_ID>/snapshot" \
    --header 'Content-Type: multipart/form-data' \
    --header 'X-Auth-Email: <EMAIL>' \
    --header 'X-Auth-Key: <API_KEY>' \
    --form 'source=@/path/to/file'
    {
    "result": {
    "file_id": 1,
    "filename": "snapshot_file.unified",
    "status": "unified"
    },
    "errors": [],
    "messages": [],
    "success": true
    }
  4. (Optional) Verify the status of your feed upload with the Get indicator feed data endpoint. For example:

    Get indicator feed data
    curl --request GET \
    "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/intel/indicator-feeds/<FEED_ID>/data" \
    --header 'Content-Type: application/json' \
    --header 'X-Auth-Email: <EMAIL>' \
    --header 'X-Auth-Key: <API_KEY>'
    {
    "result": {
    "id": 10,
    "name": "threat_indicator_feed",
    "description": "Custom indicator feed to detect threats",
    "created_on": "2023-08-01T18:00:26.65715Z",
    "modified_on": "2023-08-01T18:00:26.65715Z",
    "latest_upload_status": "Complete"
    },
    "success": true,
    "errors": [],
    "messages": []
    }
  5. Grant access to subscribers with the Grant permission to indicator feed endpoint. You can add subscribers to the feed’s allowed subscribers list using their account IDs. For example:

    Update indicator feed data
    curl --request PUT \
    "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/intel/indicator-feeds/<FEED_ID>/snapshot" \
    --header 'Content-Type: multipart/form-data' \
    --header 'X-Auth-Email: <EMAIL>' \
    --header 'X-Auth-Key: <API_KEY>' \
    --data '{
    "account_tag": "823f45f16fd2f7e21e1e054aga4d2859",
    "feed_id": 10
    }'

Use a feed in Gateway

Once an account is granted access to a feed, it will be available to match traffic as a selector in Gateway DNS policies.

  1. In Zero Trust, go to Gateway > Firewall Policies. Select DNS.

  2. To create a new DNS policy, select Add a policy.

  3. Name your policy.

  4. In Traffic, add a condition with the Indicator Feeds selector. If your account has been granted access to a Custom Indicator Feed, Gateway will list the feed in Value. For example, you can block sites that appear in a feed:

    SelectorOperatorValueAction
    Indicator FeedsinThreat Intel FeedBlock
  5. Select Create policy.

For more information on creating Gateway policies, refer to DNS policies.