Custom Indicator Feeds
Cloudflare’s threat intelligence team crowdsources attack trends and protects users automatically, for example from zero-day vulnerabilities such as the HTTP/2 Rapid Reset attack. In some cases, however, Cloudflare partners with external entities that maintain their own feeds, which can be shared with eligible Cloudflare users.
With Custom Indicator Feeds, Cloudflare provides a threat intelligence feed based on data received from various Cyber Defense Collaboration groups. The security filtering capabilities are available to eligible public and private sector organizations.
Cloudflare provides some feeds to Gateway users without the need to establish a provider relationship.
Name | Description | Availability |
---|---|---|
Treasury Early Indicator Feed | Threat data for financial institutions provided by the US Department of Treasury and Pacific Northwest National Laboratory (PNNL). For more information, contact your account team. | Approved financial services organizations |
UK NCSC Public Threat Indicators | Recursive DNS service supplied by the UK National Cyber Security Centre (NCSC) to block DNS-based malware. | All users |
Cloudflare threat intelligence data consists of a data exchange between providers and subscribers.
A provider is an organization that has a set of data that they are interested in sharing with other Cloudflare organizations. Any organization can be a provider. Examples of current providers are Government Cyber Defense groups.
A subscriber can be any Cloudflare customer that wants to secure their environment further by creating rules based on provider datasets. Subscribers must be authorized by a provider. Authorization is granted using the Indicator Feeds permissions endpoint.
If your organization is interested in becoming a provider or a subscriber, contact your account team.
Providers can create and manage a Custom Indicator Feed with the Indicator API endpoints:
- Create a feed with the Create new indicator feed endpoint. Feeds are lists of indicators.
- Upload data to the feed with the Update indicator feed data endpoint. Uploaded indicator data must be in a `.stix2` formatted file.
- Grant access to subscribers with the Grant permission to indicator feed endpoint. Any administrator of the account that owns the feed must add subscribers’ `account_tag`s to the feed’s allowed subscribers list.
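The steps above leave open what the `.stix2` file actually has to contain and how to check it before uploading. The following is an added example, not Cloudflare's code or any project's published tooling: it builds a STIX 2.1 bundle of domain-name indicators (the assumption being that domain indicators are what a Gateway DNS policy acts on), validates the bundle, extracts the domains it would contribute, and describes the three provider API calls as request specifications without sending anything. The API paths in `plan_provider_requests` are assumed from the Cloudflare API reference and should be checked against the current reference; the account id, feed id, subscriber tag and domain names are constructed placeholders.

```python
"""Build and sanity-check a STIX 2.1 bundle for a Custom Indicator Feed.

Added example, not Cloudflare's code. Assumes domain-name indicators and the
API paths noted in plan_provider_requests(); verify both before real use.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# A single STIX comparison expression for one domain, e.g.
# [domain-name:value = 'c2.example']
DOMAIN_PATTERN = re.compile(r"^\[domain-name:value = '([A-Za-z0-9.-]+)'\]$")


def utc_now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(domain, created=None):
    """One STIX 2.1 Indicator object describing a domain."""
    created = created or utc_now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": created,
        "modified": created,
        "name": f"Known-bad domain {domain}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[domain-name:value = '{domain}']",
        "pattern_type": "stix",
        "valid_from": created,
    }


def build_bundle(domains, created=None):
    """Wrap one indicator per domain in a STIX 2.1 Bundle."""
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [make_indicator(d, created) for d in domains],
    }


def validate_bundle(bundle):
    """Return a list of problems; an empty list means the bundle looks uploadable."""
    problems = []
    if bundle.get("type") != "bundle":
        problems.append("top-level object is not a STIX bundle")
    for i, obj in enumerate(bundle.get("objects", [])):
        where = f"objects[{i}]"
        if obj.get("type") != "indicator":
            problems.append(f"{where}: type {obj.get('type')!r} is not 'indicator'")
            continue
        if obj.get("spec_version") != "2.1":
            problems.append(f"{where}: spec_version must be '2.1'")
        if obj.get("pattern_type") != "stix":
            problems.append(f"{where}: pattern_type must be 'stix'")
        if not DOMAIN_PATTERN.match(obj.get("pattern", "")):
            problems.append(f"{where}: pattern is not a single domain-name comparison")
        for field in ("id", "created", "modified", "valid_from"):
            if field not in obj:
                problems.append(f"{where}: missing required field {field!r}")
    return problems


def extract_domains(bundle):
    """Domains the feed would contribute, in file order, duplicates dropped."""
    seen = []
    for obj in bundle.get("objects", []):
        m = DOMAIN_PATTERN.match(obj.get("pattern", ""))
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def write_feed_file(bundle, path="feed.stix2"):
    """Serialize the bundle to the .stix2 file that gets uploaded."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(bundle, fh, indent=2)
    return path


def plan_provider_requests(account_id, feed_id, subscriber_tag, feed_path="feed.stix2"):
    """The three provider calls from the list above, as request descriptions.
    Paths are an assumption taken from the Cloudflare API reference; nothing is sent."""
    base = f"/accounts/{account_id}/intel/indicator-feeds"
    return [
        {"step": "create feed", "method": "POST", "path": base,
         "json": {"name": "example-feed", "description": "Constructed example feed"}},
        {"step": "upload data", "method": "PUT", "path": f"{base}/{feed_id}/snapshot",
         "files": {"source": feed_path}},
        {"step": "grant access", "method": "PUT", "path": f"{base}/permissions/add",
         "json": {"account_tag": subscriber_tag, "feed_id": feed_id}},
    ]


if __name__ == "__main__":
    # Constructed sample input; the duplicate shows de-duplication on extraction.
    sample = ["malware-c2.example", "phish.example", "malware-c2.example"]
    bundle = build_bundle(sample)
    print("problems:", validate_bundle(bundle))
    print("domains:", extract_domains(bundle))
    print("written:", write_feed_file(bundle))
    print(json.dumps(plan_provider_requests("ACCOUNT_ID", 12, "SUBSCRIBER_TAG"), indent=2))
```

Run `validate_bundle` on any file you receive from an upstream source before uploading it as a snapshot: a bundle that passes here but whose indicators are not domain comparisons would upload fine yet match nothing in a DNS policy, which is the silent failure a provider most wants to catch.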
Once an account is granted access to a feed, it will be available to match traffic as a selector in Gateway DNS policies.
1. In Zero Trust, go to Gateway > Firewall Policies. Select DNS.
2. To create a new DNS policy, select Add a policy.
3. Name your policy.
4. In Traffic, add a condition with the Indicator Feeds selector. If your account has been granted access to a Custom Indicator Feed, Gateway will list the feed in Value. For example, you can block sites that appear in a feed:

Selector | Operator | Value | Action |
---|---|---|---|
Indicator Feeds | in | Threat Intel Feed | Block |

5. Select Create policy.
For more information on creating Gateway policies, refer to DNS policies.