Threat intelligence

The threat intelligence detection matches incoming requests against indicators in the Cloudforce One threat intelligence database. The detection matches on client IP address. If the IP was involved in threat activity in the past seven days, Cloudflare populates threat intelligence fields you can use in WAF rule expressions.

You can use these fields in custom rules and rate limiting rules to match on:

• Known threat actor names (cf.intel.ip.attacker_names)
• Industries the IP address has targeted (cf.intel.ip.target_industries)
• Source and target countries of threat activity (cf.intel.ip.attacker_countries, cf.intel.ip.target_countries)
• The dataset that flagged the IP address (cf.intel.ip.datasets — values: ddos, waf)

You can review matches in Security Analytics to see which threat actors and campaigns are reaching your application.

Warning

IP addresses are often shared through NAT, proxies, and cloud providers. Test rules with the Log action first and combine threat intelligence with other signals — such as attack score — before you block.

Data freshness

The threat intelligence database reflects a rolling seven-day window:

• An IP address flagged earlier in the window still matches, even if the threat is no longer active.
• An IP address ages out seven days after the last observed activity. Rules that matched it stop matching with no notification.

Availability

Requires an active Cloudforce One subscription. Contact your account team for access.

The WAF must be enabled on your zone before threat intelligence fields can be used in rule expressions.

More resources

• Threat intelligence fields — Available fields and matching behavior.
• Get started — Create your first threat intelligence rule.
• Threat Events — Investigate threats in the Cloudforce One dashboard.