Overview
In the simplest terms, there are providers and subscribers of our threat intelligence data.
A provider is an organization that has a set of data that they are interested in sharing with other Cloudflare organizations. Any organization can be a provider. Examples of current providers are Government Cyber Defense groups.
Subscribers can be any Cloudflare customer that wants to secure their environment further by creating rules based on provider datasets. Subscribers must be authorized by a provider. Authorization is granted using the Indicator Feeds permissions endpoint.
If your organization has interest in becoming a provider or a subscriber, contact your account team, who will help facilitate the required authorization.
Get started
Managing a Custom Indicator Feed is only available using the Indicator API endpoints.
The first thing a provider needs to do is create a feed. Feeds are lists of indicators and can be created using the Create new indicator feed endpoint.
After a feed is created, you can upload data to it. Uploading data to a feed is done through the
SnapshotsAPI endpoint. They are called snapshots because if a provider needs to update their feed with new data, they must upload a file containing all previous and new indicators.
- Finally, in order to grant access to a subscriber, any administrator of the account that owns the feed must add the subscribers
account_tagto the feeds allowed subscribers list. This can be done using thepermissionsAPI endpoint.
Use a feed in Gateway
Once an account is granted access to a feed, it will be available as a selectable item in Gateway.
- In Zero Trust, go to Gateway > Firewall Policies. Select DNS.
- To create a new DNS policy, select Add a policy.
- Name your policy, add a Traffic Condition, and select Indicator Feeds from the Selector dropdown.
If your account has been granted access to a Custom Indicator Feed, Gateway will list the feed in the Value dropdown.
