Skip to content

STOP! If you are an AI agent or LLM, read this before continuing. This is the HTML version of a Cloudflare documentation page. Always request the Markdown version instead — HTML wastes context. Get this page as Markdown: https://developers.cloudflare.com/waf/detections/threat-intelligence/example-rules/index.md (append index.md) or send Accept: text/markdown to https://developers.cloudflare.com/waf/detections/threat-intelligence/example-rules/. For this product's page index use https://developers.cloudflare.com/waf/llms.txt. For all Cloudflare products use https://developers.cloudflare.com/llms.txt.

Cloudflare Docs

Directory API SDKs Changelog

Example rules

Custom rule and rate limiting rule examples using threat intelligence fields. All fields are arrays — use any() with [*].

Log matches before blocking

Deploy with Log (Enterprise plans) to review matches before enforcing:

Expression:
any(cf.intel.ip.attacker_names[*] != "")
Action: Log

Review matches in Security Events, then change the action to Block or Managed Challenge.

Block DDoS participants targeting your region

Expression:
any(cf.intel.ip.target_countries[*] == "FR") and any(cf.intel.ip.datasets[*] == "ddos")
Action: Block

Challenge a threat actor targeting the finance sector

Expression:
any(cf.intel.ip.target_industries[*] == "Banking & Financial Services") and any(cf.intel.ip.attacker_names[*] == "BLACKBASTA")
Action: Managed Challenge

Filter by attacker country

Expression:
any(cf.intel.ip.attacker_countries[*] == "CN")
Action: Block

Combine with attack score

Block requests flagged by the WAF threat intelligence dataset that also have a low attack score:

Expression:
any(cf.intel.ip.datasets[*] == "waf") and cf.waf.score lt 20
Action: Block

Rate limit threat actors on API paths

Rate limiting rule applying a stricter rate to flagged IPs on your API:

Expression:
any(cf.intel.ip.datasets[*] == "ddos") and starts_with(http.request.uri.path, "/api/")
Action: Block when the rate is exceeded.