Cloudflare Docs
Security Center
Edit this page on GitHub
Set theme to dark (⇧+D)

Overview

In the simplest terms, there are providers and subscribers of our threat intelligence data.

A provider is an organization that has a set of data that they are interested in sharing with other Cloudflare organizations. Any organization can be a provider. Examples of current providers are Government Cyber Defense groups.

Subscribers can be any Cloudflare customer that wants to secure their environment further by creating rules based on provider datasets. Subscribers must be authorized by a provider. Authorization is granted using the Indicator Feeds permissions endpoint.

If your organization has interest in becoming a provider or a subscriber, please reach out to your account team, who will help facilitate the required authorization.

​​ Get started

Managing a Custom Indicator Feed is only available using the Indicator API endpoints.

  1. The first thing a provider needs to do is create a feed. Feeds are lists of indicators and can be created using the Create new indicator feed endpoint.

  2. After a feed is created, you can upload data to it. Uploading data to a feed is done through the Snapshots API endpoint. They are called snapshots because if a provider needs to update their feed with new data, they must upload a file containing all previous and new indicators.

  1. Finally, in order to grant access to a subscriber, any administrator of the account that owns the feed must add the subscribers account_tag to the feeds allowed subscribers list. This can be done using the permissions API endpoint.

​​ Use a feed in Gateway

Once an account is granted access to a feed, it will be available as a selectable item in Gateway.

  1. In Zero Trust, go to Gateway > Firewall Policies. Select DNS.
  2. To create a new DNS policy, select Add a policy.
  3. Name your policy, add a Traffic Condition, and select Indicator Feeds from the Selector dropdown.

If your account has been granted access to a Custom Indicator Feed, Gateway will list the feed in the Value dropdown.

Example of creating a Gateway DNS policy rule with Custom Indicator Feeds