You can now match incoming requests against Cloudforce One threat intelligence in your WAF rules. A new detection looks up the client IP address of each request against the threat intelligence database. If the IP was involved in threat activity in the past seven days, Cloudflare populates cf.intel.ip.* fields that you can use in custom rules and rate limiting rules.
The detection populates the following fields. Use the any() function with the [*] wildcard to match array values:
cf.intel.ip.datasets— the dataset that flagged the IP address (ddosorwaf).cf.intel.ip.target_industries— industries the IP address has targeted.cf.intel.ip.attacker_names— known threat actors associated with the IP address.cf.intel.ip.attacker_countries— source countries of the threat activity.cf.intel.ip.target_countries— countries the IP address has targeted.
For example, the following custom rule expression blocks requests from IP addresses associated with DDoS activity that have targeted France:
any(cf.intel.ip.target_countries[*] == "FR") and any(cf.intel.ip.datasets[*] == "ddos")These fields work with the Cloudflare API and Terraform. Matches are logged in Security Analytics.
The threat intelligence detection is available to customers with an active Cloudforce One subscription. For more information, refer to Threat intelligence.
Source: Cloudflare
Latest Posts
- (Updated) Microsoft Teams: Attend Microsoft webinars from Teams Rooms on Android [MC1317839]
- (Updated) Create a line-of-business SharePoint Embedded app on SharePoint admin center [MC1290827]
- Simplified Oracle connectivity in Power BI (Preview)
- AWS DevOps Agent expands with custom SRE agents and MCP/A2A protocols
![Dynamics 365 Sales – Redesigned Opportunity Research helps sellers understand deals and take action faster [MC1391944]](https://mwpro.co.uk/wp-content/uploads/2024/08/pexels-scottwebb-311458-150x150.webp "Dynamics 365 Sales - Redesigned Opportunity Research helps sellers understand deals and take action faster [MC1391944] 6")