Threat intelligence fields

The threat intelligence detection populates the following fields when the client IP address is found in the threat intelligence database. If the IP address is not found, the fields are empty.

All fields are arrays. Use the any() function with the [*] wildcard to match values.

Threat intelligence datasets
  Field: cf.intel.ip.datasets
  Type: Array<String>
  Dataset that flagged the IP address. Values: ddos, waf.

Target industries
  Field: cf.intel.ip.target_industries
  Type: Array<String>
  Industries this IP address has targeted. Refer to target industries for valid values.

Attacker names
  Field: cf.intel.ip.attacker_names
  Type: Array<String>
  Threat actor names associated with this IP address (for example, CONVOLUTEDKRILL).

Attacker countries
  Field: cf.intel.ip.attacker_countries
  Type: Array<String>
  Source countries of the threat activity, as ISO 3166-1 Alpha 2 codes.

Target countries
  Field: cf.intel.ip.target_countries
  Type: Array<String>
  Countries this IP address has targeted, as ISO 3166-1 Alpha 2 codes.

Case sensitivity

Values are case-sensitive. Use the casing shown in the examples: ddos (lowercase), FR (uppercase country codes), Banking & Financial Services (title case), BLACKBASTA (uppercase attacker names).

To discover valid values for your traffic, use the Threat Events dashboard.

Matching behavior

Fields reflect all threat activity for an IP address over the past seven days, flattened into a single set of values per field.

A value in one field does not have to come from the same threat event as a value in another field. For example, this expression matches if the IP has any China-origin activity and any banking-targeted activity — even from separate events:

any(cf.intel.ip.attacker_countries[*] == "CN") and any(cf.intel.ip.target_industries[*] == "Banking & Financial Services")

Combining fields across dimensions produces broader matches than you might expect. Test combined rules with the Log action first.
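The following Python model is an added example, not Cloudflare's evaluator or any code from this page. It assumes a simplified picture of the documented behaviour: each threat event carries its own values, the five cf.intel.ip.* fields are the union of those values over the window, and a rule is a conjunction of any(field[*] == "value") terms compared case-sensitively. The sample events are constructed. Running it shows why the expression above matches an IP whose China-origin activity and banking-targeted activity come from two different events, while the same rule evaluated against either event on its own does not.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


# Constructed sample: one IP's threat activity over the seven-day window.
# Two separate events; neither one alone is "CN attacker + Banking target".
@dataclass(frozen=True)
class ThreatEvent:
    datasets: tuple[str, ...]
    attacker_countries: tuple[str, ...]
    target_industries: tuple[str, ...]
    target_countries: tuple[str, ...]
    attacker_names: tuple[str, ...] = ()


EVENTS = [
    ThreatEvent(("ddos",), ("CN",), ("Telecommunications",), ("FR",)),
    ThreatEvent(("waf",), ("RU",), ("Banking & Financial Services",), ("DE",),
                ("BLACKBASTA",)),
]

# Map each documented field name to the attribute of the modelled event.
FIELD_NAMES = {
    "cf.intel.ip.datasets": "datasets",
    "cf.intel.ip.attacker_names": "attacker_names",
    "cf.intel.ip.attacker_countries": "attacker_countries",
    "cf.intel.ip.target_industries": "target_industries",
    "cf.intel.ip.target_countries": "target_countries",
}


def flatten(events):
    """Model the documented flattening: every event's values for a field are
    merged into one deduplicated list per field. An IP with no events yields
    empty arrays, which is the "fields are empty" case on the page."""
    fields = {name: set() for name in FIELD_NAMES}
    for ev in events:
        for name, attr in FIELD_NAMES.items():
            fields[name].update(getattr(ev, attr))
    return {name: sorted(vals) for name, vals in fields.items()}


# Only the any(field[*] == "value") form is modelled (assumption); the real
# ruleset language grammar is considerably larger.
ANY_EQ = re.compile(r'any\((cf\.intel\.ip\.[a-z_]+)\[\*\] == "([^"]*)"\)')


def evaluate(expression, fields):
    """Evaluate a conjunction of any(field[*] == "value") terms over flattened
    fields. Comparison is exact, so casing matters just as the page states."""
    for term in expression.split(" and "):
        m = ANY_EQ.fullmatch(term.strip())
        if m is None:
            raise ValueError(f"unsupported term: {term!r}")
        name, value = m.groups()
        if name not in FIELD_NAMES:
            raise ValueError(f"unknown field: {name}")
        if not any(v == value for v in fields.get(name, [])):
            return False
    return True


RULE = ('any(cf.intel.ip.attacker_countries[*] == "CN") and '
        'any(cf.intel.ip.target_industries[*] == "Banking & Financial Services")')


def matches_flattened(expression=RULE, events=EVENTS):
    """The documented behaviour: evaluate against the union over all events."""
    return evaluate(expression, flatten(events))


def matches_any_single_event(expression=RULE, events=EVENTS):
    """Stricter per-event evaluation, for comparison only; the platform does
    not do this, which is exactly why combined rules match more broadly."""
    return any(evaluate(expression, flatten([ev])) for ev in events)


if __name__ == "__main__":
    print("flattened (documented):", matches_flattened())
    print("same event required:", matches_any_single_event())
    print("IP not in database:", evaluate(RULE, flatten([])))
```

The gap between matches_flattened() and matches_any_single_event() is the broadening the page warns about: a rule that reads like "Chinese attackers hitting banks" actually fires for any IP with both properties somewhere in its seven-day history. Checking a candidate combined rule with the Log action before enforcing it is the practical way to see how wide that net is on real traffic.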

Target industries

The cf.intel.ip.target_industries field uses a fixed set of industry names. Examples:

  • Automotive
  • Banking & Financial Services
  • Cryptocurrency
  • Telecommunications

For the complete list, refer to Threat Events.