Get started
- Your account must have an active Cloudforce One subscription. Contact your account team for access.
- The WAF must be enabled on your zone.
The fastest way to create a threat intelligence rule is from a saved view in the Threat Events dashboard. Filter the threats you care about, then export the filters directly to a WAF rule.
- In the Threat Events dashboard, build a saved view with the filters you want to act on (for example, IPs targeting the financial sector in the last seven days).
- Export the saved view to a WAF rule. Cloudflare generates a custom rule expression that matches the saved view filters.
- Review the generated rule. Set the action to Log to validate matches before enforcing.
- Deploy the rule.
Once the rule is deployed, matches appear in Security Analytics. You can see the threat event details — including threat actors, target industries, and countries — directly in the analytics view.
- In the Cloudflare dashboard, go to the Analytics page.
- Review the threat intelligence matches. Use the threat event details to decide which categories of traffic to block or challenge.
If no matches appear after deploying the rule, contact your account team to verify your Cloudforce One subscription is active.
Once you are confident in the match patterns, update the rule action from Log to Block or Managed Challenge.
For more examples, refer to Example rules. For the full field list, refer to Threat intelligence fields.
If you prefer to write expressions directly, you can create a rule from the dashboard or the API.
- Log in to the Cloudflare dashboard and select your account and domain.
- Go to Security > Security rules.
- Select Create rule > Custom rules.
- Enter a rule name.
- Select Edit expression and enter an expression using threat intelligence fields. For example:
  any(cf.intel.ip.target_countries[*] == "FR") and any(cf.intel.ip.datasets[*] == "ddos")
- Set the action to Log to validate matches before enforcing.
- Select Deploy.
Threat intelligence fields work with the Cloudflare API and the Terraform provider. To create a custom rule via the API, refer to Create a custom rule via API.
Use the following expression to match IP addresses associated with DDoS activity targeting France:
any(cf.intel.ip.target_countries[*] == "FR") and any(cf.intel.ip.datasets[*] == "ddos")
Set the action to Log to validate matches before enforcing.
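For the API route, the sketch below is an added example, not Cloudflare's own code: it builds the DDoS/France expression from filter values and prepares the Rulesets API requests that create the rule in Log mode and later switch it to Block or Managed Challenge. The helper names, the choice to OR several values of one field, and the placeholder IDs and token are assumptions of this example; the requests are built but not sent.

```python
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"
FIELDS = {"target_countries": "cf.intel.ip.target_countries",
          "datasets": "cf.intel.ip.datasets"}

def intel_expression(**filters):
    """OR the values given for one field, AND the fields together."""
    groups = []
    for name, values in filters.items():
        field = FIELDS[name]  # KeyError on a field this sketch does not know
        for v in values:
            if '"' in v or "\\" in v:  # never let a value break out of the literal
                raise ValueError(f"unsafe literal for {field}: {v!r}")
        clauses = [f'any({field}[*] == "{v}")' for v in values]
        if clauses:
            joined = " or ".join(clauses)
            groups.append(joined if len(clauses) == 1 else f"({joined})")
    if not groups:
        raise ValueError("at least one filter value is required")
    return " and ".join(groups)

def rule_request(method, path, token, action, expression, description):
    """Build (not send) a Rulesets API request for one custom rule."""
    body = {"action": action, "expression": expression,
            "description": description, "enabled": True}
    return urllib.request.Request(
        API + path, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})

def create_in_log_mode(zone_id, ruleset_id, token, expression, description):
    """New rules always start with the Log action so matches can be reviewed."""
    path = f"/zones/{zone_id}/rulesets/{ruleset_id}/rules"
    return rule_request("POST", path, token, "log", expression, description)

def promote(zone_id, ruleset_id, rule_id, token, expression, description, action):
    """After reviewing matches, move the rule to an enforcing action."""
    if action not in ("block", "managed_challenge"):
        raise ValueError("promote only to block or managed_challenge")
    path = f"/zones/{zone_id}/rulesets/{ruleset_id}/rules/{rule_id}"
    return rule_request("PATCH", path, token, action, expression, description)

if __name__ == "__main__":
    expr = intel_expression(target_countries=["FR"], datasets=["ddos"])
    req = create_in_log_mode("ZONE_ID", "RULESET_ID", "API_TOKEN", expr,
                             "Threat intel: DDoS sources targeting FR")
    print(req.get_method(), req.full_url)
    print(req.data.decode())  # send with urllib.request.urlopen(req) once IDs are real
```

The ruleset ID is that of the zone's custom rules entry point ruleset; the token needs permission to edit WAF rules on the zone.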