Cloudflare’s Threat Events provides security analysts with a window into the global threat landscape. The platform offers a peek into the immense traffic that Cloudflare processes every day, so you can see in real time which IPs are attacking specific industries or which threat actors are trending globally. However, translating that visibility into active mitigation has often been a manual, reactive process.
Security teams have faced a recurring frustration: knowing that certain IP addresses were associated with specific threat actors (like Tycoon 2FA or RaccoonO365 ) or had been seen targeting their specific industry in other regions, but they couldn't easily automate the blocking of these high-risk IPs within their own WAF unless they manually configured the rules.
We are excited to announce a new integration that brings Cloudflare’s vast threat intelligence directly into your WAF engine: you can now write proactive rules using live intelligence data . This means you can add more intelligence context to protect your application against known bad actors — before they even attempt to touch your infrastructure. By populating specialized fields during the early stages of a request, the WAF can now screen traffic based on: Who is attacking by matching specific threat actor names Who they are targeting via the industry or country filters to see who the IP has targeted in the past What type of attack using enriched threat context, filtering by attack type (DDoS, WAF, cybercrime, etc.)
and the timeframe it was last seen Always-on detection This new capability is built on the same always-on detection framework we recently introduced for Attack Signature Detection, a system that identifies common attack patterns in real time without requiring pre-configured rules. By separating detection from mitigation, we ensure that threat intelligence is constantly running in the background, enriching your HTTP request analytics with insightful threat metadata before you even decide to take an action.
The primary advantage of an "always-on" model is the elimination of the traditional "log vs. block" trade-off: visibility in log mode, or protection in block mode. That’s because when a rule blocks a request, you lose visibility into how other signatures would have assessed it — insight that could have helped you strengthen your defenses.
If you have a Cloudforce One subscription , these insights appear in your analytics automatically. You can see which threat actors are hitting your site and which industries those IPs usually target, allowing you to verify traffic patterns before "flipping the switch" to block. These detections execute with negligible latency, ensuring your performance remains lightning-fast while providing the high-confidence data needed to build robust security policies.
While this initial release focuses on IP-based matching, we are already looking toward extending these capabilities to JA3 fingerprints and domain-based matching. This will allow you to block malicious traffic even when attackers rotate IPs, by identifying the unique software signatures or malicious destination links they use in their payloads. New WAF fields To make this possible, we've exposed the following specific signals directly to the WAF engine: Field Description cf.
intel. ip. attacker_names Names of known threat groups (e.
g. , CRAVENFLEA ). cf.
intel. ip. target_industries Industries targeted by this IP (e.
g. , Cryptocurrency , Automotive ). cf.
intel. ip. attacker_countries The source country of the threat event.
cf. intel. ip.
target_countries The countries targeted by the threat event. cf. intel.
ip. datasets The source feed providing the data (e. g.
, ddos , waf ). Example rule expressions Because a single IP address could be associated with multiple threat actors or targeted industries simultaneously, these fields are represented as arrays. We use the any() function and [*] wildcard to check whether any value within that threat profile matches your criteria: Block known DDoS participants targeting your region: any(cf.
intel. ip. target_countries[*] == "FR") and any(cf.
intel. ip. datasets[*] == "ddos") Protect against specific threat actors targeting the Finance sector: any(cf.
intel. ip. target_industries[*] == "Banking & Financial Services") and any(cf.
intel. ip. attacker_names[*] == "BLACKBASTA") Broad protection against specific high-risk origin countries: any(cf.
intel. ip. attacker_countries[*] == "IR") How to use Threat Events data in your workflows Whether you prefer a UI-driven approach or Infrastructure as Code , these fields are integrated into your existing workflows.
The WAF rule builder (API & Terraform) For teams that prefer Infrastructure as Code, the new cf. intel fields are fully integrated into the WAF rule builder for WAF custom rules and rate limiting . You can write complex expressions using the same syntax you use today.
Because these are standard WAF fields, they are fully supported via the Cloudflare API and Terraform, allowing you to automate threat blocking across your selected domains or even on your whole account. New fields added to the WAF rule builder to allow users to choose the relevant configuration based on the Threat Events indicators. Visibility in Security Analytics Deployment is only half the battle.
All matches triggered by these threat intelligence fields are logged in Security Analytics . You can drill down into your traffic to see exactly which rule was triggered and which specific indicator matched. These enriched logs allow for faster auditing and postmortem analysis when a rule triggers.
Threat event matches surface in Security Analytics, with full context and a one-click option to create a custom security rule. One-click rule from the Threat Events dashboard If you are already using the Threat Intelligence Dashboard to investigate trends, you don't have to copy and paste IP lists.
Originally published at blog.cloudflare.com
