Back to all summaries

Turning Cloudflare’s threat indicators into real-time WAF rules

Alexandra Moraru, Harsh Saxena, Georgie Yoxall, Brian Seel
Security WAF Threat Intelligence Cloudforce One Product News

AI-Generated Summary: This is an automated summary created using AI. For the full details and context, please read the original post.

Cloudflare Integrates Threat Intelligence into WAF Marx

Cloudflare has announced a new integration that brings its vast threat intelligence directly into the WAF (Web Application Firewall) engine. This allows developers to write proactive rules using live intelligence data, enabling them to add more context to protect their applications against known bad actors. The integration uses specialized fields to populate WAF rules, including threat actor names, targeted industries, and attack types.

Key Technical Details

The integration is built on Cloudflare's always-on detection framework, which separates detection from mitigation. This allows threat intelligence to run in the background, enriching HTTP request analytics with insightful threat metadata. The integration exposes new WAF fields, including:

  • cf.intel.ip.attacker_names: Names of known threat groups
  • cf.intel.ip.target_industries: Industries targeted by this IP
  • cf.intel.ip.attacker_countries: Source country of the threat event
  • cf.intel.ip.target_countries: Countries targeted by the threat event
  • cf.intel.ip.datasets: Source feed providing the data

Practical Implications for Developers

Developers can now write rules that block traffic based on threat actor names, targeted industries, and attack types. For example, a rule can block traffic from an IP associated with a known threat group, such as CRAVENFLEA. The integration also provides insights into traffic patterns, allowing developers to verify traffic before blocking it. This eliminates the traditional "log vs. block" trade-off, providing visibility into how other signatures would have assessed the traffic.

Future Development

Cloudflare is already looking to extend the capabilities to JA3 fingerprints and domain-based matching, allowing developers to block malicious traffic even when attackers rotate IPs.

Want to read the full article?

Read Full Post on Cloudflare Blog