diff --git a/src/content/docs/security-center/indicator-feeds.mdx b/src/content/docs/security-center/indicator-feeds.mdx index 3c4b4b86f6fa84..4fbe3457eabc0f 100644 --- a/src/content/docs/security-center/indicator-feeds.mdx +++ b/src/content/docs/security-center/indicator-feeds.mdx 
@@ -28,14 +28,104 @@ If your organization is interested in becoming a provider or a subscriber, conta ### Create a Custom Indicator Feed -Providers can create and manage a Custom Indicator Feed with the [Indicator API endpoints](/api/operations/custom-indicator-feeds-get-indicator-feeds): +Providers can create and manage a Custom Indicator Feed with the [Custom Indicator Feeds API endpoints](/api/operations/custom-indicator-feeds-get-indicator-feeds): + +1. Contact your account team to configure your account as an indicator feed provider. +2. Create a feed with the [Create new indicator feed endpoint](/api/operations/custom-indicator-feeds-create-indicator-feeds). Make note of the `feed_id` generated for your feed. For example: + + ```bash title="Create new indicator feed" + curl "https://api.cloudflare.com/client/v4/accounts//intel/indicator-feeds" \ + --header 'Content-Type: application/json' \ + --header 'X-Auth-Email: ' \ + --header 'X-Auth-Key: ' \ + --data '{ + "description": "Custom indicator feed to detect threats", + "name": "threat_indicator_feed" + }' + ``` + + ```json output {3} + { + "result": { + "id": 10, + "name": "threat_indicator_feed", + "description": "Custom indicator feed to detect threats", + "created_on": "2024-09-17T21:16:09.412Z", + "modified_on": "2024-09-17T21:16:09.412Z" + }, + "success": true, + "errors": [], + "messages": [] + } + ``` + +3. Upload data to the feed with the [Update indicator feed data endpoint](/api/operations/custom-indicator-feeds-update-indicator-feed-data). Uploaded indicator data must be in a [`.stix2`](https://oasis-open.github.io/cti-documentation/stix/intro) formatted file. 
+ + ```bash title="Update indicator feed data" + curl --request PUT \ + "https://api.cloudflare.com/client/v4/accounts//intel/indicator-feeds//snapshot" \ + --header 'Content-Type: multipart/form-data' \ + --header 'X-Auth-Email: ' \ + --header 'X-Auth-Key: ' \ + --form 'source=@/path/to/file' + ``` + + ```json output + { + "result": { + "file_id": 1, + "filename": "snapshot_file.unified", + "status": "unified" + }, + "errors": [], + "messages": [], + "success": true + } + ``` -1. Create a feed with the [Create new indicator feed endpoint](/api/operations/custom-indicator-feeds-create-indicator-feeds). Feeds are lists of indicators. -2. Upload data to the feed with the [Update indicator feed data endpoint](/api/operations/custom-indicator-feeds-update-indicator-feed-data). Uploaded indicator data must be in a [`.stix2`](https://oasis-open.github.io/cti-documentation/stix/intro) formatted file. :::note Indicator feeds use a snapshot system. To update feeds with new data, providers must upload a file containing all previous and new indicators. ::: -3. Grant access to subscribers with the [Grant permission to indicator feed endpoint](/api/operations/custom-indicator-feeds-add-permission). Any administrator of the account that owns the feed must add subscribers' `account_tag`s to the feed's allowed subscribers list. + +4. (Optional) Verify the status of your feed upload with the [Get indicator feed data endpoint](/api/operations/custom-indicator-feeds-get-indicator-feed-data). 
For example: + + ```bash title="Get indicator feed data" + curl --request GET \ + "https://api.cloudflare.com/client/v4/accounts//intel/indicator-feeds//data" \ + --header 'Content-Type: application/json' \ + --header 'X-Auth-Email: ' \ + --header 'X-Auth-Key: ' + ``` + + ```json output {8} + { + "result": { + "id": 10, + "name": "threat_indicator_feed", + "description": "Custom indicator feed to detect threats", + "created_on": "2023-08-01T18:00:26.65715Z", + "modified_on": "2023-08-01T18:00:26.65715Z", + "latest_upload_status": "Complete" + }, + "success": true, + "errors": [], + "messages": [] + } + ``` + +5. Grant access to subscribers with the [Grant permission to indicator feed endpoint](/api/operations/custom-indicator-feeds-add-permission). You can add subscribers to the feed's allowed subscribers list using their [account IDs](/fundamentals/setup/find-account-and-zone-ids/). For example: + + ```bash title="Update indicator feed data" + curl --request PUT \ + "https://api.cloudflare.com/client/v4/accounts//intel/indicator-feeds//snapshot" \ + --header 'Content-Type: multipart/form-data' \ + --header 'X-Auth-Email: ' \ + --header 'X-Auth-Key: ' \ + --data '{ + "account_tag": "823f45f16fd2f7e21e1e054aga4d2859", + "feed_id": 10 + }' + ``` ### Use a feed in Gateway diff --git a/src/content/partials/security-center/indicator-feeds-overview.mdx b/src/content/partials/security-center/indicator-feeds-overview.mdx index 16668deb063f8b..b87ca9d69cb901 100644 --- a/src/content/partials/security-center/indicator-feeds-overview.mdx +++ b/src/content/partials/security-center/indicator-feeds-overview.mdx 
@@ -8,4 +8,4 @@ Cloudflare threat intelligence data consists of a data exchange between provider A provider is an organization that has a set of data that they are interested in sharing with other Cloudflare organizations. Any organization can be a provider. Examples of current providers are Government Cyber Defense groups. -Subscribers can be any Cloudflare customer that wants to secure their environment further by creating rules based on provider datasets. Subscribers must be authorized by a provider. Authorization is granted using the [Indicator Feeds permissions endpoint](/api/operations/custom-indicator-feeds-add-permission). +Subscribers can be any Cloudflare customer that wants to secure their environment further by creating rules based on provider datasets. Subscribers must be authorized by a provider. Authorization is granted using the [Grant permission to indicator feed endpoint](/api/operations/custom-indicator-feeds-add-permission).
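Review bot: in the first hunk, the step 5 example is the step 3 upload request reused with a permission body, so it does not exercise the endpoint the step links to. It keeps `title="Update indicator feed data"`, the `PUT .../intel/indicator-feeds//snapshot` URL and `--header 'Content-Type: multipart/form-data'`, and then adds `--data '{ "account_tag": ..., "feed_id": 10 }'`, which curl would send as a raw body to the snapshot endpoint rather than to the Grant permission endpoint; a multipart Content-Type combined with a JSON `--data` body is also contradictory. Suggest retitling the block "Grant permission to indicator feed", pointing the URL at the permissions operation linked in that step (`custom-indicator-feeds-add-permission`), and using `Content-Type: application/json`. Two smaller points: the removed old step 3 ("Any administrator of the account that owns the feed must add subscribers' `account_tag`s ...") said who is able to grant access, and the new step 5 drops that; and the step 4 sample output shows `created_on` of 2023-08-01 for feed `id: 10`, while step 2 shows the same feed created on 2024-09-17, so the two outputs read as different feeds.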