# Indicator Feeds ## Get indicator feeds owned by this account `client.intel.indicatorFeeds.list(IndicatorFeedListParamsparams, RequestOptionsoptions?): SinglePage` **get** `/accounts/{account_id}/intel/indicator-feeds` Retrieves details for all accessible custom threat indicator feeds. ### Parameters - `params: IndicatorFeedListParams` - `account_id: string` Identifier ### Returns - `IndicatorFeedListResponse` - `id?: number` The unique identifier for the indicator feed - `created_on?: string` The date and time when the data entry was created - `description?: string` The description of the example test - `is_attributable?: boolean` Whether the indicator feed can be attributed to a provider - `is_downloadable?: boolean` Whether the indicator feed can be downloaded - `is_public?: boolean` Whether the indicator feed is exposed to customers - `modified_on?: string` The date and time when the data entry was last modified - `name?: string` The name of the indicator feed ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const indicatorFeedListResponse of client.intel.indicatorFeeds.list({ account_id: '023e105f4ecef8ad9ca31a8372d0c353', })) { console.log(indicatorFeedListResponse.id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": 1, "created_on": "2023-05-12T12:21:56.777653Z", "description": "user specified description 1", "is_attributable": false, "is_downloadable": false, "is_public": false, "modified_on": "2023-06-18T03:13:34.123321Z", "name": "user_specified_name_1" }, { "id": 2, "created_on": "2023-05-21T21:43:52.867525Z", "description": "User specified description 2", "is_attributable": false, "is_downloadable": false, "is_public": false, "modified_on": "2023-06-28T18:46:18.764425Z", "name": "user_specified_name_2" } ] } ``` ## Get indicator feed metadata `client.intel.indicatorFeeds.get(numberfeedId, IndicatorFeedGetParamsparams, RequestOptionsoptions?): IndicatorFeedGetResponse` **get** `/accounts/{account_id}/intel/indicator-feeds/{feed_id}` Retrieves details for a specific custom threat indicator feed. ### Parameters - `feedId: number` Indicator feed ID - `params: IndicatorFeedGetParams` - `account_id: string` Identifier ### Returns - `IndicatorFeedGetResponse` - `id?: number` The unique identifier for the indicator feed - `created_on?: string` The date and time when the data entry was created - `description?: string` The description of the example test - `is_attributable?: boolean` Whether the indicator feed can be attributed to a provider - `is_downloadable?: boolean` Whether the indicator feed can be downloaded - `is_public?: boolean` Whether the indicator feed is exposed to customers - `last_upload_summary?: LastUploadSummary` Summary of indicator counts from the last successful upload to this feed. Populated by the custom-threat-feeds loader at the end of each successful load. Absent (omitted) when no upload has completed successfully or the upload errored before the summary write. Surfaces silent-failure paths so operators can see when their indicators were dropped (popularity allowlist, expired valid_until, etc.) without reading loader logs. - `persisted?: Persisted` Net delta applied to feed indicators by this upload. Snapshot uploads emit both *_added and *_removed; delta-add emits only \*_added; delta-remove emits only *_removed. - `domains_added?: number` - `domains_removed?: number` - `ips_added?: number` - `ips_removed?: number` - `urls_added?: number` - `urls_removed?: number` - `skipped?: Skipped` Counts of indicators that were uploaded but did not reach QuickSilver, broken down by reason. - `allowlisted_domains?: number` Domains filtered by the global popularity allowlist at QS provisioning time. Popular domains (bing.com, naver.com, etc.) are protected from custom-threat-feed enforcement. - `expired_indicators?: number` Indicators in the upload whose valid_until is already in the past. These are not added to QS; the expiration cron handles cleanup. - `invalid_indicators?: number` Reserved for future use. Currently always 0 — the unifier aborts the entire upload on a single bad indicator. - `uploaded?: Uploaded` Indicator counts from the unified file the loader received - `domains?: number` Number of domain indicators in the upload - `ips?: number` Number of IP indicators in the upload - `urls?: number` Number of URL indicators in the upload - `latest_upload_status?: "Mirroring" | "Unifying" | "Loading" | 3 more` Status of the latest snapshot uploaded - `"Mirroring"` - `"Unifying"` - `"Loading"` - `"Provisioning"` - `"Complete"` - `"Error"` - `modified_on?: string` The date and time when the data entry was last modified - `name?: string` The name of the indicator feed - `provider_id?: number` The unique identifier for the provider - `provider_name?: string` The provider of the indicator feed ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted }); const indicatorFeed = await client.intel.indicatorFeeds.get(12, { account_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(indicatorFeed.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": 1, "created_on": "2023-05-12T12:21:56.777653Z", "description": "example feed description", "is_attributable": false, "is_downloadable": false, "is_public": false, "last_upload_summary": { "persisted": { "domains_added": 2, "domains_removed": 1, "ips_added": 0, "ips_removed": 0, "urls_added": 0, "urls_removed": 0 }, "skipped": { "allowlisted_domains": 1, "expired_indicators": 0, "invalid_indicators": 0 }, "uploaded": { "domains": 3, "ips": 0, "urls": 0 } }, "latest_upload_status": "Complete", "modified_on": "2023-06-18T03:13:34.123321Z", "name": "example_feed_1", "provider_id": 1, "provider_name": "provider_name" } } ``` ## Create new indicator feed `client.intel.indicatorFeeds.create(IndicatorFeedCreateParamsparams, RequestOptionsoptions?): IndicatorFeedCreateResponse` **post** `/accounts/{account_id}/intel/indicator-feeds` Creates a new custom threat indicator feed for sharing threat intelligence data. ### Parameters - `params: IndicatorFeedCreateParams` - `account_id: string` Path param: Identifier - `description?: string` Body param: The description of the example test - `name?: string` Body param: The name of the indicator feed ### Returns - `IndicatorFeedCreateResponse` - `id?: number` The unique identifier for the indicator feed - `created_on?: string` The date and time when the data entry was created - `description?: string` The description of the example test - `is_attributable?: boolean` Whether the indicator feed can be attributed to a provider - `is_downloadable?: boolean` Whether the indicator feed can be downloaded - `is_public?: boolean` Whether the indicator feed is exposed to customers - `modified_on?: string` The date and time when the data entry was last modified - `name?: string` The name of the indicator feed ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted }); const indicatorFeed = await client.intel.indicatorFeeds.create({ account_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(indicatorFeed.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": 1, "created_on": "2023-05-12T12:21:56.777653Z", "description": "example feed description", "is_attributable": false, "is_downloadable": false, "is_public": false, "modified_on": "2023-06-18T03:13:34.123321Z", "name": "example_feed_1" } } ``` ## Update indicator feed metadata `client.intel.indicatorFeeds.update(numberfeedId, IndicatorFeedUpdateParamsparams, RequestOptionsoptions?): IndicatorFeedUpdateResponse` **put** `/accounts/{account_id}/intel/indicator-feeds/{feed_id}` Revises details for a specific custom threat indicator feed. ### Parameters - `feedId: number` Indicator feed ID - `params: IndicatorFeedUpdateParams` - `account_id: string` Path param: Identifier - `description?: string` Body param: The new description of the feed - `is_attributable?: boolean` Body param: The new is_attributable value of the feed - `is_downloadable?: boolean` Body param: The new is_downloadable value of the feed - `is_public?: boolean` Body param: The new is_public value of the feed - `name?: string` Body param: The new name of the feed ### Returns - `IndicatorFeedUpdateResponse` - `id?: number` The unique identifier for the indicator feed - `created_on?: string` The date and time when the data entry was created - `description?: string` The description of the example test - `is_attributable?: boolean` Whether the indicator feed can be attributed to a provider - `is_downloadable?: boolean` Whether the indicator feed can be downloaded - `is_public?: boolean` Whether the indicator feed is exposed to customers - `modified_on?: string` The date and time when the data entry was last modified - `name?: string` The name of the indicator feed ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted }); const indicatorFeed = await client.intel.indicatorFeeds.update(12, { account_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(indicatorFeed.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": 1, "created_on": "2023-05-12T12:21:56.777653Z", "description": "example feed description", "is_attributable": false, "is_downloadable": false, "is_public": false, "modified_on": "2023-06-18T03:13:34.123321Z", "name": "example_feed_1" } } ``` ## Get indicator feed data `client.intel.indicatorFeeds.data(numberfeedId, IndicatorFeedDataParamsparams, RequestOptionsoptions?): IndicatorFeedDataResponse` **get** `/accounts/{account_id}/intel/indicator-feeds/{feed_id}/data` Retrieves the raw data entries in a custom threat indicator feed. ### Parameters - `feedId: number` Indicator feed ID - `params: IndicatorFeedDataParams` - `account_id: string` Identifier ### Returns - `IndicatorFeedDataResponse = string` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted }); const response = await client.intel.indicatorFeeds.data(12, { account_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(response); ``` ## Domain Types ### Indicator Feed List Response - `IndicatorFeedListResponse` - `id?: number` The unique identifier for the indicator feed - `created_on?: string` The date and time when the data entry was created - `description?: string` The description of the example test - `is_attributable?: boolean` Whether the indicator feed can be attributed to a provider - `is_downloadable?: boolean` Whether the indicator feed can be downloaded - `is_public?: boolean` Whether the indicator feed is exposed to customers - `modified_on?: string` The date and time when the data entry was last modified - `name?: string` The name of the indicator feed ### Indicator Feed Get Response - `IndicatorFeedGetResponse` - `id?: number` The unique identifier for the indicator feed - `created_on?: string` The date and time when the data entry was created - `description?: string` The description of the example test - `is_attributable?: boolean` Whether the indicator feed can be attributed to a provider - `is_downloadable?: boolean` Whether the indicator feed can be downloaded - `is_public?: boolean` Whether the indicator feed is exposed to customers - `last_upload_summary?: LastUploadSummary` Summary of indicator counts from the last successful upload to this feed. Populated by the custom-threat-feeds loader at the end of each successful load. Absent (omitted) when no upload has completed successfully or the upload errored before the summary write. Surfaces silent-failure paths so operators can see when their indicators were dropped (popularity allowlist, expired valid_until, etc.) without reading loader logs. - `persisted?: Persisted` Net delta applied to feed indicators by this upload. Snapshot uploads emit both *_added and *_removed; delta-add emits only \*_added; delta-remove emits only *_removed. - `domains_added?: number` - `domains_removed?: number` - `ips_added?: number` - `ips_removed?: number` - `urls_added?: number` - `urls_removed?: number` - `skipped?: Skipped` Counts of indicators that were uploaded but did not reach QuickSilver, broken down by reason. - `allowlisted_domains?: number` Domains filtered by the global popularity allowlist at QS provisioning time. Popular domains (bing.com, naver.com, etc.) are protected from custom-threat-feed enforcement. - `expired_indicators?: number` Indicators in the upload whose valid_until is already in the past. These are not added to QS; the expiration cron handles cleanup. - `invalid_indicators?: number` Reserved for future use. Currently always 0 — the unifier aborts the entire upload on a single bad indicator. - `uploaded?: Uploaded` Indicator counts from the unified file the loader received - `domains?: number` Number of domain indicators in the upload - `ips?: number` Number of IP indicators in the upload - `urls?: number` Number of URL indicators in the upload - `latest_upload_status?: "Mirroring" | "Unifying" | "Loading" | 3 more` Status of the latest snapshot uploaded - `"Mirroring"` - `"Unifying"` - `"Loading"` - `"Provisioning"` - `"Complete"` - `"Error"` - `modified_on?: string` The date and time when the data entry was last modified - `name?: string` The name of the indicator feed - `provider_id?: number` The unique identifier for the provider - `provider_name?: string` The provider of the indicator feed ### Indicator Feed Create Response - `IndicatorFeedCreateResponse` - `id?: number` The unique identifier for the indicator feed - `created_on?: string` The date and time when the data entry was created - `description?: string` The description of the example test - `is_attributable?: boolean` Whether the indicator feed can be attributed to a provider - `is_downloadable?: boolean` Whether the indicator feed can be downloaded - `is_public?: boolean` Whether the indicator feed is exposed to customers - `modified_on?: string` The date and time when the data entry was last modified - `name?: string` The name of the indicator feed ### Indicator Feed Update Response - `IndicatorFeedUpdateResponse` - `id?: number` The unique identifier for the indicator feed - `created_on?: string` The date and time when the data entry was created - `description?: string` The description of the example test - `is_attributable?: boolean` Whether the indicator feed can be attributed to a provider - `is_downloadable?: boolean` Whether the indicator feed can be downloaded - `is_public?: boolean` Whether the indicator feed is exposed to customers - `modified_on?: string` The date and time when the data entry was last modified - `name?: string` The name of the indicator feed ### Indicator Feed Data Response - `IndicatorFeedDataResponse = string` # Snapshots ## Update indicator feed data `client.intel.indicatorFeeds.snapshots.update(numberfeedId, SnapshotUpdateParamsparams, RequestOptionsoptions?): SnapshotUpdateResponse` **put** `/accounts/{account_id}/intel/indicator-feeds/{feed_id}/snapshot` Revises the raw data entries in a custom threat indicator feed. ### Parameters - `feedId: number` Indicator feed ID - `params: SnapshotUpdateParams` - `account_id: string` Path param: Identifier - `source?: string` Body param: The file to upload ### Returns - `SnapshotUpdateResponse` - `file_id?: number` Feed id - `filename?: string` Name of the file unified in our system - `status?: string` Current status of upload, should be unified ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted }); const snapshot = await client.intel.indicatorFeeds.snapshots.update(12, { account_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(snapshot.file_id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "file_id": 1, "filename": "snapshot_file.unified", "status": "unified" } } ``` ## Domain Types ### Snapshot Update Response - `SnapshotUpdateResponse` - `file_id?: number` Feed id - `filename?: string` Name of the file unified in our system - `status?: string` Current status of upload, should be unified # Permissions ## List indicator feed permissions `client.intel.indicatorFeeds.permissions.list(PermissionListParamsparams, RequestOptionsoptions?): PermissionListResponse` **get** `/accounts/{account_id}/intel/indicator-feeds/permissions/view` Lists current access permissions for custom threat indicator feeds. ### Parameters - `params: PermissionListParams` - `account_id: string` Identifier ### Returns - `PermissionListResponse = Array` - `id?: number` The unique identifier for the indicator feed - `description?: string` The description of the example test - `is_attributable?: boolean` Whether the indicator feed can be attributed to a provider - `is_downloadable?: boolean` Whether the indicator feed can be downloaded - `is_public?: boolean` Whether the indicator feed is exposed to customers - `name?: string` The name of the indicator feed ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted }); const permissions = await client.intel.indicatorFeeds.permissions.list({ account_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(permissions); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": 1, "description": "An important indicator list", "is_attributable": false, "is_downloadable": false, "is_public": false, "name": "indicator_list_1" }, { "id": 2, "description": "An even more important indicator list", "is_attributable": true, "is_downloadable": false, "is_public": true, "name": "indicator_list_2" } ] } ``` ## Grant permission to indicator feed `client.intel.indicatorFeeds.permissions.create(PermissionCreateParamsparams, RequestOptionsoptions?): PermissionCreateResponse` **put** `/accounts/{account_id}/intel/indicator-feeds/permissions/add` Grants access permissions for a custom threat indicator feed to other accounts. ### Parameters - `params: PermissionCreateParams` - `account_id: string` Path param: Identifier - `account_tag?: string` Body param: The Cloudflare account tag of the account to change permissions on - `feed_id?: number` Body param: The ID of the feed to add/remove permissions on ### Returns - `PermissionCreateResponse` - `success?: boolean` Whether the update succeeded or not ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted }); const permission = await client.intel.indicatorFeeds.permissions.create({ account_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(permission.success); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "success": true } } ``` ## Revoke permission to indicator feed `client.intel.indicatorFeeds.permissions.delete(PermissionDeleteParamsparams, RequestOptionsoptions?): PermissionDeleteResponse` **put** `/accounts/{account_id}/intel/indicator-feeds/permissions/remove` Revokes access permissions for a custom threat indicator feed. ### Parameters - `params: PermissionDeleteParams` - `account_id: string` Path param: Identifier - `account_tag?: string` Body param: The Cloudflare account tag of the account to change permissions on - `feed_id?: number` Body param: The ID of the feed to add/remove permissions on ### Returns - `PermissionDeleteResponse` - `success?: boolean` Whether the update succeeded or not ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted }); const permission = await client.intel.indicatorFeeds.permissions.delete({ account_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(permission.success); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "success": true } } ``` ## Domain Types ### Permission List Response - `PermissionListResponse = Array` - `id?: number` The unique identifier for the indicator feed - `description?: string` The description of the example test - `is_attributable?: boolean` Whether the indicator feed can be attributed to a provider - `is_downloadable?: boolean` Whether the indicator feed can be downloaded - `is_public?: boolean` Whether the indicator feed is exposed to customers - `name?: string` The name of the indicator feed ### Permission Create Response - `PermissionCreateResponse` - `success?: boolean` Whether the update succeeded or not ### Permission Delete Response - `PermissionDeleteResponse` - `success?: boolean` Whether the update succeeded or not # Downloads