--- title: Cloudflare Security Center description: Review security insights, investigate threats, and protect your brand from impersonation. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/security-center/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Cloudflare Security Center Cloudflare Security Center brings together your Cloudflare security products, threat intelligence from Cloudflare's global network, and configuration analysis into a unified security intelligence solution. Security Center enables you to strengthen your security posture by: * **Mapping your attack surface** — identifying the Internet-facing assets (domains, DNS records, and IP addresses) associated with your Cloudflare account * **Providing asset inventory and discovery** — listing the infrastructure Cloudflare detects across your account so you can review what is exposed * **Identifying potential security risks, misconfigurations, and vulnerabilities** — running automated scans that compare your current Cloudflare configuration against ideal settings * **Helping you mitigate these risks** — connecting each finding to the relevant Cloudflare product setting so you can resolve issues from the dashboard ## Main features * **[Security Insights](https://developers.cloudflare.com/security/security-insights/)**: Review and manage potential security risks and vulnerabilities associated with your IT infrastructure. Security Insights scans your Cloudflare account settings — including DNS records, SSL/TLS certificates, WAF configurations, and Access configurations — and reports findings with severity levels. * **[Infrastructure](https://developers.cloudflare.com/security-center/infrastructure/)**: Review and manage your IT infrastructure. The Infrastructure tab displays the domains, IP addresses, and other assets associated with your Cloudflare account. * **[Investigate](https://developers.cloudflare.com/security-center/investigate/)**: Investigate threats using data from Cloudflare's global network. Look up any IP address, domain, or hostname to view its category, country of origin, and passive DNS records. * **[Security Reports](https://developers.cloudflare.com/analytics/account-and-zone-analytics/app-security-reports/)** (beta): Gain visibility into requests blocked or challenged by Cloudflare application security products, including [HTTP DDoS Protection](https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/), [WAF](https://developers.cloudflare.com/waf/), and [Bot Management](https://developers.cloudflare.com/bots/). * **[Brand Protection](https://developers.cloudflare.com/security-center/brand-protection/)** (beta): Search for newly registered domains that may be attempting to impersonate your brand. Brand Protection monitors for typosquatting, homoglyph attacks, and service concatenation. [ Get started ](https://developers.cloudflare.com/security-center/get-started/) --- ## Availability Cloudflare Security Center is available to customers on all plans. The frequency of automatic security scans depends on your Cloudflare plan, ranging from every 7 days on Free, Pro, and Business plans to every 3 days on Enterprise plans. Refer to [Scan frequency](https://developers.cloudflare.com/security/security-insights/how-it-works/#scan-frequency) for more information. If you have any comments, questions, or bugs to report, create a post in the [Cloudflare Community forum ↗](https://community.cloudflare.com/c/security/security-center/65). ## Limitations * Users with an [Administrator Read Only](https://developers.cloudflare.com/fundamentals/manage-members/roles/#account-scoped-roles) role cannot access the Cloudflare Security Center. * Only Cloudflare accounts with at least one Business or Enterprise zone (domain on your account), or accounts on the Teams Standard or Teams Enterprise plans, can manually start a new scan. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/security-center/","name":"Security Center"}}]} ``` --- --- title: Get started description: Enable Security Insights to scan your account for misconfigurations and vulnerabilities. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/security-center/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Get started Security Center scans your Cloudflare account configuration and identifies potential security risks, misconfigurations, and vulnerabilities across your domains. This guide covers the initial setup. ## Prerequisites * A Cloudflare account. * At least one [zone](https://developers.cloudflare.com/fundamentals/concepts/accounts-and-zones/#zones) (domain or subdomain) added to your Cloudflare account. ## Enable Security Insights and start initial scan Security Insights scans are enabled by default. The scan reviews your Cloudflare account settings and product configurations across all your domains, then reports any issues it finds as [insights](https://developers.cloudflare.com/security/security-insights/) — potential security risks, misconfigurations, or vulnerabilities. Security Insights start scans by default. Security Insights will scan your Cloudflare environment and provide you with a list of detected [insights](https://developers.cloudflare.com/security/security-insights/). Refer to [How it works](https://developers.cloudflare.com/security/security-insights/how-it-works/) to learn more about how Security Insights perform a scan. The initial scan time depends on the number of IT assets in all the domains of your Cloudflare account. When the scan is complete, the status of the page will change from **Scan in Progress** to **Last scan performed on: ``**. You can decide to stop a scan, and restart a scan later. To disable scans: 1. In the Cloudflare dashboard, go to the **Security Insights** page. [ Go to **Security insights** ](https://dash.cloudflare.com/?to=/:account/security-center) 2. Go to **Disable Security Center scans**, select **Disable scans**. To restart a scan: 1. In the Cloudflare dashboard, go to the **Security Insights** page. [ Go to **Security insights** ](https://dash.cloudflare.com/?to=/:account/security-center) 2. Select **Scan now**. ### Start a new scan To manually start a scan: 1. In the Cloudflare dashboard, go to the **Infrastructure** page. [ Go to **Infrastructure** ](https://dash.cloudflare.com/?to=/:account/security-center/inventory) 2. Select **Scan now**. Note Only accounts with at least one Business or Enterprise zone, or accounts on the Teams Standard or Teams Enterprise plan, can start manual scans. All plans receive automatic scans. ### Scan frequency After you enable Security Insights, Cloudflare performs scans automatically on a recurring schedule based on your plan: | Plan | Scan frequency | On-demand scans | | ---------------------- | -------------- | --------------- | | Free, Pro, or Business | Every 7 days | Yes | | Enterprise | Every 3 days | Yes | For more details, refer to [How it works](https://developers.cloudflare.com/security/security-insights/how-it-works/#scan-frequency). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/security-center/","name":"Security Center"}},{"@type":"ListItem","position":3,"item":{"@id":"/security-center/get-started/","name":"Get started"}}]} ``` --- --- title: Threat Intelligence APIs description: Query Cloudflare threat intelligence data for IPs, domains, ASNs, and more. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/security-center/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ REST API ](https://developers.cloudflare.com/search/?tags=REST%20API) # Threat Intelligence APIs Cloudflare provides a series of endpoints covering various areas of internet security and insights. Based on your Cloudflare plan type, the [limit](https://developers.cloudflare.com/security-center/intel-apis/limits/) of API calls will vary per month. | Intelligence Endpoint | Definition | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [ASN Intelligence](https://developers.cloudflare.com/api/resources/intel/subresources/asn/methods/get/) | Provides an overview of the Autonomous System Number (ASN) and a list of subnets for it. | | [Custom Indicator Feed Download](https://developers.cloudflare.com/api/resources/intel/subresources/indicator%5Ffeeds/subresources/downloads/) | Provides the ability to download any custom indicator feeds that users create. | | [Domain Intelligence](https://developers.cloudflare.com/api/resources/intel/subresources/domains/methods/get/) | Provides security details and statistics about a domain. | | [Domain History](https://developers.cloudflare.com/api/resources/intel/subresources/domain%5Fhistory/methods/get/) | Provides historical security threat and content categories that are currently and previously assigned to a domain. | | [IP Intelligence](https://developers.cloudflare.com/api/resources/intel/subresources/ips/methods/get/) | Provides the geolocation, ASN, infrastructure type of the ASN, and any security threat categories of an IP address. | | [Passive DNS by IP](https://developers.cloudflare.com/api/resources/intel/subresources/dns/methods/list/) | Provides a list of all the domains, including first seen and last seen dates, that have resolved to a specific IP address. | | [Phishing Intelligence](https://developers.cloudflare.com/api/resources/brand%5Fprotection/methods/url%5Finfo/) | Provides phishing details about a URL. | | [Miscategorization Intelligence](https://developers.cloudflare.com/api/resources/intel/subresources/miscategorizations/methods/create/) | Enables users to submit requests for modifying a domain's category, subsequently undergoing review by the Cloudflare Intelligence team. | | [Priority Intelligence Requirements](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/requests/subresources/priority/methods/create/) | Provides a structured approach to identifying intelligence gaps, formulating precise requirements, and organizing them into categories. | | [Request for Information](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/requests/methods/create/) | Creates a targeted inquiry for specific intelligence insights to help organizations understand and respond to imminent security threats and vulnerabilities. | | [Threat Events](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/scans/subresources/results/methods/get/) | Allows customers to look into the Cloudflare telemetry and threat actor activity on the Cloudflare network. | | [WHOIS](https://developers.cloudflare.com/api/resources/intel/subresources/whois/methods/get/) | Provides the WHOIS registration information for a specific domain. | | [DDoS Botnet Threat Feed](https://developers.cloudflare.com/ddos-protection/botnet-threat-feed/)(early access) | Provides information to service providers about their own IP addresses that have participated in HTTP DDoS attacks as observed from Cloudflare's global network. | | [Cloudforce One](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/requests/subresources/assets/methods/create/) | Enable users to list, delete, get, or update a request asset. | | [Brand Protection API](https://developers.cloudflare.com/api/resources/brand%5Fprotection/) | Provides the ability to create and delete queries, download matches for logo and string queries, read matches for logo and string queries. | ## API Examples Below you can find examples of Threat Intelligence API calls. Make sure you are using an [API Token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with the appropriate edit permissions. For comprehensive details, navigate to the respective API documentation using the links above. ### ASN Intelligence Get ASN Overview Terminal window ``` curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/intel/asn/13335" \ --header "Authorization: Bearer " | jq . # Example response: { "result": { "asn": 13335, "description": "CLOUDFLARENET", "country": "US", "type": "isp" }, "success": true, "errors": [], "messages": [] } ``` ### Custom Indicator Feed Download Download Custom Indicator Feed Terminal window ``` curl "https://api.cloudflare.com/client/v4/accounts/10d79d097895ae7ed7942a2b3832186c/intel/indicator-feeds/31/download" \ --header "Authorization: Bearer " | jq . # Example response: { "result": [ { "type": "bundle", "id": "bundle--f4a735b7-b330-465d-8e6e-87b3c6a01287", "objects": [ { "type": "indicator", "spec_version": "2.1", "id": "indicator--3d0ad6e0-3d49-4575-a0cb-d0e5c8b81f08", "created": "2024-07-18T00:00:00Z", "modified": "2024-07-18T00:00:00Z", "name": "Malicious domain ahilesopolker.com", "description": "This domain is associated with malicious activity.", "pattern": "[domain-name:value = 'ahilesopolker.com']", "pattern_type": "stix", "valid_from": "2024-07-18T00:00:00Z" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--b252f8d7-5b63-4b59-9d58-8f313db76c35", "value": "ahilesopolker.com", "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], "created": "2024-07-18T00:00:00Z", "modified": "2024-07-18T00:00:00Z" } ], }, "success": true, "errors": [], "messages": [] } ``` ### Domain Intelligence Get Domain Details Terminal window ``` curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/intel/domain?domain=cloudflare.com" \ --header "Authorization: Bearer " | jq . # Example response: { "result": { "domain": "cloudflare.com", "resolves_to_refs": [ { "id": "ipv4-addr--71f6bb54-e0c5-5e7d-b939-5698fc15a102", "value": "104.16.133.229" }, { "id": "ipv4-addr--015b0df4-7fcd-5409-9b56-cfd300c662f6", "value": "104.16.132.229" }, { "id": "ipv6-addr--4a7455cd-e8d0-5bfb-8bdb-f6ebb1759508", "value": "2606:4700::6810:85e5" }, { "id": "ipv6-addr--68f89579-7204-5ebd-a851-e91b3a86fc6d", "value": "2606:4700::6810:84e5" } ], "application": {}, "content_categories": [ { "id": 155, "super_category_id": 26, "name": "Technology" }, { "id": 26, "name": "Technology" } ], "additional_information": {}, "type": "Apex domain", "notes": "Apex domain given." }, "success": true, "errors": [], "messages": [] } ``` ### Domain History Get Domain History Terminal window ``` curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/intel/domain-history?domain=cloudflare.com" \ --header "Authorization: Bearer " | jq . { "result": [ { "domain": "cloudflare.com", "categorizations": [ { "categories": [ { "id": 155, "name": "Technology" } ], "start": "2020-12-16T19:49:30.533482Z", "end": "2023-05-31T08:12:53.547029Z" }, { "categories": [ { "id": 115, "name": "Login Screens" }, { "id": 155, "name": "Technology" } ], "start": "2023-05-31T08:12:53.547029Z" } ] } ], "success": true, "errors": [], "messages": [] } ``` ### IP Intelligence Get IP Overview Terminal window ``` curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/intel/ip?ipv4=1.1.1.1" \ --header "Authorization: Bearer " | jq . # Example response: { "result": [ { "ip": "1.1.1.1", "belongs_to_ref": { "id": "autonomous-system--2fa28d71-3549-5a38-af05-770b79ad6ea8", "value": 13335, "type": "isp", "country": "US", "description": "CLOUDFLARENET" }, "ip_lists": null, "ptr_lookup": { "ptr_domains": [ "one.one.one.one." ], "ptr_lookup_errors": "" }, "iana_reservations": [] } ], "success": true, "errors": [], "messages": [] } ``` ### Passive DNS by IP Get Passive DNS by IP Terminal window ``` curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/intel/dns?ipv4=1.1.1.1&start=2023-07-15&end=2023-07-18&per_page=5" \ --header "Authorization: Bearer " | jq . # Example response: { "result": { "reverse_records": [ { "first_seen": "2023-07-15T00:00:00Z", "last_seen": "2023-07-18T00:00:00Z", "hostname": "internet-ping.svc.starlink.com" }, { "first_seen": "2023-07-15T00:00:00Z", "last_seen": "2023-07-18T00:00:00Z", "hostname": "one.one.one.one" }, { "first_seen": "2023-07-15T00:00:00Z", "last_seen": "2023-07-18T00:00:00Z", "hostname": "ping.ui.com" }, { "first_seen": "2023-07-15T00:00:00Z", "last_seen": "2023-07-18T00:00:00Z", "hostname": "ping.ubnt.com" }, { "first_seen": "2023-07-15T00:00:00Z", "last_seen": "2023-07-18T00:00:00Z", "hostname": "bflow.tiki.video" } ], "count": 778, "page": 1, "per_page": 5 }, "success": true, "errors": [], "messages": [] } ``` ### Phishing Intelligence Get results for a URL scan Terminal window ``` curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/brand-protection/url-info?url=http://worcester-realistic-ellen-portland.trycloudflare.com/login.html" \ --header "Authorization: Bearer " | jq . # Example response: { "errors": [], "messages": [], "result": [ { "categorizations": [], "model_results": [ { "model_name": "MACHINE_LEARNING_v2", "model_score": 0.999 } ], "rule_matches": [ { "description": "Match frequently used phishing kit (Discord, Facebook, Instagram, Twitter)", "name": "phishkit.social" } ], "scan_status": { "last_processed": "Wed, 19 Jul 2023 14:15:28 GMT", "scan_complete": true, "status_code": 200, "submission_id": 23098147 }, "url": "http://worcester-realistic-ellen-portland.trycloudflare.com/login.html" } ], "success": true } ``` ### Miscategorization Intelligence Create Miscategorization Terminal window ``` curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/intel/miscategorization" \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "content_adds": [ 82 ], "content_removes": [ 82 ], "indicator_type": "url", "ip": null, "security_adds": [ 117, 131 ], "security_removes": [ 117 ], "url": "https://wrong-category.example.com" }' # Example response: { "result": "", "success": true, "errors": [], "messages": [] } ``` ### WHOIS Get WHOIS Record Terminal window ``` curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/intel/whois?domain=cloudflare.com" \ --header "Authorization: Bearer " | jq . # Example response: { "result": { "domain": "cloudflare.com", "created_date": "2009-02-17", "updated_date": "2017-05-24", "registrant": "DATA REDACTED", "registrant_org": "DATA REDACTED", "registrant_country": "United States", "registrant_email": "https://domaincontact.cloudflareregistrar.com/cloudflare.com", "registrar": "CloudFlare, Inc.", "nameservers": [ "ns3.cloudflare.com", "ns4.cloudflare.com", "ns5.cloudflare.com", "ns6.cloudflare.com", "ns7.cloudflare.com" ] }, "success": true, "errors": [], "messages": [] } ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/security-center/","name":"Security Center"}},{"@type":"ListItem","position":3,"item":{"@id":"/security-center/intel-apis/","name":"Threat Intelligence APIs"}}]} ``` --- --- title: Limits description: Limits image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/security-center/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Limits ## API request limits All API calls made to Threat Intelligence endpoints will contribute to the monthly quota. Additionally, utilizing features within the Security Center such as Investigate and Brand Protection, or other products, such as client-side security, which also leverage the Security Intelligence APIs, will also contribute to the consumption of the quota. These request limits currently do not apply to the DDoS Botnet Threat Feed API. | Cloudflare Plan | Calls per month | | ---------------------- | --------------- | | Free | 100 | | Pro | 100 | | Business | 100 | | Enterprise | 2,500 | | Cloudforce One Core | 10,000 | | Cloudforce One Premier | 50,000 | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/security-center/","name":"Security Center"}},{"@type":"ListItem","position":3,"item":{"@id":"/security-center/intel-apis/","name":"Threat Intelligence APIs"}},{"@type":"ListItem","position":4,"item":{"@id":"/security-center/intel-apis/limits/","name":"Limits"}}]} ``` --- --- title: Manage miscategorization reports description: Submit domain miscategorization reports using the Cloudflare API. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/security-center/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Manage miscategorization reports This guide will show you how to manage miscategorization of reports. To complete this guide, you will need to generate an [API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/). 1. Create an [API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) if you do not have one already. 2. Choose **Custom Token**. 3. Name the token, and grant permissions. 4. Send a `POST` request to the miscategorization [API endpoint ↗](https://developers.cloudflare.com/api/resources/intel/subresources/miscategorizations/methods/create/). You can find an example below: Example of a POST request to miscategorization API ``` export URL="https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/intel/miscategorization" curl -X POST "$URL" \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type:application/json" \ --data '{ "content_adds": [ ], "content_removes": [ ], "indicator_type": "domain", "ip": null, "security_adds": [ 115 ], "security_removes": [ ], "url": "cloudflare.com" }' ``` You should receive a response with the value `"success": true`: ``` { "result": "", "success": true, "errors": [], "messages": [] } ``` Once you send the request, the Cloudflare Support team will receive it and will be able to take action. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/security-center/","name":"Security Center"}},{"@type":"ListItem","position":3,"item":{"@id":"/security-center/intel-apis/","name":"Threat Intelligence APIs"}},{"@type":"ListItem","position":4,"item":{"@id":"/security-center/intel-apis/manage-miscategorization-reports/","name":"Manage miscategorization reports"}}]} ``` --- --- title: Cloudforce One description: Access Cloudflare threat intelligence, reports, and automated security rules. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/security-center/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ AI ](https://developers.cloudflare.com/search/?tags=AI)[ AI Agents ](https://developers.cloudflare.com/search/?tags=AI%20Agents) # Cloudforce One Note You must have a Cloudforce One subscription to access Cloudforce One on the dashboard. Cloudforce One is Cloudflare's Threat Intelligence Platform (TIP). It collects and correlates threat data from Cloudflare telemetry, then surfaces that data as visualizations, automated rules, and analyst-reviewed intelligence. Security Operations Center ([SOC ↗](https://www.cloudflare.com/en-gb/learning/security/glossary/what-is-a-security-operations-center-soc/)) teams use Cloudforce One to investigate threats, track adversaries, and take action — such as pushing firewall rules or exporting indicators. ## Access Cloudforce One Note You must have a **Cloudforce One subscription** to access the platform. To access Cloudforce One: 1. In the Cloudflare dashboard, go to the **Threat intelligence** page. [ Go to **Threat intelligence** ](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence) You can also use Cloudforce One via the [REST API](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/requests/subresources/assets/). The Threat Intelligence page contains four sections: * **Threat Events** — View and analyze threat intelligence data collected across the Cloudflare network. * **Priority Intelligence Requirements (PIRs)** — Define the intelligence topics your organization needs to track. PIRs help you identify gaps in your threat coverage. * **Requests for Information (RFIs)** — Submit specific queries to the Cloudforce One analysis team. * **Reports** — Read the latest threat reports published by Cloudforce One. ## Analyze threat events Threat events represent Cloudflare telemetry and threat actor activity observed on the Cloudflare network. Use threat events to investigate threats targeting your organization or your industry. To access threat events, go to the **Threat intelligence** page in the Cloudflare dashboard. [ Go to **Threat intelligence** ](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence) You can also access threat events via the [API](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/threat%5Fevents/). Cloudforce One customers have access to the following datasets: * Advanced Persistent Threats (APTs) — the default dataset * [DDoS ↗](https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/) attacks * Cybercrime * Compromised devices * Residential proxies * [WAF](https://developers.cloudflare.com/waf/) attacks ### Identify the adversary The Cloudflare dashboard provides visualizations that include: * **Sankey diagrams** — Flow diagrams that visualize the distribution of attacks across origins and targets. Use these to trace attack flows from origin infrastructure to targets. * **Industry distribution** — Identify whether campaigns are targeting your specific sector (for example, finance or retail). ### Search for indicators Search across global datasets for specific indicators, including: * IP addresses and domains * File hashes * [JA3 fingerprints](https://developers.cloudflare.com/bots/additional-configurations/ja3-ja4-fingerprint/) — TLS client fingerprints used to profile specific SSL/TLS clients across different destinations * Threat insights — Link events to specific campaigns or threat actor names (for example, APT28). ### Receive alerts * **Saved views** — Save custom filters for recurring threat event investigations. * **Automated rules** — Generate security rules from threat data and push them to your Cloudflare [WAF](https://developers.cloudflare.com/waf/) or firewall. * **[STIX2 ↗](https://www.cloudflare.com/en-gb/learning/security/what-is-stix-and-taxii/) exports** — Export threat intelligence in STIX2 format for integration with third-party [SIEM ↗](https://www.cloudflare.com/en-gb/learning/security/what-is-siem/) (Security Information and Event Management) or SOAR (Security Orchestration, Automation, and Response) platforms. ## Use Cloudy to analyze threat events You can use Cloudy, Cloudflare's AI Agent, to receive an analysis and summary of threat events. To analyze threat events using Cloudy: 1. In the Cloudflare dashboard, go to the **Threat intelligence** page. [ Go to **Threat intelligence** ](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence) 2. Go to **Threat Events** \> **Analyze with Cloudy**. Cloudy will show you the top threat events, analyze them, and give you a summary of threat events. You can also decide to receive an analysis based on **Attacker**, **Indicator**, and more. For example, you can enter "Give me a summary of threat events for ABC Attacker". Cloudy will then summarize threat events for ABC attacker. ## Submit RFIs To submit RFIs (Request for Information): 1. In the Cloudflare dashboard, go to the **Threat Intelligence** page. [ Go to **Threat intelligence** ](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence) 2. Select **Requests for Information**. 3. Select **New Request**. 4. Fill in the required fields, then select **Save**. List of RFI types The following request types are available when you submit a Request for Information: * **Binary Analysis - IOCs**: Conduct high-level malware analysis to produce [indicators of compromise (IOCs) ↗](https://www.cloudflare.com/en-gb/learning/security/what-are-indicators-of-compromise/) such as a callback domain (a domain the malware communicates with) or IP address. * **Binary Analysis - Report**: A detailed analysis of a malware sample. The report includes an attribution assessment (identifying the likely threat actor) and extracts the configuration of the sample for further analysis. Use this type when you are investigating an incident or developing detection logic in an Endpoint Detection and Response ([EDR ↗](https://en.wikipedia.org/wiki/Endpoint%5Fdetection%5Fand%5Fresponse)) tool or network sensor. * **DDoS Attack**: Confirm whether a [DDoS attack ↗](https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/) is occurring against a specific website. The response includes any available indicators and potential attribution. * **Indicator Analysis - IOCs**: Conduct DNS lookups, origin pivots, and account pivots to provide indicators such as DNS resolutions, origin IPs, and subdomains. Analysis can include account registration patterns and victimology (identifying who was targeted). * **Indicator Analysis - Report**: A detailed analysis of indicators written in a formal, structured format. In addition to listing [IOCs ↗](https://www.cloudflare.com/en-gb/learning/security/what-are-indicators-of-compromise/), the report explains how IOCs function within the attack chain and links them to specific campaigns, threat actors, and their TTPs (Tactics, Techniques, and Procedures). * **Passive DNS Resolution**: Search the historical pairing of an IP address to the domain it resolved to during a specified time period. * **Strategic Threat Research**: Analysis of broader, long-term trends across threat actors and industries. This type is supplemented by open-source intelligence and is intended to inform management and planning rather than to produce immediately actionable indicators. * **Threat Detection Signature - IOCs**: Develop a detection rule — such as a [YARA ↗](https://virustotal.github.io/yara/) rule — that identifies a sample, behavior, or network observable (for example, an IP address, domain, file hash, or HTTP request attribute). * **Threat Detection Signature - Report**: A detailed analysis that investigates a threat detection alert. Use this type when you need to prioritize your response effort or attribute activity to a threat actor. * **Traffic Analysis - IOCs**: Review HTTP telemetry for the IOCs in question. The response provides relevant, sanitized traffic that can include the victim country and, in some cases, victim Autonomous System Numbers (ASNs). This also identifies malicious files, payloads, and unusual file paths or request patterns. * **Traffic Analysis - Report**: Analysis of HTTP telemetry to identify patterns, anomalies, and indicators of malicious behavior. The report provides context for observed network behaviors and maps them to known TTPs of specific threat groups. * **Vulnerability**: Investigation to attribute vulnerability exploitation to a threat actor, or to identify IPs, domains, or threat actor groups exploiting a specific vulnerability. The response can include relevant, sanitized traffic demonstrating exploitation and identification of victim countries and industries. Once you select **Save**, the dashboard will display an overview of the shared information consisting of: * **Status**: When you submit the RFI, the status is `Open`. Once the team accepts the RFI, the status changes to `Accept`. When the team commits to answer your RFI, the status changes to `Complete`. * **Priority**: Priority of request. * **Request type**: Choose among a selection of request types, such as DDos Attack, Passive DNS Resolution, and more. * **Request content**: The content of the request. The **Responses** section allows you to add clarifying questions and comments. To view your RFI, select **Cloudforce One Requests** on the sidebar, locate your RFI, then select **View**. From here, you can also choose to edit your existing RFI by selecting **Edit**. To delete your RFI, the status must be `Open`. Go to the RFI you want to delete, and select **Delete**. On the pop-up, select **Delete** to confirm deletion. Once Cloudflare accepts and begins processing RFIs, you will not be able to delete RFIs. ### Upload and download attachment You can also choose to upload and download an attachment. Under **Attachments**, select the file you want to upload, then select **Save**. To download an attachment, select **Download** on the attachment. ## Improve your security posture or recover from a past incident Use Cloudforce One to improve your security posture or recover from a past incident. 1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com), go to **Application security** \> **Incident Response**. 2. **Choose service**: Select one of the services. 3. **Provide request details**: * Fill in the required information for the service you selected. Select **Next**. * Review your request, then select **Submit**. * After you submit your request, the Cloudforce One team will respond. ## Request help for active attack If you want to stop an active cyber attack, you can request assistance via the Cloudflare dashboard. 1. In the Cloudflare dashboard, go to the **Account home** page and select your account. [ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home) 1. On the top bar, select **Support** \> **Get help** \> **Under attack**. 2. Under **Request help to stop active cyberattacks**, select **Request help**. 3. The dashboard will show you a pop-up where you will need to enter and confirm your phone number. 4. Once you have entered your phone number, select **Confirm number and request help**. Requesting help from the dashboard will page an incident responder and you can expect a call-back as soon as possible. We advise you to wait for the call-back, and only use the phone-line in case you have not heard back from the team within 10 minutes. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/security-center/","name":"Security Center"}},{"@type":"ListItem","position":3,"item":{"@id":"/security-center/cloudforce-one/","name":"Cloudforce One"}}]} ``` --- --- title: Open Port Scanning description: Scan your IP ranges for open ports and receive daily notifications about changes. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/security-center/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Open Port Scanning Open Port Scanning allows [Magic Transit](https://developers.cloudflare.com/magic-transit/) and [Bring your Own IPs](https://developers.cloudflare.com/byoip/) users to efficiently monitor IP ranges for security vulnerabilities. This API enables users to scan their designated IP ranges, detect any open ports, and receive daily notifications regarding newly opened ports. You can access this feature via the [API](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/scans/subresources/config/). ## Prerequisites * Cloudforce One Administrator, Administrator and Super Administrator roles. * Account token: **Custom API Token** \> **Cloudforce One:Edit**. To create a custom API token: 1. From the [Cloudflare dashboard ↗](https://dash.cloudflare.com/profile/api-tokens/), go to **My Profile** \> **API Tokens** for user tokens. Go to **Create Custom Token** \> **Get started**. 2. Enter a **Token name**, for example, `Open Port Scanning`. 3. In **Permissions**: * Choose **Account**. * Select **Cloudforce One** as the account. * Choose **Edit** access. 4. In Client IP Address Filtering: * In **Operator**, select `is in`. * In **Value**, enter a valid IP address. 5. Select **Continue to summary**. 6. Review the token, then select **Create Token**. Note The Open Port Scanner will run from a predetermined set of IPs. The Cloudforce One team recommends you to allowlist these IPs in your rules. ## Configure Open Port Scanning To configure Open Port Scanning, follow these steps: 1. **Create a new scan config**: * **IPs**: Enter the IP ranges you wish to monitor. Ensure that the ranges are correctly formatted to avoid scanning errors. The API will validate if the IPs requested are onboarded to Cloudflare and associated to the account belonging to the API token used. * **Frequency**: Enter the scan frequency in days. * **Ports**: Select the ports to scan. Choose among: * All * Default (refer to [Default ports](https://developers.cloudflare.com/security-center/cloudforce-one/open-port-scanning/#default-ports) for a comprehensive list) * List of specific ports 2. **Scan IPs**: Initiate the scanning process. The system will analyze the specified IP ranges to identify any open ports. 3. **Generate list of open ports**: Once the scan is complete, the API will generate a list of detected open ports for review and action. 4. **Select open ports to list**: Choose which open ports you would like to be notified about. You can exclude any ports that do not require immediate attention. 5. **View differences from previous scan**: The API will highlight any changes in open ports since the last scan, allowing you to quickly assess new vulnerabilities. 6. **Stop scanning**: If necessary, you can stop the scanning process at any time. 7. **Set up alerts**: Configure alerts for specific ports of interest. You will be notified immediately via email or webhook if any of these designated ports become newly open. Beta feature notice Open Port Scanning feature is currently in closed beta. The Cloudforce One team appreciates your feedback as the team works to enhance its functionality and user experience. If you want to subscribe to this feature or participate in the beta program, [join our closed beta for Port Scanning ↗](https://www.cloudflare.com/lp/open-port-scanning-beta/). ## Default ports List of default ports * `80` * `631` * `161` * `137` * `123` * `138` * `1434` * `445` * `135` * `67` * `23` * `53` * `443` * `21` * `139` * `22` * `500` * `68` * `520` * `1900` * `25` * `4500` * `514` * `49152` * `162` * `69` * `5353` * `111` * `49154` * `3389` * `110` * `1701` * `998` * `996` * `997` * `999` * `3283` * `49153` * `445` * `1812` * `136` * `139` * `143` * `53` * `2222` * `135` * `3306` * `2049` * `32768` * `5060` * `8080` * `1025` * `1433` * `3456` * `80` * `1723` * `111` * `995` * `993` * `20031` * `1026` * `7` * `5900` * `1646` * `1645` * `593` * `1025` * `518` * `2048` * `626` * `1027` * `587` * `177` * `1719` * `427` * `497` * `8888` * `4444` * `1023` * `65024` * `199` * `19` * `9` * `49193` * `1029` * `1720` * `49` * `465` * `88` * `1028` * `17185` * `1718` * `49186` * `548` * `113` * `81` * `6001` * `2000` * `10000` * `31337` ## Frequently Asked Questions 1. What IPs will the scan come from? * `2a09:bac0:1008:5000:1000:0000:0000:0050/104.30.128.13` * `2a09:bac0:1008:5000:1000:0000:0000:0048/104.30.129.33` * `2001:19f0:1000:2941:5400:4ff:fe70:2a7a/140.82.60.241` 2. Can the Port Scanner bypass other security rules configured? * The Cloudforce One team asks customers to ensure they allow the IPs for the scanner to run correctly. 3. How long do scans take? * Depending on the number of IP addresses and number of ports scanned, scans can take between a few minutes and up to 10 hours. 4. Can I stop automatic scanning? * Yes, you can decide at any point to stop scan and restart scans when it is convenient for you. 5. What are the limitations for the scans? * Scans are limited to ranges of up to 5,000 IPs. * The API scans both IPv4 and IPv6 IP addresses. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/security-center/","name":"Security Center"}},{"@type":"ListItem","position":3,"item":{"@id":"/security-center/cloudforce-one/","name":"Cloudforce One"}},{"@type":"ListItem","position":4,"item":{"@id":"/security-center/cloudforce-one/open-port-scanning/","name":"Open Port Scanning"}}]} ``` --- --- title: Infrastructure description: View IT assets, domains, and IP addresses associated with your Cloudflare account. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/security-center/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Infrastructure User permission Only Super Admin users with edit permissions can start scans, turn scans off, or manage issues. The **Infrastructure** tab provides an overview of the IT assets associated with your Cloudflare account, including domains, IP addresses, and related configurations. Infrastructure data is populated by [Security Insights](https://developers.cloudflare.com/security/security-insights/) scans. To view data in this tab, first [enable Security Insights](https://developers.cloudflare.com/security-center/get-started/) and wait for the initial scan to complete. Initial scan time depends on the number of IT assets across the domains in your account. To open the **Infrastructure** tab, go to Account Home > **Security Center** \> **Infrastructure**. From the Infrastructure tab, you can: * **Filter the displayed information** — Narrow results by specific assets, domains, or configurations to focus on areas of interest. * **Print or download a PDF report** — Generate a report of your infrastructure overview for offline review or sharing with your team. * **Manage your security.txt file** — Create or update a [security.txt](https://developers.cloudflare.com/security-center/infrastructure/security-file/) file that provides security researchers with a standardized way to report vulnerabilities. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/security-center/","name":"Security Center"}},{"@type":"ListItem","position":3,"item":{"@id":"/security-center/infrastructure/","name":"Infrastructure"}}]} ``` --- --- title: Set up your security.txt file description: Manage your security.txt file via the dashboard or the API. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/security-center/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Set up your security.txt file You can manage your [security.txt ↗](https://en.wikipedia.org/wiki/Security.txt) file via the dashboard or the [API](https://developers.cloudflare.com/api/resources/security%5Ftxt/). Note When using the API, the preferred languages field name is `preferred_languages` (snake\_case). For example: `"preferred_languages": "en, de"`. To manage your security.txt file via the Cloudflare dashboard: * [ New dashboard ](#tab-panel-8190) * [ Old dashboard ](#tab-panel-8191) 1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), select your account and domain. 2. Go to **Security** \> **Settings** and filter by **Web application exploits**. 3. Under **Security.txt** \> **Configurations**, select the edit icon. 1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), select your account and domain. 2. Go to **Security** \> **Settings**. 3. Next to **Enable Security.txt**, select **Edit Security.txt**. From here, you can create and manage your `security.txt` file to provide the security research team with a standardized way to report vulnerabilities. Fill in the following information: * **(Required) Contact**: You can enter one of the following to contact you about security issues: * An email address: The email address must start with `mailto:` (for example, `mailto:help@example.com`). * A phone number: The phone number must start with `tel:` (for example, `tel:+1 1234567890`). * A URL link: The URL link must start with `https://` (for example, `https://example.com`). Select **Add more** to add multiple contacts. * **(Required) Expires at**: Enter the expiration date and time of the `security.txt` file. * **Encryption**: A link to a key which security researchers can use to communicate with you. * **Acknowledgements**: A link to your acknowledgements page. * **Canonical**: Links to your `security.txt` file. * **Hiring**: A link to your security-related job openings. * **Policy**: A link to a policy describing what security researchers should do when searching for or reporting security issues. * **Preferred languages**: A list of language codes that your security team speaks. Once you have entered the necessary information, select **Save**. To edit your security.txt file: * Old dashboard: Select **Security** \> **Settings** \> **Edit Security.txt**. * New security dashboard: 1. Go to **Security** \> **Settings** and filter by **Web application exploits**. 2. Under **Security.txt** \> **Configurations**, select the edit icon. To download your security.txt file: * Old dashboard: Select **Security** \> **Settings** \> **Download Security.txt**. * New security dashboard: 1. Go to **Security** \> **Settings** and filter by **Web application exploits**. 2. Under **Security.txt** \> **Configurations**, select the download icon. To delete your security.txt file: * Old dashboard: * Select **Security** \> **Settings** \> **Delete Security.txt**. * New security dashboard: 1. Select **Security** \> **Settings** and filter by **Web application exploits**. 2. Under **Security.txt** \> **Configurations**, select the edit icon. 3. Select **Delete**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/security-center/","name":"Security Center"}},{"@type":"ListItem","position":3,"item":{"@id":"/security-center/infrastructure/","name":"Infrastructure"}},{"@type":"ListItem","position":4,"item":{"@id":"/security-center/infrastructure/security-file/","name":"Set up your security.txt file"}}]} ``` --- --- title: Investigate description: Look up threat intelligence for IPs, domains, URLs, and AS numbers. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/security-center/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Investigate User permission Investigate is available to all users. Every user can view existing URL scanner reports and initiate new URL scans. However, advanced intelligence features, including searching for IP and domain intelligence and passive DNS records, are restricted to users with the following roles: Super Admin, Administrator, Brand Protection, Cloudforce One Admin. Investigate allows you to view a domain’s category, the IP it belongs to, and whether the category has changed before. You can also see which records it points to, including the country of origin and passive DNS records. After searching with Investigate, you will get an API curl to retrieve the same search results. You can learn more about the IP addresses in your logs by searching via the IP address to view its category and threat data. Enter any IP address, domain name, and hostname to see how it has been categorized from a threat perspective. Investigate also shows [Web Application Firewall ↗](https://developers.cloudflare.com/waf/) analytics for your websites behind Cloudflare to help you discover what your vulnerabilities are, where attacks come from, and what to do about it. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/security-center/","name":"Security Center"}},{"@type":"ListItem","position":3,"item":{"@id":"/security-center/investigate/","name":"Investigate"}}]} ``` --- --- title: Change categorization description: Request domain categorization changes via the dashboard, Radar, or the API. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/security-center/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Change categorization Cloudflare sorts domains into categories based on their content and security type. You can request categorization changes via the [dashboard](#via-the-cloudflare-dashboard), [Cloudflare Radar](#via-cloudflare-radar), or the [API](#via-the-api). For a detailed list of categories, refer to [Domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/). ## Via the Cloudflare dashboard To request a categorization change via the Cloudflare dashboard: 1. In the Cloudflare dashboard, go to the **Investigate** page. [ Go to **Investigate** ](https://dash.cloudflare.com/?to=/:account/security-center/investigate) 2. Search for the domain you want to change. 3. In **Domain overview**, select **Request to change categorization**. 4. Choose whether to change a [security category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories) or a [content category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#content-categories). 5. Choose which categories you want to add or remove from the domain. Content category limit A domain cannot have more than two associated content categories. To propose changes to categories of a domain with more than two existing categories, remove one or more of the existing categories. 6. Select **Submit** to submit your request for review. Requesting a security category change will trigger a deeper investigation by Cloudflare to confirm that the submission is valid. Requesting a content category change also requires Cloudflare validation, but the turnaround time for these submissions is usually shorter as it requires less investigation. Your category change requests will be revised by the Cloudflare team depending on the type of change. If your requests have been reviewed and applied by the Cloudflare team, the new categories will be visible in the Cloudflare dashboard in **Security Center** \> **Investigate**, as well as in [Cloudflare Radar ↗](https://radar.cloudflare.com/). Warning Cloudflare does not guarantee the category change will be approved. ## Via Cloudflare Radar To request recategorization via Cloudflare Radar, submit feedback in [Radar Domain Categorization ↗](https://radar.cloudflare.com/domains/feedback). ## Via the API To request a categorization change via the API: 1. [Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with permission to edit your Intel account. | **Permissions** | | | | --------------- | ----- | ---- | | Account | Intel | Edit | | **Account Resources** | | | --------------------- | ------------ | | Include | All accounts | 2. Make a call to the [miscategorization endpoint](https://developers.cloudflare.com/api/resources/intel/subresources/miscategorizations/methods/create/) including the domain name and any categories you would like to add or remove. For example: Terminal window ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/intel/miscategorization \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "content_adds": [ 82 ], "content_removes": [ 155 ], "indicator_type": "domain", "ip": null, "security_adds": [ 117, 131 ], "security_removes": [ 83 ], "url": "example.com" }' ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/security-center/","name":"Security Center"}},{"@type":"ListItem","position":3,"item":{"@id":"/security-center/investigate/","name":"Investigate"}},{"@type":"ListItem","position":4,"item":{"@id":"/security-center/investigate/change-categorization/","name":"Change categorization"}}]} ``` --- --- title: Investigate threats description: Search for IP, domain, URL, or ASN intelligence in Security Center or Radar. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/security-center/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Investigate threats Users can investigate the details of an IP address, domain name, URL, or Autonomous System Number (ASN). You can find the Investigate feature in your Cloudflare account's Security Center and in [Cloudflare Radar ↗](https://radar.cloudflare.com/scan). You can search with Investigate by [IP address](https://developers.cloudflare.com/security-center/investigate/investigate-threats/#ip-address), [domain](https://developers.cloudflare.com/security-center/investigate/investigate-threats/#domain), [URL](https://developers.cloudflare.com/security-center/investigate/investigate-threats/#url) and [AS number](https://developers.cloudflare.com/security-center/investigate/investigate-threats/#as-number). Note Search methods are also available through the [API](https://developers.cloudflare.com/security-center/intel-apis/). ## IP Address An [IP address ↗](https://www.cloudflare.com/learning/dns/glossary/what-is-my-ip-address/) is a unique address that identifies a server. It stands for [Internet Protocol ↗](https://www.cloudflare.com/learning/network-layer/internet-protocol/), which is the set of rules that allows servers to communicate with each other. IP address search allows you to search both [IPv4 and IPv6 ↗](https://www.cloudflare.com/learning/dns/glossary/what-is-my-ip-address/) addresses and retrieve relevant information such as their pointer records, AS numbers and passive DNS records. ## Domain A [domain name ↗](https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name/) is a string of text that maps to an IP address. Domain names are used to help people remember where websites are hosted. Domain names are purchased through [registrars](https://developers.cloudflare.com/registrar/) and can be acquired easily by anyone. When you search for a domain name, Cloudflare will provide an overview of the domain's [category](#domain-categories) and IP addresses it currently resolves to. ### Domain categories For a detailed list of categories, refer to [Domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/). A domain can have multiple categories. Cloudflare displays both the parent category and the detailed child category. You can [request category changes](https://developers.cloudflare.com/security-center/investigate/change-categorization/) for a domain. Miscategorized domains can also request to have a category added. This request goes through an approval process with the Cloudflare team. As part of the domain search results, Cloudflare show the WHOIS details and a history of its category changes over time. ## AS Number An [AS number ↗](https://www.cloudflare.com/learning/network-layer/what-is-an-autonomous-system/) is a group of IP addresses belonging to and controlled by a single organization. The entire group of networks have a single unified routing policy. The [Internet Assigned Numbers Authority ↗](https://www.iana.org/) (IANA) is the organization responsible for managing the assignment and distribution of AS numbers. The AS number's routing policies are used by [BGP ↗](https://www.cloudflare.com/learning/security/glossary/what-is-bgp/) which is how Cloudflare's [anycast network ↗](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/) works. When you search for an AS number, Cloudflare will return registration data such as its country, description and type. It will also display data such as domain count, top 10 domains and subnets. With sufficient data, AS number search results will also return the geographical distribution of traffic in its network, application level attacks and network level attacks, each broken down by Cloudflare mitigation techniques and network protocols, respectively. ## Hash When you search for a hash, the Cloudflare dashboard will provide a URL report for that specific hash. To search using a hash: 1. In the Cloudflare dashboard, go to the **Investigate** page. [ Go to **Investigate** ](https://dash.cloudflare.com/?to=/:account/security-center/investigate) 2. Enter the hash, then select **Search**. 3. Select **View report** to view the report for your URL. ## URL When you search for a URL, Cloudflare will provide a list of recent scan reports for that specific URL, limited to the past 30 days. You can view previously generated reports or scan again to generate a new report. Different Cloudflare plans will have different [scan limitations](https://developers.cloudflare.com/security-center/investigate/scan-limits/). If you want to scan a URL: 1. In the Cloudflare dashboard, go to the **Investigate** page. [ Go to **Investigate** ](https://dash.cloudflare.com/?to=/:account/security-center/investigate) 2. Enter the URL, then select **Search**. Alternatively, to scan a URL, go to [Cloudflare Radar ↗](https://radar.cloudflare.com/) \> **URL scanner**. Enter the URL, then select **Publish**. Note You can use [Cloudflare Radar API](https://developers.cloudflare.com/radar/investigate/url-scanner/#use-the-api) to investigate threats. ### Visibility When generating a new scan report, the default visibility is set to `Unlisted`, but you have the option to set it to `Public`. By choosing `Public`, the generated scan will be available to all Cloudflare dashboard and Cloudflare Radar users alike, which will increase awareness of potentially malicious websites for others. We recommend choosing `Unlisted` if you are scanning infrastructure that is not intended to be shared with the wider Cloudflare community. ### Filters While viewing the most recent scans, you can use the filtering options. Selecting `All account scans` will display both `Unlisted` or `Public` scans initiated from your Cloudflare account. However, by selecting `All global scans`, only `Public` scans are displayed. ### Downloads You can download a report of your scan in HAR or JSON format. To download a report: 1. In the Cloudflare dashboard, go to the **Investigate** page. [ Go to **Investigate** ](https://dash.cloudflare.com/?to=/:account/security-center/investigate) 2. Enter your domain and select **Search**. 3. Once the report has been generated, select **Download** and choose between **Download HAR** or **Download JSON**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/security-center/","name":"Security Center"}},{"@type":"ListItem","position":3,"item":{"@id":"/security-center/investigate/","name":"Investigate"}},{"@type":"ListItem","position":4,"item":{"@id":"/security-center/investigate/investigate-threats/","name":"Investigate threats"}}]} ``` --- --- title: Scan limits description: Limits image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/security-center/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Scan limits URL scans are limited by search history, Public and Unlisted visibility, and requests per second across different Cloudflare plans. | Cloudflare Plan | Search history | Public scans (per month) | Unlisted scans (per month) | Rate limit | | ------------------ | -------------- | ------------------------ | -------------------------- | ---------------- | | **Free / Radar** | last 50 scans | 5,000 | none | 1 per 10 seconds | | **Self serve** | 30 days | 5,000 | 500 | 1 per 10 seconds | | **Enterprise** | 12 months | 10,000 | 5,000 | 12 per second | | **Cloudforce One** | Unlimited | 75,000 | 20,000 | 12 per second | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/security-center/","name":"Security Center"}},{"@type":"ListItem","position":3,"item":{"@id":"/security-center/investigate/","name":"Investigate"}},{"@type":"ListItem","position":4,"item":{"@id":"/security-center/investigate/scan-limits/","name":"Scan limits"}}]} ``` --- --- title: Brand Protection description: Detect phishing domains and impersonation attempts targeting your brand. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/security-center/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ Phishing ](https://developers.cloudflare.com/search/?tags=Phishing)[ AI ](https://developers.cloudflare.com/search/?tags=AI) # Brand Protection Brand Protection allows you to proactively identify and mitigate domain impersonation and phishing attacks. By monitoring newly registered domains and visual assets across the Internet, Cloudflare helps protect your brand's reputation and prevents your customers or employees from submitting sensitive information to fraudulent sites. Common threats include: * [Typosquatting ↗](https://en.wikipedia.org/wiki/Typosquatting): For example, typing `cloudfalre.com` instead of `cloudflare.com`. * Concatenation of services (`cloudflare-service.com`) often registered by attackers to trick unsuspecting victims into submitting private information such as passwords. * [Homoglyph attacks ↗](https://en.wikipedia.org/wiki/IDN%5Fhomograph%5Fattack) that use lookalike characters to trick unsuspecting victims. User permission Access to Brand Protection is managed through [Cloudflare RBAC](https://developers.cloudflare.com/fundamentals/manage-members/roles/). Only users with the following roles can access and configure Brand Protection: * Super Admin * Admin * Brand Protection (custom role) ## Types of queries Cloudflare Brand Protection offers two distinct methods for monitoring impersonation: domain search and logo search. ### Domain search Search for domains based on text patterns, misspellings, or service combinations. To start searching for new domains that might be trying to impersonate your brand: 1. In the Cloudflare dashboard, go to the **Brand Protection** page. [ Go to **Brand protection** ](https://dash.cloudflare.com/?to=/:account/security-center/brand-protection) 2. In **String query**, provide a name for your query. You can add multiple brand phrases on the same query, and the results will generate matches for all of those. Once you entered the string queries, select **Search matches**. 3. In the **Character distance**, select from `0-3`. This defines how many characters a result can differ from your string (for example, a distance of 1 would catch `clpudflare.com`). The number of characters the results can differ from your domain. Note If a brand phrase or search term has less than five characters, you can only choose a max distance of `0` (zero). 4. You can select **Save query** to monitor it in the future and perform other actions, such as delete, clone and set up alerts, according to your Paid plan limits. 5. To export all matches from a saved query, select your **Query name** \> select the three dots > **Export matches**. In the section **Monitor Strings**, you can check all the string queries that you selected to monitor. You can delete, clone, or create notifications for a string query. Refer to [Brand Protection Alerts](#brand-protection-alerts) to set up notifications. You can also dismiss any domain matched in the query if you have investigated and deemed it benign or a false positive. Users can still access their previously dismissed matches by turning on the **Show dismissed matches** toggle in the Cloudflare dashboard. ### Logo search (AI-powered) Logo search uses computer vision to detect domains using your visual assets, even if the domain name does not contain your brand string. To set up a new logo query: 1. Select **Monitor Logos** and select **Add logo**. 2. Add a name for your query and upload your logo. Only the `.png`, `.jpeg`, and `.jpg` file extensions are supported. 3. Set the threshold: Set a match threshold (the minimum is 75%). A higher score ensures high-precision matches, while a lower score catches remixed or slightly altered versions of your logo. 4. Select **Save logo**. The system will now scan newly detected infrastructure for visual matches. The browser will return to the **Monitored Logos** page, where you can access your query and configure notifications. ## Investigate a query In this section, the dashboard displays: * **Domain overview** where you can request to [change categorization](https://developers.cloudflare.com/security-center/investigate/change-categorization/) and view the resolution history of your domain for up to seven days. * **WHOIS** that provides details about the date the domain was created, registrant and nameservers. * **Domain history** that provides information on the domain category and when it was last changed. Refer to [Investigate threats](https://developers.cloudflare.com/security-center/investigate/investigate-threats/) for more details. * **URL Reports** that provides information on any reported URL. To investigate a string query: 1. Go to the **Monitor Strings** or **Monitor Logos** section to view all your queries. 2. Select a monitored query to inspect all the domains that matched your query. 3. Next to the domain, select **Domain** or **URL**. This will trigger a search on the [**Investigate**](https://developers.cloudflare.com/security-center/investigate/) section in a separate tab. URL scanner will also be triggered from **Brand Protection** through **Security Center** \> **Investigate**. You will also have access to a report which will be generated automatically. The report will display screenshots of the matched domain, and the registrar of your domain. ## Report abuse Submit abuse report You can only submit an abuse report if your domain is with [Cloudflare Registrar ↗](https://www.cloudflare.com/products/registrar/), or if the IP used by the domain is hosted by Cloudflare. To submit abuse reports directly from the dashboard: 1. In the Cloudflare dashboard, go to the **Brand Protection** page. [ Go to **Brand protection** ](https://dash.cloudflare.com/?to=/:account/security-center/brand-protection) 2. Go to **Monitor Strings**, select the query you want to report. 3. Select **Report to Cloudflare**. 4. Fill in the details to submit an abuse report. 5. Select **Submit**. To view abuse reports, in the Cloudflare dashboard, go to the **Abuse Reports** page. [ Go to **Abuse reports** ](https://dash.cloudflare.com/?to=/:account/abuse-reports) You can review abuse reports against your zones and any mitigations taken against reports in response. You can also **Request review** of most mitigations. ## Brand Protection API The [Brand Protection API](https://developers.cloudflare.com/api/resources/brand%5Fprotection/) allows for programmatic management and integration with your [SOC ↗](https://www.cloudflare.com/en-gb/learning/security/glossary/what-is-a-security-operations-center-soc/) or [SIEM ↗](https://www.cloudflare.com/en-gb/learning/security/what-is-siem/). Using the Brand Protection API, you can: * Manage queries: Create, edit, or delete string and logo queries. * Data retrieval: Read and download matches for automated ingestion. * Query editing: Update existing query parameters without losing historical data. ## Notifications and alerts Brand Protection integrates with Cloudflare's ANS (Alerts Notification Service) to provide configurable alerts when new domains are detected. Any matches that are found during the new domain search are then inserted into an internal alerts table which triggers an alert for the user. This allows you to receive real-time notifications and take immediate action to investigate and potentially block any suspicious domains that may be attempting to impersonate your brand. Brand Protection Alerts **Who is it for?** Customers who want a summary of activity related to [Brand Protection](https://developers.cloudflare.com/security-center/brand-protection/). **Other options / filters** You can set up Brand Protection Alerts on individual monitored queries. For more details, refer to [Brand Protection Alerts](https://developers.cloudflare.com/security-center/brand-protection/#brand-protection-alerts). **Included with** Professional plans or higher. **What should you do if you receive one?** Investigate and potentially block any suspicious domains that may be trying to impersonate your brand. Brand Protection Digest **Who is it for?** Customers who want a summary of activity related to [Brand Protection](https://developers.cloudflare.com/security-center/brand-protection/). **Other options / filters** You can set up Brand Protection Digest on individual monitored queries. For more details, refer to [Brand Protection Alerts](https://developers.cloudflare.com/security-center/brand-protection/#brand-protection-alerts). **Included with** Professional plans or higher. **What should you do if you receive one?** Investigate and potentially block any suspicious domains that may be trying to impersonate your brand. Logo Match Alerts **Who is it for?** Customers who want to receive a notification when the [Brand Protection](https://developers.cloudflare.com/security-center/brand-protection/) system detects a new domain which is using the uploaded logo and might be infringing copyright. **Other options / filters** You can select the query that you want to be alerted on. **Included with** Enterprise plans. **What should you do if you receive one?** Review the domains and URLs that are potentially impersonating your brand. Security Insights **Who is it for?** Customers who want to receive notifications based on security insights findings. **Other options / filters** You can select the insight(s) you want to be alerted on. **Included with** All Cloudflare plans. **What should you do if you receive one?** Review the insight and decide whether you want to resolve it, archive it, or export it. Abuse report **Who is it for?** Customers who want to be alerted in the event that an abuse report is filed against their website. **Other options / filters** You can filter the reports based on date, report status, report type, and domain. **Included with** All Cloudflare plans. **What should you do if you receive one?** View our guidance on [customer abuse report obligations](https://developers.cloudflare.com/fundamentals/reference/report-abuse/abuse-report-obligations/) and more information on how to [view and submit abuse reports](https://developers.cloudflare.com/fundamentals/reference/report-abuse/submit-report/). To set up a Brand Protection Alert: 1. Go to **Monitor Strings** and locate the query for which you would like to create notifications. 2. Select **alerts**. This should redirect you to the **Add Notification** page, where you can configure what you want to be notified about, and how. Note You can also set up the alerts from your [Notifications](https://developers.cloudflare.com/notifications/) menu. 3. Create a notification name, add a description (optional), and select the monitored queries. You can also add a Webhook, and a notification email. You can add multiple email addresses. 4. Select **Save**. Manage your notifications in the **All notifications** tab. You can disable, edit, delete, or test them. ## Subscriptions and limitations * Self-serve users can subscribe directly to add monitoring capacity to their account. * You may only use the Brand Protection search tools to search for domains that may be attempting to impersonate your brand or a brand that has authorized you to conduct such search on its behalf. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/security-center/","name":"Security Center"}},{"@type":"ListItem","position":3,"item":{"@id":"/security-center/brand-protection/","name":"Brand Protection"}}]} ``` --- --- title: Custom Indicator Feeds description: Receive curated threat intelligence feeds from Cyber Defense Collaboration groups. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/security-center/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ REST API ](https://developers.cloudflare.com/search/?tags=REST%20API) # Custom Indicator Feeds Cloudflare's threat intelligence team crowdsources attack trends and protects users automatically, such as from zero-day vulnerabilities like the [HTTP/2 Rapid Reset attack ↗](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/). However, in some cases, Cloudflare will partner with external entities that have their own feeds which can be shared with eligible Cloudflare users. With Custom Indicator Feeds, Cloudflare provides a threat intelligence feed based on data received from various Cyber Defense Collaboration groups. The security filtering capabilities are available to eligible public and private sector organizations. ## Publicly available feeds Cloudflare provides some feeds to Gateway users without the need to establish a provider relationship. | Name | Description | Availability | | ------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | | [Treasury Early Indicator Feed ↗](https://www.cloudflare.com/press-releases/2024/us-department-of-treasury-pnnl-finserv-threat-intel-feed/), Feed ID 14 | Threat data for financial institutions provided by the US Department of Treasury and Pacific Northwest National Laboratory (PNNL). For more information, contact your account team. | Approved financial services organizations | | [UK NCSC Public Threat Indicators ↗](https://www.ncsc.gov.uk/information/pdns) Feed ID 24 | Recursive DNS service supplied by the UK National Cyber Security Centre (NCSC) to block DNS-based malware. | All users | | Cloudforce One - Public Feed Feed ID 34 | Feed of indicators. | All users | ## Get started Cloudflare threat intelligence data consists of a data exchange between providers and subscribers. A provider is an organization that has a set of data that they are interested in sharing with other Cloudflare organizations. Any organization can be a provider. Examples of current providers are Government Cyber Defense groups. Subscribers can be any Cloudflare customer that wants to secure their environment further by creating rules based on provider datasets. Subscribers must be authorized by a provider. Authorization is granted using the [Grant permission to indicator feed endpoint](https://developers.cloudflare.com/api/resources/intel/subresources/indicator%5Ffeeds/subresources/permissions/methods/create/). If your organization is interested in becoming a provider or a subscriber, contact your account team. ### Create a Custom Indicator Feed Providers can create and manage a Custom Indicator Feed with the [Custom Indicator Feeds API endpoints](https://developers.cloudflare.com/api/resources/intel/subresources/indicator%5Ffeeds/methods/list/): 1. Contact your account team to configure your account as an indicator feed provider. 2. Create a feed with the [Create new indicator feed endpoint](https://developers.cloudflare.com/api/resources/intel/subresources/indicator%5Ffeeds/methods/create/). Make note of the `feed_id` generated for your feed. For example: Create new indicator feed ``` curl "https://api.cloudflare.com/client/v4/accounts//intel/indicator-feeds" \ --header 'Content-Type: application/json' \ --header 'X-Auth-Email: ' \ --header 'X-Auth-Key: ' \ --data '{ "description": "Custom indicator feed to detect threats", "name": "threat_indicator_feed" }' ``` ``` { "result": { "id": 10, "name": "threat_indicator_feed", "description": "Custom indicator feed to detect threats", "created_on": "2024-09-17T21:16:09.412Z", "modified_on": "2024-09-17T21:16:09.412Z" }, "success": true, "errors": [], "messages": [] } ``` 3. Upload data to the feed with the [Update indicator feed data endpoint](https://developers.cloudflare.com/api/resources/intel/subresources/indicator%5Ffeeds/subresources/snapshots/methods/update/). Uploaded indicator data must be in a [.stix2 ↗](https://oasis-open.github.io/cti-documentation/stix/intro) formatted file. The [maximum upload file size](https://developers.cloudflare.com/r2/platform/limits/) is 4.995 GiB. Update indicator feed data ``` curl --request PUT \ "https://api.cloudflare.com/client/v4/accounts//intel/indicator-feeds//snapshot" \ --header 'Content-Type: multipart/form-data' \ --header 'X-Auth-Email: ' \ --header 'X-Auth-Key: ' \ --form 'source=@/path/to/file' ``` ``` { "result": { "file_id": 1, "filename": "snapshot_file.unified", "status": "unified" }, "errors": [], "messages": [], "success": true } ``` Note Indicator feeds use a snapshot system. To update feeds with new data, providers must upload a file containing all previous and new indicators. 4. (Optional) Verify the status of your feed upload with the [Get indicator feed data endpoint](https://developers.cloudflare.com/api/resources/intel/subresources/indicator%5Ffeeds/methods/data/). For example: Get indicator feed data ``` curl --request GET \ "https://api.cloudflare.com/client/v4/accounts//intel/indicator-feeds//data" \ --header 'Content-Type: application/json' \ --header 'X-Auth-Email: ' \ --header 'X-Auth-Key: ' ``` ``` { "result": { "id": 10, "name": "threat_indicator_feed", "description": "Custom indicator feed to detect threats", "created_on": "2023-08-01T18:00:26.65715Z", "modified_on": "2023-08-01T18:00:26.65715Z", "latest_upload_status": "Complete" }, "success": true, "errors": [], "messages": [] } ``` 5. Grant access to subscribers with the [Grant permission to indicator feed endpoint](https://developers.cloudflare.com/api/resources/intel/subresources/indicator%5Ffeeds/subresources/permissions/methods/create/). You can add subscribers to the feed's allowed subscribers list using their [account IDs](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/). For example: Update indicator feed data ``` curl --request PUT \ "https://api.cloudflare.com/client/v4/accounts//intel/indicator-feeds//snapshot" \ --header 'Content-Type: multipart/form-data' \ --header 'X-Auth-Email: ' \ --header 'X-Auth-Key: ' \ --data '{ "account_tag": "823f45f16fd2f7e21e1e054aga4d2859", "feed_id": 10 }' ``` ### Use a feed in Gateway Once an account is granted access to a feed, it will be available to match traffic as a [selector in Gateway DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#indicator-feeds). 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Firewall policies**. Select **DNS**. 2. To create a new DNS policy, select **Add a policy**. 3. Name your policy. 4. In **Traffic**, add a condition with the **Indicator Feeds** selector. If your account has been granted access to a Custom Indicator Feed, Gateway will list the feed in **Value**. For example, you can block sites that appear in a feed: | Selector | Operator | Value | Action | | --------------- | -------- | ------------------- | ------ | | Indicator Feeds | in | _Threat Intel Feed_ | Block | 5. Select **Create policy**. For more information on creating Gateway policies, refer to [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/security-center/","name":"Security Center"}},{"@type":"ListItem","position":3,"item":{"@id":"/security-center/indicator-feeds/","name":"Custom Indicator Feeds"}}]} ``` --- --- title: Changelog description: Track the latest updates and changes to Security Center features. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/security-center/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Changelog [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/security-center.xml) ## 2026-05-07 **CSV export and adjustable page density for RFIs** You can now export your Requests for Information (RFI) history to a **CSV document** and customize your dashboard view by choosing how many RFI records to load per page. #### Why this matters These quality-of-life updates focus on data portability and dashboard performance, allowing power users to manage high volumes of requests more efficiently: * The new **CSV export** allows you to move RFI data into external tools for custom reporting, internal auditing, or cross-referencing with other security projects without manual data entry * With **adjustable page density**, you can now choose to load more records at once (10, 25 or 50) to scan through history faster Cloudforce One subscribers can find these new options in [Cloudflare Dashboard > Application Security > Threat Intelligence > Requests for Information ↗](https://dash.cloudflare.com/?to=/:account/application-security/threat-intelligence/requests). ## 2026-05-06 **TAXII support added to Threat Events API** The Cloudforce One Threat Events API now supports [**TAXII** ↗](https://www.cloudflare.com/en-gb/learning/security/what-is-stix-and-taxii/) as an output format, enabling standardized, automated sharing of cyber threat intelligence with your existing security stack. #### Why this matters * You can now ingest Cloudforce One threat data directly into your SIEM, TIP or SOAR tools that prefer TAXII-formatted streams without needing custom translation scripts. * By supporting the TAXII format parameter in our API, security teams can automate the synchronization of indicator data, reducing the manual overhead of updating blocklists and detection rules. * This alignment with industry standards ensures that your threat data remains consistent across different security ecosystems and partner integrations. #### How to use it When calling the Threat Events API, you can now specify `taxii` in the `format` query parameter: `GET /accounts/{account_id}/cloudforce_one/threat_events?format=taxii` You can find the updated documentation in the [Cloudflare API Reference ↗](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/threat%5Fevents/methods/list#%28resource%29%20cloudforce%5Fone.threat%5Fevents%20%3E%20%28method%29%20list%20%3E%20%28params%29%20default%20%3E%20%28param%29%20format%20%3E%20%28schema%29). ## 2026-04-27 **Unified workspace for Brand Protection** We have introduced a unified investigation workspace within Brand Protection to help analysts manage complex brand portfolios. Instead of jumping between individual queries, you can now consolidate your workflow into a single, cohesive view. #### What's new * You can now elect multiple saved queries from your dashboard to generate a consolidated "Combined Matches" view. This allows you to triage results from different brand queries in one unified table * You can open query extended views in distinct tabs within the Brand Protection dashboard. This enables you to maintain multiple investigation contexts simultaneously and switch between them without losing your place. * You can reset your workspace using the new "Clear Selection" action, making it easier to pivot between different investigation sets. #### Key benefits * Eliminate fragmented workflows by viewing all matches across different query buckets in a single table, reducing the need to click through dozens of individual query pages * Correlate related campaigns by seeing similar domains or infrastructure patterns that appear across multiple saved queries Learn more in our [Brand Protection documentation](https://developers.cloudflare.com/security-center/brand-protection/). ## 2026-04-08 **Real-time alerts and daily digests for Threat Events** You can now automate your threat monitoring by setting up custom alerts in your saved views. Instead of manually checking the dashboard for updates, you can subscribe to notifications that trigger whenever new data matches your specific filter sets, like new activity associated to a particular threat actor or spikes in activity within your industry. #### Stay ahead of emerging threats By linking your saved views to the Cloudflare Notifications Center, you can ensure the right information reaches your team at the right time. * **Immediate Alerts**: receive real-time notifications the moment a critical event is detected that matches your saved criteria. This is essential for high-priority monitoring, such as tracking active campaigns from specific APT groups. * **Daily Digests**: opt for a summarized report delivered once a day. This is ideal for maintaining situational awareness of broader trends, like regional activity shifts or industry-wide threat landscapes, without cluttering your inbox. ![Threat Events notifications](https://developers.cloudflare.com/_astro/threat-events-notifications.3Fl8LGOn_S9A1r.webp) #### How to get started To set up an alert, go to **Application Security** \> **Threat Intelligence** \> **Threat Events**. From there: 1. Choose your datasets and apply your desired filters and select **Save View** (or select an existing one). 2. Open the **Manage Saved Views** menu. 3. Select **Add Alert** next to your chosen view to configure your notification preferences in the Cloudflare dashboard. For more technical details on configuring notifications, refer to the [Threat Events documentation](https://developers.cloudflare.com/security-center/cloudforce-one/). ## 2026-03-18 **Real-time logo match preview** We are introducing **Logo Match Preview**, bringing the same pre-save visibility to visual assets that was previously only available for string-based queries. This update allows you to fine-tune your brand detection strategy before committing to a live monitor. #### What’s new: * Upload your brand logo and immediately see a sample of potential matches from recently detected sites before finalizing the query * Adjust your similarity score (from 75% to 100%) and watch the results refresh in real-time to find the balance between broad detection and noise reduction * Review the specific logos triggered by your current settings to ensure your query is capturing the right level of brand infringement If you are ready to test your brand assets, go to the [Brand Protection dashboard ↗](https://developers.cloudflare.com/security-center/brand-protection/) to try the new preview tool. ## 2026-03-06 **Dismiss and filter matches in Brand Protection** We have introduced new triage controls to help you manage your Brand Protection results more efficiently. You can now clear out the noise by dismissing matches while maintaining full visibility into your historical decisions. #### What's new * **Dismiss matches**: Users can now mark specific results as dismissed if they are determined to be benign or false positives, removing them from the primary triage view. * **Show/Hide toggle**: A new visibility control allows you to instantly switch between viewing only active matches and including previously dismissed ones. * **Persistent review states**: Dismissed status is saved across sessions, ensuring that your workspace remains organized and focused on new or high-priority threats. #### Key benefits of the dismiss match functionality: * Reduce alert fatigue by hiding known-safe results, allowing your team to focus exclusively on unreviewed or high-risk infringements. * Auditability and recovery through the visibility toggle, ensuring that no match is ever truly "lost" and can be re-evaluated if a site's content changes. * Improved collaboration as your team members can see which matches have already been vetted and dismissed by others. Ready to clean up your match queue? Learn more in our [Brand Protection documentation](https://developers.cloudflare.com/security-center/brand-protection/). ## 2026-02-23 **Saved views for Threat Events** **TL;DR:** You can now create and save custom configurations of the Threat Events dashboard, allowing you to instantly return to specific filtered views — such as industry-specific attacks or regional Sankey flows — without manual reconfiguration. #### Why this matters Threat intelligence is most effective when it is personalized. Previously, analysts had to manually re-apply complex filters (like combining specific industry datasets with geographic origins) every time they logged in. This update provides material value by: * Analysts can now jump straight into "Known Ransomware Infrastructure" or "Retail Sector Targets" views with a single click, eliminating repetitive setup tasks * Teams can ensure everyone is looking at the same data subsets by using standardized saved views, reducing the risk of missing critical patterns due to inconsistent filtering. Cloudforce One subscribers can start saving their custom views now in [Application Security > Threat Intelligence > Threat Events ↗](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence/threat-events). ## 2026-02-19 **Cloudforce One Threat events graphs are now visible in the dashboard** We have introduced dynamic visualizations to the Threat Events dashboard to help you better understand the threat landscape and identify emerging patterns at a glance. What's new: * **Sankey Diagrams**: Trace the flow of attacks from country of origin to target country to identify which regions are being hit hardest and where the threat infrastructure resides. ![Sankey Diagram](https://developers.cloudflare.com/_astro/2026-02-19-sankey-diagram.VZMSmdZL_Z1dxq3E.webp) * **Dataset Distribution over time**: Instantly pivot your view to understand if a specific campaign is targeting your sector or if it is a broad-spectrum commodity attack. ![Events over time](https://developers.cloudflare.com/_astro/2026-02-19-events-over-time.CqD7VKqA_Z20JNi0.webp) * **Enhanced Filtering**: Use these visual tools to filter and drill down into specific attack vectors directly from the charts. Cloudforce One subscribers can explore these new views now in [Application Security > Threat Intelligence > Threat Events ↗](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence/threat-events). ## 2026-02-12 **Enhanced Logo Matching for Brand Protection** We have significantly upgraded our Logo Matching capabilities within Brand Protection. While previously limited to approximately 100% matches, users can now detect a wider range of brand assets through a redesigned matching model and UI. #### What's new * **Configurable match thresholds**: Users can set a minimum match score (starting at 75%) when creating a logo query to capture subtle variations or high-quality impersonations. * **Visual match scores**: Allow users to see the exact percentage of the match directly in the results table, highlighted with color-coded lozenges to indicate severity. * **Direct logo previews**: Available in the Cloudflare dashboard — similar to string matches — to verify infringements at a glance. #### Key benefits * **Expose sophisticated impersonators** who use slightly altered logos to bypass basic detection filters. * **Faster triage** of the most relevant threats immediately using visual indicators, reducing the time spent manually reviewing matches. Ready to protect your visual identity? Learn more in our [Brand Protection documentation](https://developers.cloudflare.com/security-center/brand-protection/). ## 2026-02-03 **Threat actor identification with "also known as" aliases** Identifying threat actors can be challenging, because naming conventions often vary across the security industry. To simplify your research, **Cloudflare Threat Events** now include an **Also known as** field, providing a list of common aliases and industry-standard names for the groups we track. This new field is available in both the Cloudflare dashboard and via the API. In the dashboard, you can view these aliases by expanding the event details side panel (under the **Attacker** field) or by adding it as a column in your configurable table view. #### Key benefits * Easily map Cloudflare-tracked actors to the naming conventions used by other vendors without manual cross-referencing. * Quickly identify if a detected threat actor matches a group your team is already monitoring via other intelligence feeds. For more information on how to access this data, refer to the [Threat Events API documentation ↗](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/threat%5Fevents/). ## 2026-01-14 **URL Scanner now supports PDF report downloads** We have expanded the reporting capabilities of the Cloudflare URL Scanner. In addition to existing JSON and HAR exports, users can now generate and download a **PDF report** directly from the Cloudflare dashboard. This update streamlines how security analysts can share findings with stakeholders who may not have access to the Cloudflare dashboard or specialized tools to parse JSON and HAR files. **Key Benefits:** * Consolidate scan results, including screenshots, security signatures, and metadata, into a single, portable document * Easily share professional-grade summaries with non-technical stakeholders or legal teams for faster incident response **What’s new:** * **PDF Export Button:** A new download option is available in the URL Scanner results page within the Cloudflare dashboard * **Unified Documentation:** Access all scan details—from high-level summaries to specific security flags—in one offline-friendly file To get started with the URL Scanner and explore our reporting capabilities, visit the [URL Scanner API documentation ↗](https://developers.cloudflare.com/api/resources/url%5Fscanner/). --- ## 2026-01-12 **Cloudflare Threat Events now support STIX2 format** We are excited to announce that **Cloudflare Threat Events** now supports the **STIX2 (Structured Threat Information Expression)** format. This was a highly requested feature designed to streamline how security teams consume and act upon our threat intelligence. By adopting this industry-standard format, you can now integrate Cloudflare's threat events data more effectively into your existing security ecosystem. #### Key benefits * Eliminate the need for custom parsers, as STIX2 allows for "out of the box" ingestion into major **Threat Intel Platforms (TIPs)**, **SIEMs**, and **SOAR** tools. * STIX2 provides a standardized way to represent relationships between indicators, sightings, and threat actors, giving your analysts a clearer picture of the threat landscape. For technical details on how to query events using this format, please refer to our [Threat Events API Documentation ↗](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/threat%5Fevents/methods/list/). --- ## 2025-11-21 **Threat insights are now available in the Threat Events platform** The threat events platform now has threat insights available for some relevant parent events. Threat intelligence analyst users can access these insights for their threat hunting activity. Insights are also highlighted in the Cloudflare dashboard by a small `lightning icon` and the insights can refer to multiple, connected events, potentially part of the same attack or campaign and associated with the same threat actor. For more information, refer to [Analyze threat events](https://developers.cloudflare.com/security-center/cloudforce-one/#analyze-threat-events). ## 2025-10-31 **Report logo misuse to Cloudflare directly from the Brand Protection dashboard** The Brand Protection logo query dashboard now allows you to use the **Report to Cloudflare** button to submit an Abuse report directly from the Brand Protection logo queries dashboard. While you could previously report new domains that were impersonating your brand before, now you can do the same for websites found to be using your logo without your permission. The abuse reports will be prefilled and you will only need to validate a few fields before you can click the submit button, after which our team process your request. Ready to start? Check out the [Brand Protection docs](https://developers.cloudflare.com/security-center/brand-protection/). ## 2025-10-27 **Cloudforce One RFI tokens are now visible in the dashboard** The Requests for Information (RFI) dashboard now shows users the number of tokens used by each submitted RFI to better understand usage of tokens and how they relate to each request submitted. ![Cloudforce One RFI tokens](https://developers.cloudflare.com/_astro/2025-10-24RFITokens.DPm1e8uC_2g3fE3.webp) What’s new: * Users can now see the number of tokens used for a submitted request for information. * Users can see the remaining tokens allocated to their account for the quarter. * Users can only select the Routine priority for the `Strategic Threat Research` request type. Cloudforce One subscribers can try it now in [Application Security > Threat Intelligence > Requests for Information ↗](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence/requests). ## 2025-10-17 **New Application Security reports (Closed Beta)** Cloudflare's new **Application Security report**, currently in Closed Beta, is now available in the dashboard. [ Go to **Security reports** ](https://dash.cloudflare.com/?to=/:account/security-center/reports) The reports are generated monthly and provide cyber security insights trends for all of the Enterprise zones in your Cloudflare account. The reports also include an industry benchmark, comparing your cyber security landscape to peers in your industry. ![Application Security report mock data](https://developers.cloudflare.com/_astro/2025-10-17-application-security-report-mock-data.Cz0-WuoX_15MbLt.webp) Learn more about the reports by referring to the [Security Reports documentation](https://developers.cloudflare.com/analytics/account-and-zone-analytics/app-security-reports/). Use the feedback survey link at the top of the page to help us improve the reports. ![Application Security report survey](https://developers.cloudflare.com/_astro/2025-10-17-report-feedback-survey.DPmUlWh2_Z1nYBN6.webp) ## 2025-08-15 **Save time with bulk query creation in Brand Protection** [Brand Protection](https://developers.cloudflare.com/security-center/brand-protection/) detects domains that may be impersonating your brand — from common misspellings (`cloudfalre.com`) to malicious concatenations (`cloudflare-okta.com`). Saved search queries run continuously and alert you when suspicious domains appear. You can now create and save multiple queries in a single step, streamlining setup and management. Available now via the [Brand Protection bulk query creation API](https://developers.cloudflare.com/api/resources/brand%5Fprotection/subresources/queries/methods/bulk/). ## 2025-07-18 **New APIs for Brand Protection setup** The Brand Protection API is now available, allowing users to create new queries and delete existing ones, fetch matches and more! What you can do: * **create new string or logo query** * **delete string or logo queries** * **download matches for both logo and string queries** * **read matches for both logo and string queries** Ready to start? Check out the [Brand Protection API](https://developers.cloudflare.com/api/resources/brand%5Fprotection/) in our documentation. ## 2025-05-08 **URL Scanner now supports geo-specific scanning** Enterprise customers can now choose the geographic location from which a URL scan is performed — either via [Security Center](https://developers.cloudflare.com/security-center/investigate/) in the Cloudflare dashboard or via the [URL Scanner API](https://developers.cloudflare.com/api/resources/url%5Fscanner/subresources/scans/methods/create/). This feature gives security teams greater insight into how a website behaves across different regions, helping uncover targeted, location-specific threats. **What’s new:** * Location Picker: Select a location for the scan via **Security Center → Investigate** in the dashboard or through the API. * Region-aware scanning: Understand how content changes by location — useful for detecting regionally tailored attacks. * Default behavior: If no location is set, scans default to the user’s current geographic region. Learn more in the [Security Center documentation](https://developers.cloudflare.com/security-center/). ## 2025-02-03 * Security Center now has a role called Brand Protection. This role gives you access to the Brand Protection feature on the API and Cloudflare dashboard. Brand Protection role also gives you access to the Investigate platform, where you can consume the Threat Intel API and URL scanner API calls. ## 2025-01-20 * On the URL scanner, customers who search for a report will now get a list of all reports related to that specific hostname. A hash is also available in the security report. By selecting the hash, the dashboard will list reports containing the same hash. ## 2024-09-23 * Customers can now export all matches from a saved query. Select your **Query name** \> select the three dots > **Export matches**. ## 2024-09-19 * Customers can now create a `security.txt` file file to provide the security research team with a standardized way to report vulnerabilities. ## 2024-07-22 * Customers can now archive multiple Security Insights at the same time. Go to **Security Center** \> **Security Insights** and select the insights to archive. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/security-center/","name":"Security Center"}},{"@type":"ListItem","position":3,"item":{"@id":"/security-center/changelog/","name":"Changelog"}}]} ```