Generate WAF rules from Threat Events saved views

Cloudforce One users can now turn Threat Events indicators into active defense. With this update, users can instantly generate a WAF rule that matches the dynamic list of IP addresses returned by any of their Saved Views.

Why this matters

Threat intelligence is most effective when it is immediately actionable. Previously, blocking threat actors required manually extracting indicators from threat events and copying them into your firewall rules. This new integration bridges the gap between threat discovery and threat mitigation:

• When you identify an active threat pattern - such as an ongoing campaign targeting a specific industry, or using a known indicator type - you can pivot from investigation to mitigation in a single click.
• Instead of writing complex, static IP rules, this functionality allows you to leverage the specific filtering logic you have already defined and saved within your Threat Events ecosystem.
• Automating the generation of the WAF rule expression from your threat views eliminates manual copying errors, ensuring that the right malicious infrastructure is blocked instantly.

How to use it

You can implement these rules through both the dashboard UI and via the API / Terraform.

Go to Cloudflare Dashboard > Application Security > Threat Intelligence > Manage Views, select your desired view, and select Create WAF Rule.

This will automatically pre-populate the WAF rule builder with the matching threat event IP indicators.

You can also automate this workflow by utilizing the WAF Rule Builder API alongside your Threat Events saved views endpoints.