
Cloudflare Threat Intelligence Feed


Category: Intelligence | Last Updated: Feb 5, 2026
Tags: intelligence, geospatial

Overview#

An analyst investigating a spearphishing campaign extracts three domains from email headers: all registered in the past week, all resolving to the same IP range, and all using a slightly misspelled version of a legitimate financial institution's domain name. Running the domains through the Cloudflare Threat Intelligence feed returns risk scores of 8.9, 9.1, and 8.7 out of 10, category classification as phishing infrastructure, passive DNS history showing four previous domains on the same IP also flagged as malicious, and registration dates confirming the domains were created two days before the campaign began. The analyst has gone from three suspicious strings to a mapped phishing kit infrastructure in under a minute.

The Cloudflare Threat Intelligence integration provides threat enrichment for cyber investigations and threat analysis. Domain intelligence, IP risk scoring, passive DNS history, URL scanning, and WHOIS data enable analysts to quickly assess the risk profile of indicators encountered during investigations, with access to Cloudflare's global threat intelligence network covering traffic across a significant portion of the internet.
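The triage described in the scenario above, as an added example written for this page (not Cloudflare's or the platform's own code): it combines the feed's 0-10 risk score with three checks an analyst makes locally, namely edit distance between the suspicious label and the impersonated one, registration age relative to the campaign start, and co-location in the same IP block. The enrichment results, the impersonated domain `examplebank.com`, the campaign date, the 30-day "newly registered" window and the field names of the `Enrichment` record are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date

LEGITIMATE_DOMAIN = "examplebank.com"   # constructed: the impersonated institution
CAMPAIGN_START = date(2026, 1, 28)      # constructed: date of the first phishing email
NEW_DOMAIN_WINDOW_DAYS = 30             # assumption: what counts as "newly registered"


@dataclass
class Enrichment:
    """One feed response reduced to the fields triage uses (field names are assumptions)."""
    domain: str
    risk_score: float   # 0-10 scale, as the feed returns it
    category: str
    registered: date
    resolves_to: str


# Constructed enrichment results mirroring the scenario; the last row is the real bank.
RESULTS = [
    Enrichment("examplebnak.com", 8.9, "phishing", date(2026, 1, 26), "203.0.113.17"),
    Enrichment("exampIebank.com", 9.1, "phishing", date(2026, 1, 26), "203.0.113.18"),
    Enrichment("examplebank-secure.com", 8.7, "phishing", date(2026, 1, 26), "203.0.113.21"),
    Enrichment("examplebank.com", 0.4, "financial", date(2003, 5, 2), "198.51.100.9"),
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two labels; one or two edits is the typical typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sld(domain: str) -> str:
    """Second-level label, lower-cased (no public-suffix handling; 'x.co.uk' gives 'co')."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike(domain: str, legit: str, max_distance: int = 2) -> bool:
    """A label within a couple of edits of the real one, or one that embeds it, is a lookalike."""
    a, b = sld(domain), sld(legit)
    if a == b:
        return False
    return levenshtein(a, b) <= max_distance or b in a


def is_newly_registered(registered: date, campaign_start: date) -> bool:
    """True when the domain was created inside the window just before the campaign."""
    age = (campaign_start - registered).days
    return 0 <= age <= NEW_DOMAIN_WINDOW_DAYS


def hosting_block(ip: str):
    """Coarse 'same IP range' key: /24 for IPv4, /64 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def triage(results, legit=LEGITIMATE_DOMAIN, campaign_start=CAMPAIGN_START):
    """Combine the feed score with local signals; returns one verdict dict per indicator."""
    by_block = {}
    for r in results:
        by_block.setdefault(hosting_block(r.resolves_to), []).append(r.domain)
    verdicts = []
    for r in results:
        block = hosting_block(r.resolves_to)
        signals = {
            "feed_flagged": r.risk_score >= 8.0,
            "lookalike": is_lookalike(r.domain, legit),
            "new_domain": is_newly_registered(r.registered, campaign_start),
            "shared_block": len(by_block[block]) > 1,
        }
        hits = sum(signals.values())
        priority = "high" if signals["feed_flagged"] and hits >= 3 else "medium" if hits >= 2 else "low"
        verdicts.append({"domain": r.domain, "priority": priority, "block": str(block), **signals})
    return verdicts


if __name__ == "__main__":
    for v in triage(RESULTS):
        print(f"{v['domain']:<24} {v['priority']:<7} {v['block']:<17} "
              + " ".join(k for k, on in v.items() if on is True))
```

The feed score alone would already rank the three domains, but keeping the local signals separate is what lets the analyst explain the verdict: the legitimate domain scores low on every axis, while each lookalike trips all four.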

Open Standards#

  • MITRE ATT&CK: Threat actor attribution scores observed Tactics, Techniques, and Procedures (TTPs) directly against MITRE ATT&CK technique identifiers stored in a mitre_attack_techniques table, enabling structured TTP-overlap matching during investigations.
  • DNS (RFC 1034 / RFC 1035): Passive DNS history retrieves historical A, AAAA, MX, and other resource record types for domains and IP addresses, and DNS-over-HTTPS queries are used during IOC enrichment workflows.
  • WHOIS (RFC 3912): Domain registration lookups return registrar, creation date, expiry date, nameservers, and raw WHOIS data to support infrastructure-mapping and threat actor profiling.
  • CVE / CVSS (MITRE / FIRST): Vulnerability indicators are modelled with cve_id and a CVSS 0-10 score plus vector string, allowing threat intelligence enrichment to correlate exploited vulnerabilities with observed threat activity.
  • IPv4 / IPv6 (RFC 791 / RFC 8200): IP intelligence queries explicitly branch on IP version, returning ASN, geolocation, and risk categorisation for both protocol families, including Tor exit node, VPN, and proxy classification.
  • MISP Core Format 2.4: Enriched indicators and IOCs are shared with and received from MISP instances for federated threat intelligence exchange, as stated in the module integration documentation.
  • GraphQL (June 2018 specification): All enrichment queries and mutations (domain intel, IP intel, passive DNS, WHOIS, URL scanning, batch IOC enrichment) are exposed exclusively through a typed GraphQL schema requiring authenticated sessions.
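An added example (written for this page, not the feed's own code) of the indicator normalisation the Open Standards list implies before any lookup is issued: branching on IP version with the standard library, matching CVE identifiers, and parsing a CVSS v3 vector string into its base metrics so that it can be stored beside the 0-10 score. The `lookup` routing names, the record layout and the CVE identifier used in the sample (`CVE-2099-00001`, a constructed placeholder, not a real advisory) are assumptions.

```python
import re
import ipaddress
from urllib.parse import urlparse

# CVE-YYYY-NNNN with four or more sequence digits, as MITRE assigns them.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
# Hostname syntax: 1-63 char labels, no leading/trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$",
    re.IGNORECASE,
)
# CVSS v3 base metrics that every vector string must carry.
CVSS3_BASE_METRICS = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}


def classify(indicator: str) -> dict:
    """Route a raw string to the lookup type it belongs to (lookup names are assumptions)."""
    s = indicator.strip()
    try:
        ip = ipaddress.ip_address(s)               # raises ValueError for non-IPs
        return {"type": f"ipv{ip.version}", "value": str(ip),
                "lookup": "ip_intel", "private": ip.is_private}
    except ValueError:
        pass
    if CVE_RE.match(s):
        return {"type": "cve", "value": s.upper(), "lookup": "vulnerability"}
    if "://" in s:
        u = urlparse(s)
        if u.scheme in ("http", "https") and u.hostname:
            return {"type": "url", "value": s, "host": u.hostname, "lookup": "url_scan"}
    d = s.rstrip(".")
    if DOMAIN_RE.match(d):
        return {"type": "domain", "value": d.lower(), "lookup": "domain_intel"}
    return {"type": "unknown", "value": s, "lookup": None}


def parse_cvss3_vector(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into a metric map; rejects missing base metrics."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError("not a CVSS v3 vector")
    metrics = {}
    for p in parts[1:]:
        key, _, val = p.partition(":")
        if not val:
            raise ValueError(f"malformed metric {p!r}")
        metrics[key] = val
    missing = CVSS3_BASE_METRICS - metrics.keys()
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    return {"version": parts[0].split(":")[1], **metrics}


def vulnerability_indicator(cve_id: str, score: float, vector: str) -> dict:
    """Build the cve_id + CVSS score + vector record the Open Standards list describes."""
    if not CVE_RE.match(cve_id):
        raise ValueError(f"bad CVE id {cve_id!r}")
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS score must lie in 0-10")
    return {"cve_id": cve_id.upper(), "cvss_score": float(score),
            "cvss_vector": parse_cvss3_vector(vector)}


if __name__ == "__main__":
    for raw in ["203.0.113.17", "2001:db8::1", "ExampleBank.com.",
                "https://examplebank-secure.com/login", "cve-2099-00001", "??"]:
        print(classify(raw))
```

Validating the indicator before it reaches the typed GraphQL layer keeps malformed strings from being stored as if they were enrichable, and the IP branch is where the IPv4/IPv6 split described above actually happens.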

Last Reviewed: 2026-02-05 | Last Updated: 2026-04-14

Key Features#

Domain Intelligence#

Risk scoring on a 0-10 scale for assessed domains with category classification, resolution data, and popularity ranking. Identify malicious, phishing, and command-and-control domains during investigations. Category classifications include malware distribution, phishing, botnet C2, spam, and newly registered domains that warrant closer scrutiny.

IP Risk Scoring#

Assess IP address reputation with risk categorisation, geolocation data, ASN information, and historical threat activity. Identify IP addresses associated with known threat actors, botnets, or malicious infrastructure within the context of an active investigation.

Passive DNS History#

Historical DNS resolution data showing how domains and IP addresses have been associated over time. Trace infrastructure changes, identify domain parking patterns, and discover related malicious domains that share hosting or registration characteristics with a known malicious indicator.

URL Scanning#

On-demand and automated scanning of URLs for malicious content, phishing indicators, and malware delivery. Risk assessment includes detailed scan results covering page content analysis and redirect chain examination.

WHOIS Data#

Registration information for domains including registrant details, registration dates, nameservers, and registrar information. Historical WHOIS data supports investigation of domain ownership changes over time and identification of registration patterns associated with specific threat actors.

Threat Categorisation#

Automated classification of observed indicators into threat categories, including malware distribution, phishing, command-and-control, spam, and other threat types, so that investigation response can be prioritised.

Use Cases#

  • Cyber Investigation Enrichment: Automatically enrich domains, IPs, and URLs encountered during investigations with threat intelligence scoring and categorisation to accelerate analyst triage.
  • Phishing Investigation: Assess suspicious URLs and domains for phishing indicators, registration anomalies, and associations with known threat infrastructure.
  • Infrastructure Mapping: Use passive DNS and WHOIS data to map threat actor infrastructure and identify related malicious domains and IP addresses that extend the investigative picture.
  • Proactive Threat Hunting: Monitor domains and IP addresses for changes in threat categorisation that may indicate compromise or emerging threats relevant to protected organisations.
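The passive DNS pivot behind the Passive DNS History feature and the Infrastructure Mapping use case, as an added example (not the platform's or Cloudflare's code): constructed resolution records, a breadth-first walk from a seed domain through the addresses it resolved to and back to the other names on those addresses, a hub threshold that refuses to pivot through shared-hosting IPs so the result is not flooded with unrelated tenants, and a per-name timeline for tracing how infrastructure moved. The record fields, the sample data and the threshold value are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

HUB_THRESHOLD = 20   # assumption: an IP with more names than this is shared hosting/CDN


@dataclass(frozen=True)
class PdnsRecord:
    """One passive DNS observation (field names are assumptions, not the feed's schema)."""
    rrname: str
    rrtype: str
    rdata: str
    first_seen: date
    last_seen: date


# Constructed records: a phishing kit on 203.0.113.17, an older kit panel reached through
# 203.0.113.40, and a shared host (198.51.100.9) the seed moved to after the campaign.
PDNS = [
    PdnsRecord("examplebnak.com", "A", "203.0.113.17", date(2026, 1, 26), date(2026, 2, 1)),
    PdnsRecord("examplebnak.com", "A", "198.51.100.9", date(2026, 2, 2), date(2026, 2, 4)),
    PdnsRecord("examplebnak.com", "MX", "mail.examplebnak.com", date(2026, 1, 26), date(2026, 2, 1)),
    PdnsRecord("exampIebank.com", "A", "203.0.113.17", date(2026, 1, 26), date(2026, 2, 1)),
    PdnsRecord("secure-login-examplebank.com", "A", "203.0.113.17", date(2025, 12, 1), date(2026, 1, 10)),
    PdnsRecord("old-campaign-kit.net", "A", "203.0.113.17", date(2025, 6, 1), date(2025, 8, 1)),
    PdnsRecord("old-campaign-kit.net", "A", "203.0.113.40", date(2025, 8, 2), date(2025, 9, 1)),
    PdnsRecord("kit-panel.net", "A", "203.0.113.40", date(2025, 8, 2), date(2025, 10, 1)),
] + [
    PdnsRecord(f"tenant{i}.example", "A", "198.51.100.9", date(2025, 1, 1), date(2026, 2, 4))
    for i in range(25)
]


def build_index(records):
    """Forward (name -> IPs) and reverse (IP -> names) maps over address records only."""
    by_name, by_ip = defaultdict(set), defaultdict(set)
    for r in records:
        if r.rrtype in ("A", "AAAA"):
            by_name[r.rrname].add(r.rdata)
            by_ip[r.rdata].add(r.rrname)
    return by_name, by_ip


def pivot(seed, records, max_depth=2, hub_threshold=HUB_THRESHOLD):
    """Walk name -> IP -> name up to max_depth hops, skipping shared-hosting hubs.

    Returns (found, hubs): found maps each related name to its hop count and the IP it
    was reached through; hubs is the set of IPs too crowded to pivot through.
    """
    by_name, by_ip = build_index(records)
    found = {seed: {"depth": 0, "via": None}}
    frontier, hubs = [seed], set()
    for depth in range(1, max_depth + 1):
        nxt = []
        for name in frontier:
            for ip in sorted(by_name.get(name, ())):
                names = by_ip[ip]
                if len(names) > hub_threshold:
                    hubs.add(ip)
                    continue
                for other in sorted(names):
                    if other not in found:
                        found[other] = {"depth": depth, "via": ip}
                        nxt.append(other)
        frontier = nxt
    return found, hubs


def timeline(name, records):
    """Address changes for one name in first_seen order: how the infrastructure moved."""
    rows = [(r.first_seen, r.last_seen, r.rdata) for r in records
            if r.rrname == name and r.rrtype in ("A", "AAAA")]
    return sorted(rows)


def overlaps(a: PdnsRecord, b: PdnsRecord) -> bool:
    """True when two observation windows overlap, i.e. the names were live together."""
    return a.first_seen <= b.last_seen and b.first_seen <= a.last_seen


if __name__ == "__main__":
    found, hubs = pivot("examplebnak.com", PDNS)
    for n, info in sorted(found.items(), key=lambda kv: kv[1]["depth"]):
        print(f"{info['depth']}  {n:<32} via {info['via']}")
    print("skipped hubs:", sorted(hubs))
    for first, last, ip in timeline("examplebnak.com", PDNS):
        print(f"{first} .. {last}  {ip}")
```

The hub threshold is the check that separates a useful pivot from noise: without it the seed's brief stay on the shared host would pull twenty-five unrelated tenants into the investigation. Pairing `overlaps` with the depth-1 results is how an analyst distinguishes domains that were live on the kit's IP at the same time from earlier occupants that merely share the address.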

Integration#

Enrichment data integrates with investigation workflows, alert triage, and threat analysis platforms. API access enables automated enrichment of indicators encountered across the platform. Connects with MISP for indicator sharing, TheHive for case enrichment, and IP Address Intelligence for comprehensive network infrastructure analysis.
