[Gateway] Global indicator feeds (#16514)

Author: maxvp

public/_redirects

@@ -913,6 +913,10 @@
 /rules/url-forwarding/single-redirects/examples/ /rules/url-forwarding/examples/ 301
 /rules/url-forwarding/dynamic-redirects/parameters/ /rules/url-forwarding/single-redirects/settings/ 301
 
+# security center
+/security-center/indicator-feeds/getting-started/ /security-center/indicator-feeds/ 301
+/security-center/indicator-feeds/get-started/ /security-center/indicator-feeds/ 301
+
 # spectrum
 /spectrum/getting-started/ /spectrum/get-started/ 301
 /spectrum/getting-started/byoip/ /spectrum/about/byoip/ 301

src/assets/images/security-center/gateway-indicator-feed.png

@@ -5,15 +5,19 @@ productLink: "/cloudflare-one/policies/gateway/"
 productArea: Cloudflare One
 productAreaLink: /cloudflare-one/changelog/
 entries:
-- publish_date: '2024-07-14'
-  title: Gateway DNS filter non-authenticated queries
-  description: |-
-    Gateway users can now select which endpoints to use for a given DNS location. Available endpoints include IPv4, IPv6, DNS over HTTPS (DoH), and DNS over TLS (DoT). Users can protect each configured endpoint by specifying allowed source networks. Additionally, for the DoH endpoint, users can filter  traffic based on source networks and/or authenticate user identity tokens.
-- publish_date: '2024-06-25'
-  title: Gateway DNS policy setting to ignore CNAME category matches
-  description: |-
-    Gateway now offers the ability to selectively ignore CNAME domain categories in DNS policies via the [**Ignore CNAME domain categories** setting](/cloudflare-one/policies/gateway/domain-categories/#ignore-cname-domain-categories) in the policy builder and the [`ignore_cname_category_matches` setting](/api/operations/zero-trust-gateway-rules-create-zero-trust-gateway-rule) in the API.
-- publish_date: '2024-04-05'
-  title: Gateway file type control improvements
-  description: |-
-    Gateway now offers a more extensive, categorized [list of files](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-file-types) to control uploads and downloads.
+  - publish_date: "2024-07-30"
+    title: UK NCSC indicator feed publicly available in Gateway
+    description: |-
+      Gateway users on any plan can now use the [PDNS threat intelligence feed](/security-center/indicator-feeds/#publicly-available-feeds) provided by the UK National Cyber Security Centre (NCSC) in DNS policies.
+  - publish_date: "2024-07-14"
+    title: Gateway DNS filter non-authenticated queries
+    description: |-
+      Gateway users can now select which endpoints to use for a given DNS location. Available endpoints include IPv4, IPv6, DNS over HTTPS (DoH), and DNS over TLS (DoT). Users can protect each configured endpoint by specifying allowed source networks. Additionally, for the DoH endpoint, users can filter  traffic based on source networks and/or authenticate user identity tokens.
+  - publish_date: "2024-06-25"
+    title: Gateway DNS policy setting to ignore CNAME category matches
+    description: |-
+      Gateway now offers the ability to selectively ignore CNAME domain categories in DNS policies via the [**Ignore CNAME domain categories** setting](/cloudflare-one/policies/gateway/domain-categories/#ignore-cname-domain-categories) in the policy builder and the [`ignore_cname_category_matches` setting](/api/operations/zero-trust-gateway-rules-create-zero-trust-gateway-rule) in the API.
+  - publish_date: "2024-04-05"
+    title: Gateway file type control improvements
+    description: |-
+      Gateway now offers a more extensive, categorized [list of files](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-file-types) to control uploads and downloads.

src/content/changelogs/gateway.yaml

@@ -0,0 +1,55 @@
+---
+pcx_content_type: concept
+title: Custom Indicator Feeds
+sidebar:
+  order: 8
+---
+
+import { Render } from "~/components";
+
+Cloudflare's threat intelligence team crowdsources attack trends and protects users automatically, such as from zero-day vulnerabilities like the [HTTP/2 Rapid Reset attack](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/). However, in some cases, Cloudflare will partner with external entities that have their own feeds which can be shared with eligible Cloudflare users.
+
+With Custom Indicator Feeds, Cloudflare provides a threat intelligence feed based on data received from various Cyber Defense Collaboration groups. The security filtering capabilities are available to eligible public and private sector organizations.
+
+## Publicly available feeds
+
+Cloudflare provides some feeds to Gateway users without the need to establish a provider relationship.
+
+| Name                                                                                                                                      | Description                                                                                                                                                                         | Availability                              |
+| ----------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- |
+| [Treasury Early Indicator Feed](https://www.cloudflare.com/press-releases/2024/us-department-of-treasury-pnnl-finserv-threat-intel-feed/) | Threat data for financial institutions provided by the US Department of Treasury and Pacific Northwest National Laboratory (PNNL). For more information, contact your account team. | Approved financial services organizations |
+| [UK NCSC Public Threat Indicators](https://www.ncsc.gov.uk/information/pdns)                                                              | Recursive DNS service supplied by the UK National Cyber Security Centre (NCSC) to block DNS-based malware.                                                                          | All users                                 |
+
+## Get started
+
+<Render file="indicator-feeds-overview" />
+
+If your organization is interested in becoming a provider or a subscriber, contact your account team.
+
+### Create a Custom Indicator Feed
+
+Providers can create and manage a Custom Indicator Feed with the [Indicator API endpoints](/api/operations/custom-indicator-feeds-get-indicator-feeds):
+
+1. Create a feed with the [Create new indicator feed endpoint](/api/operations/custom-indicator-feeds-create-indicator-feeds). Feeds are lists of indicators.
+2. Upload data to the feed with the [Update indicator feed data endpoint](/api/operations/custom-indicator-feeds-update-indicator-feed-data). Uploaded indicator data must be in a [`.stix2`](https://oasis-open.github.io/cti-documentation/stix/intro) formatted file.
+   :::note
+   Indicator feeds use a snapshot system. To update feeds with new data, providers must upload a file containing all previous and new indicators.
+   :::
+3. Grant access to subscribers with the [Grant permission to indicator feed endpoint](/api/operations/custom-indicator-feeds-add-permission). Any administrator of the account that owns the feed must add subscribers' `account_tag`s to the feed's allowed subscribers list.
+
+### Use a feed in Gateway
+
+Once an account is granted access to a feed, it will be available to match traffic as a [selector in Gateway DNS policies](/cloudflare-one/policies/gateway/dns-policies/#indicator-feeds).
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall Policies**. Select **DNS**.
+2. To create a new DNS policy, select **Add a policy**.
+3. Name your policy.
+4. In **Traffic**, add a condition with the **Indicator Feeds** selector. If your account has been granted access to a Custom Indicator Feed, Gateway will list the feed in **Value**. For example, you can block sites that appear in a feed:
+
+   | Selector        | Operator | Value               | Action |
+   | --------------- | -------- | ------------------- | ------ |
+   | Indicator Feeds | in       | _Threat Intel Feed_ | Block  |
+
+5. Select **Create policy**.
+
+For more information on creating Gateway policies, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).

src/content/docs/security-center/indicator-feeds.mdx

@@ -1,12 +1,13 @@
 ---
 inputParameters: API_param
-
 ---
 
-import { Markdown } from "~/components"
+import { Markdown } from "~/components";
+
+Use this selector to match against custom indicator feeds.
 
-Use this selector to match against custom indicator feeds. To enable this selector, a designated third-party vendor must assign a custom indicator feed to your account.
+You can use a [publicly available indicator feed](/security-center/indicator-feeds/#publicly-available-feeds) or a custom indicator feed assigned to your account by a designated third-party vendor. For more information on indicator feeds, refer to [Custom Indicator Feeds](/security-center/indicator-feeds/).
 
-| UI name         | API example         | Evaluation phase      |
-| --------------- | ------------------- | --------------------- |
+| UI name         | API example                             | Evaluation phase      |
+| --------------- | --------------------------------------- | --------------------- |
 | Indicator Feeds | <code>{props.one}.indicator_feed</code> | Before DNS resolution |

src/content/docs/security-center/indicator-feeds/getting-started.mdx

@@ -1,11 +1,10 @@
 ---
 {}
-
 ---
 
-import { Markdown } from "~/components"
+import { Markdown } from "~/components";
 
-In the simplest terms, there are providers and subscribers of our threat intelligence data.
+Cloudflare threat intelligence data consists of a data exchange between providers and subscribers.
 
 A provider is an organization that has a set of data that they are interested in sharing with other Cloudflare organizations. Any organization can be a provider. Examples of current providers are Government Cyber Defense groups.