[Security Center] Indicator Feed API procedures (#16902)

Author: maxvp

src/content/docs/security-center/indicator-feeds.mdx

@@ -28,14 +28,104 @@ If your organization is interested in becoming a provider or a subscriber, conta
 
 ### Create a Custom Indicator Feed
 
-Providers can create and manage a Custom Indicator Feed with the [Indicator API endpoints](/api/operations/custom-indicator-feeds-get-indicator-feeds):
+Providers can create and manage a Custom Indicator Feed with the [Custom Indicator Feeds API endpoints](/api/operations/custom-indicator-feeds-get-indicator-feeds):
+
+1. Contact your account team to configure your account as an indicator feed provider.
+2. Create a feed with the [Create new indicator feed endpoint](/api/operations/custom-indicator-feeds-create-indicator-feeds). Make note of the `feed_id` generated for your feed. For example:
+
+   ```bash title="Create new indicator feed"
+   curl "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/intel/indicator-feeds" \
+   	--header 'Content-Type: application/json' \
+   	--header 'X-Auth-Email: <EMAIL>' \
+   	--header 'X-Auth-Key: <API_KEY>' \
+   	--data '{
+   	"description": "Custom indicator feed to detect threats",
+   	"name": "threat_indicator_feed"
+   }'
+   ```
+
+   ```json output {3}
+   {
+   	"result": {
+   		"id": 10,
+   		"name": "threat_indicator_feed",
+   		"description": "Custom indicator feed to detect threats",
+   		"created_on": "2024-09-17T21:16:09.412Z",
+   		"modified_on": "2024-09-17T21:16:09.412Z"
+   	},
+   	"success": true,
+   	"errors": [],
+   	"messages": []
+   }
+   ```
+
+3. Upload data to the feed with the [Update indicator feed data endpoint](/api/operations/custom-indicator-feeds-update-indicator-feed-data). Uploaded indicator data must be in a [`.stix2`](https://oasis-open.github.io/cti-documentation/stix/intro) formatted file.
+
+   ```bash title="Update indicator feed data"
+   curl --request PUT \
+   	"https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/intel/indicator-feeds/<FEED_ID>/snapshot" \
+   	--header 'Content-Type: multipart/form-data' \
+   	--header 'X-Auth-Email: <EMAIL>' \
+   	--header 'X-Auth-Key: <API_KEY>' \
+   	--form 'source=@/path/to/file'
+   ```
+
+   ```json output
+   {
+   	"result": {
+   		"file_id": 1,
+   		"filename": "snapshot_file.unified",
+   		"status": "unified"
+   	},
+   	"errors": [],
+   	"messages": [],
+   	"success": true
+   }
+   ```
 
-1. Create a feed with the [Create new indicator feed endpoint](/api/operations/custom-indicator-feeds-create-indicator-feeds). Feeds are lists of indicators.
-2. Upload data to the feed with the [Update indicator feed data endpoint](/api/operations/custom-indicator-feeds-update-indicator-feed-data). Uploaded indicator data must be in a [`.stix2`](https://oasis-open.github.io/cti-documentation/stix/intro) formatted file.
    :::note
    Indicator feeds use a snapshot system. To update feeds with new data, providers must upload a file containing all previous and new indicators.
    :::
-3. Grant access to subscribers with the [Grant permission to indicator feed endpoint](/api/operations/custom-indicator-feeds-add-permission). Any administrator of the account that owns the feed must add subscribers' `account_tag`s to the feed's allowed subscribers list.
+
+4. (Optional) Verify the status of your feed upload with the [Get indicator feed data endpoint](/api/operations/custom-indicator-feeds-get-indicator-feed-data). For example:
+
+   ```bash title="Get indicator feed data"
+   curl --request GET \
+   	"https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/intel/indicator-feeds/<FEED_ID>/data" \
+   	--header 'Content-Type: application/json' \
+   	--header 'X-Auth-Email: <EMAIL>' \
+   	--header 'X-Auth-Key: <API_KEY>'
+   ```
+
+   ```json output {8}
+   {
+   	"result": {
+   		"id": 10,
+   		"name": "threat_indicator_feed",
+   		"description": "Custom indicator feed to detect threats",
+   		"created_on": "2023-08-01T18:00:26.65715Z",
+   		"modified_on": "2023-08-01T18:00:26.65715Z",
+   		"latest_upload_status": "Complete"
+   	},
+   	"success": true,
+   	"errors": [],
+   	"messages": []
+   }
+   ```
+
+5. Grant access to subscribers with the [Grant permission to indicator feed endpoint](/api/operations/custom-indicator-feeds-add-permission). You can add subscribers to the feed's allowed subscribers list using their [account IDs](/fundamentals/setup/find-account-and-zone-ids/). For example:
+
+   ```bash title="Update indicator feed data"
+   curl --request PUT \
+   	"https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/intel/indicator-feeds/<FEED_ID>/snapshot" \
+   	--header 'Content-Type: multipart/form-data' \
+   	--header 'X-Auth-Email: <EMAIL>' \
+   	--header 'X-Auth-Key: <API_KEY>' \
+   	--data '{
+   	"account_tag": "823f45f16fd2f7e21e1e054aga4d2859",
+   	"feed_id": 10
+   }'
+   ```
 
 ### Use a feed in Gateway
 

src/content/partials/security-center/indicator-feeds-overview.mdx

@@ -8,4 +8,4 @@ Cloudflare threat intelligence data consists of a data exchange between provider
 
 A provider is an organization that has a set of data that they are interested in sharing with other Cloudflare organizations. Any organization can be a provider. Examples of current providers are Government Cyber Defense groups.
 
-Subscribers can be any Cloudflare customer that wants to secure their environment further by creating rules based on provider datasets. Subscribers must be authorized by a provider. Authorization is granted using the [Indicator Feeds permissions endpoint](/api/operations/custom-indicator-feeds-add-permission).
+Subscribers can be any Cloudflare customer that wants to secure their environment further by creating rules based on provider datasets. Subscribers must be authorized by a provider. Authorization is granted using the [Grant permission to indicator feed endpoint](/api/operations/custom-indicator-feeds-add-permission).