[WAF] Add threat intelligence detection docs

[hsaxenaCF]

Summary

New documentation section at /waf/detections/threat-intelligence/ for the threat intelligence WAF detection (SHIP-11629). Four pages:

• Overview (index.mdx) — what the detection does, data freshness (seven-day window), availability (Cloudforce One subscription)
• Get started (get-started.mdx) — create a rule in Log mode, review matches in Security Analytics, switch to Block/Challenge, optional Saved Views export
• Available fields (fields.mdx) — five cf.intel.ip.* fields, case sensitivity, union/flattened matching behavior, analytics gap (rule fields vs logged fields)
• Example rules (example-rules.mdx) — six recipes covering Log, Block, Challenge, rate limiting, and combining with attack score

Documentation checklist

• Is there a changelog entry? Separate PR: see the companion changelog PR.
• The change adheres to the documentation style guide.
• If a larger change — an issue has been opened. N/A — new section for a new feature.
• Files which have changed name or location have redirects. N/A — all new files.

[cloudflare-docs-bot]

Review

✅ No style-guide issues found in commit 0349b6a.

Commands

Only codeowners can run commands. Post a comment with the command to trigger it.

Command	Description
/review	Runs a review now. Incremental if a prior review exists, full if not.
/full-review	Re-reviews the entire PR diff from scratch, ignoring incremental history. Useful after a rebase, when you want a fresh review, or if the bot gets out of sync and reports issues that no longer exist.

[github-actions]

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern	Owners
/src/content/docs/waf/	@pedrosousa, @cloudflare/firewall, @cloudflare/appsec-reviewers, @elithrar, @cloudflare/product-owners, @hsaxenaCF

[ask-bonk]

Reviewed. Applied product:waf, content:new, and triage labels. One high-severity issue and one minor style item need attention.

[ask-bonk]

Reviewed PR #31205 and posted two inline comments.

Labels applied: product:waf, content:new, triage

Issues found:

• HIGH — get-started.mdx line 53: The curl example uses PUT /zones/{zone_id}/rulesets/phases/http_request_firewall_custom/entrypoint, which replaces all existing custom rules with a single rule. This is risky for a get-started guide. I recommended linking to Create a custom rule via API instead, which is consistent with other WAF detection get-started pages.

• LOW — index.mdx line 15: Uses time-bound wording ("Today,") which the style guide advises avoiding. Posted a suggestion to remove it.

The frontmatter, component imports, link formatting, and structure are otherwise consistent with existing WAF detection docs.

github run

[github-actions]

Preview URL: https://0349b6a0.preview.developers.cloudflare.com
Preview Branch URL: https://hsaxena-threat-intel-waf-docs.preview.developers.cloudflare.com

Files with changes (up to 15)

Original Link	Updated Link
https://developers.cloudflare.com/waf/detections/threat-intelligence/get-started/	https://hsaxena-threat-intel-waf-docs.preview.developers.cloudflare.com/waf/detections/threat-intelligence/get-started/
https://developers.cloudflare.com/waf/detections/threat-intelligence/example-rules/	https://hsaxena-threat-intel-waf-docs.preview.developers.cloudflare.com/waf/detections/threat-intelligence/example-rules/
https://developers.cloudflare.com/waf/detections/threat-intelligence/fields/	https://hsaxena-threat-intel-waf-docs.preview.developers.cloudflare.com/waf/detections/threat-intelligence/fields/
https://developers.cloudflare.com/waf/detections/threat-intelligence/	https://hsaxena-threat-intel-waf-docs.preview.developers.cloudflare.com/waf/detections/threat-intelligence/