Domains served from hosting providers you do not recognize can indicate unaccounted-for assets or shadow IT, so monitoring them is an effective way to find issues that should be addressed. Be aware that subdomains that CNAME to an application you do not host yourself, such as support pages or documentation, will show up as hosted on a platform other than the one you expect. We recommend reviewing the breaches a policy generates right after creating it and adjusting the policy accordingly so that it does not keep triggering on such false positives.
Finding hosting platforms
Most security professionals will know which hosting platforms their organization mandates. However, only smaller cloud-native organizations rely on a single primary hosting platform; most organizations depend on several. That can happen through mergers and acquisitions, organically when a department decides it prefers a different cloud solution than the mandated one, or because the organization is in a transition between two solutions.
Monitor deviations from the accepted list of providers
If your organization is supposed to have all assets (or a certain subscope) behind Cloudflare, a policy can be set up using the Providers column together with the operator do not contain all of or the operator do not contain any of; the two behave identically when the list of values holds a single item. Subscopes can be defined using any of the other columns, such as Monitored domain name or country. If a domain in scope is found to use something other than Cloudflare, a policy breach is created to be investigated and followed up. Note that a domain using Cloudflare alongside a second provider still contains Cloudflare and so does not match either operator; the multi-cloud policy described further down is what catches those.
If multiple providers are allowed in your organization, they can be monitored using the do not only contain operator with all accepted providers listed. If a domain is found to use anything other than those providers, a policy breach is created. This amounts to an allowlist of providers that are acceptable across the attack surface.
To keep an extra eye on a specific set of providers, use the contain any of operator and list the providers to be monitored. Every time a domain uses one of these providers, a breach is created. This amounts to a denylist.
Finding multi-cloud domains
A not uncommon misconfiguration is a domain whose records point to IP addresses hosted on different platforms. Such domains can be found by creating a policy with a filter for domains with more than one active provider. They indicate a multi-cloud setup that is worth investigating: for example, a domain that resolves both to Cloudflare and directly to an origin server lets traffic bypass whatever protection Cloudflare provides.
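The three operator-based policies above (mandated provider, allowlist, denylist) and the multi-cloud filter all reduce to set comparisons between the providers observed for a domain and the values listed in the policy. The following is an added example, not Detectify's own code, that evaluates such policies offline against a constructed inventory. The operator names mirror the ones in the text, but the predicates attached to them are my reading of those operators, and the domains, provider labels and scopes are all invented sample data.

```python
"""
Added example (not Detectify's code): an offline evaluator for
hosting-provider policies. Operator semantics are my interpretation of the
operators named in the text; all domains and providers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    domain: str
    monitored_domain: str      # the root under which the asset was discovered
    providers: frozenset       # active hosting providers observed for the domain


# Constructed inventory: hypothetical domains and provider labels.
INVENTORY = (
    Asset("www.example.com",    "example.com", frozenset({"Cloudflare"})),
    Asset("api.example.com",    "example.com", frozenset({"Cloudflare"})),
    Asset("legacy.example.com", "example.com", frozenset({"DigitalOcean"})),
    Asset("docs.example.com",   "example.com", frozenset({"GitHub"})),            # CNAME to a docs host
    Asset("shop.example.com",   "example.com", frozenset({"AWS", "Cloudflare"})),  # multi-cloud
    Asset("app.acquired.io",    "acquired.io", frozenset({"Azure"})),             # came in via M&A
)

# Operator name -> predicate over (observed providers, policy values).
# A breach is raised for every in-scope asset for which the predicate holds.
OPERATORS = {
    "contain any of":        lambda have, want: bool(have & want),
    "contain all of":        lambda have, want: want <= have,
    "do not contain any of": lambda have, want: not (have & want),
    "do not contain all of": lambda have, want: not (want <= have),
    "do not only contain":   lambda have, want: bool(have - want),   # allowlist
    "more than one":         lambda have, want: len(have) > 1,       # multi-cloud filter
}


@dataclass(frozen=True)
class Policy:
    name: str
    operator: str
    values: frozenset = frozenset()
    monitored_domains: frozenset = frozenset()   # empty means the whole attack surface
    excluded_domains: frozenset = frozenset()    # known false positives tuned out after review

    def in_scope(self, asset: Asset) -> bool:
        if asset.domain in self.excluded_domains:
            return False
        return not self.monitored_domains or asset.monitored_domain in self.monitored_domains

    def breaches(self, inventory) -> list:
        """Return the sorted list of domains that breach this policy."""
        pred = OPERATORS[self.operator]
        return sorted(a.domain for a in inventory
                      if self.in_scope(a) and pred(a.providers, self.values))


def single_value_operators_agree(inventory, provider: str) -> bool:
    """With a single value, 'do not contain any of' and 'do not contain all of' breach the same assets."""
    single = frozenset({provider})
    any_of = Policy("a", "do not contain any of", single).breaches(inventory)
    all_of = Policy("b", "do not contain all of", single).breaches(inventory)
    return any_of == all_of


if __name__ == "__main__":
    policies = [
        Policy("everything behind Cloudflare", "do not contain any of", frozenset({"Cloudflare"})),
        Policy("example.com behind Cloudflare", "do not contain any of", frozenset({"Cloudflare"}),
               monitored_domains=frozenset({"example.com"}),
               excluded_domains=frozenset({"docs.example.com"})),   # accepted CNAME to the docs host
        Policy("approved providers only", "do not only contain", frozenset({"Cloudflare", "AWS", "Azure"})),
        Policy("watch for DigitalOcean", "contain any of", frozenset({"DigitalOcean"})),
        Policy("multi-cloud domains", "more than one"),
    ]
    for p in policies:
        print(f"{p.name}: {p.breaches(INVENTORY)}")
```

Running it shows the allowlist policy and the unscoped Cloudflare policy both flagging docs.example.com, which is exactly the CNAME-to-a-third-party case the introduction warns about; the scoped policy shows one way to tune it out after review. shop.example.com contains Cloudflare and so passes the Cloudflare policy, but is caught by the multi-cloud filter.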