WAF block-spike responder from Datadog alert
When Datadog detects a sudden spike in Cloudflare WAF blocks, an agent inspects the offending rule and the blocked traffic, then decides whether the spike is an attack or a false-positive surge.
How it runs
The automated pipeline, trigger to output.
- Trigger: Datadog WAF block-rate monitor fires (Datadog)
- Action: Fetch firewall events for the alert window (Cloudflare)
- Logic: Classify attack vs. false-positive surge
- Output: Page security channel on attack (Slack)
- Output: Post draft skip rule on false-positive surge (Slack)
What it does
Triggers off a Datadog monitor that watches WAF block rate. On a spike it correlates the alert with live Cloudflare firewall events to determine root cause, then branches: real attacks page the security channel with context, while false-positive surges produce a draft skip rule for review.
When to use it
When deploys or marketing campaigns occasionally trip your WAF and you need fast triage that tells real threats apart from self-inflicted blocks — without a human staring at dashboards at 2am.
How it works
1. A Datadog WAF block-rate monitor crosses its threshold and fires a webhook into the workflow.
2. The agent queries Cloudflare for the firewall events covering the alert window.
3. It analyzes attacker diversity, payload signatures, and whether the traffic maps to known-good clients or to a single hostile source.
4. A branch decides: attack vs. false-positive surge.
5. If it's an attack, it posts an enriched incident summary to Slack with the top source IPs and rule IDs.
6. If it's a false-positive surge, it drafts a temporary, scoped skip rule and posts it to Slack for an operator to approve and stage.
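The classification branch in steps 3 to 6, written out as an added example (this is not the workflow's own code). It runs the same heuristics the page describes over a small set of constructed firewall events: share of blocks coming from a known-good client allow-list, concentration of blocks on one source IP, and rule diversity. The event field names, the `KNOWN_GOOD_AGENTS` allow-list and the Cloudflare-style skip expression syntax are assumptions for illustration; an operator still reviews the draft before anything is staged.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample events, loosely Cloudflare-shaped. Field names are an
# assumption for this example, not taken from the Cloudflare API.
ATTACK_EVENTS = [
    {"clientIP": "203.0.113.10", "ruleId": "sqli-generic",
     "clientRequestPath": "/login", "userAgent": "python-requests/2.31"}
    for _ in range(40)
] + [
    {"clientIP": "203.0.113.11", "ruleId": "xss-generic",
     "clientRequestPath": "/search", "userAgent": "curl/8.4"}
    for _ in range(8)
]

FP_EVENTS = [
    {"clientIP": f"198.51.100.{i}", "ruleId": "body-size-limit",
     "clientRequestPath": "/api/upload", "userAgent": "Acme-Deploy-Bot/1.0"}
    for i in range(1, 31)
] + [
    {"clientIP": "203.0.113.99", "ruleId": "sqli-generic",
     "clientRequestPath": "/login", "userAgent": "curl/8.4"}
    for _ in range(2)
]

# Hypothetical allow-list of first-party clients (deploy bots, crawlers you run).
KNOWN_GOOD_AGENTS = {"Acme-Deploy-Bot/1.0"}


@dataclass
class Verdict:
    label: str              # "attack" or "false_positive_surge"
    reason: str
    top_ips: list           # [(ip, count), ...] for the Slack summary
    top_rules: list         # [(rule_id, count), ...]
    draft_skip_rule: Optional[str] = None


def classify(events, known_good_agents, fp_share=0.6, single_source_share=0.5):
    """Decide attack vs. false-positive surge for one alert window."""
    if not events:
        raise ValueError("no firewall events in the alert window")
    n = len(events)
    ips = Counter(e["clientIP"] for e in events)
    rules = Counter(e["ruleId"] for e in events)
    top_ips = ips.most_common(5)
    top_rules = rules.most_common(3)
    top_rule, top_rule_count = top_rules[0]

    known_good = [e for e in events if e["userAgent"] in known_good_agents]
    kg_share = len(known_good) / n

    # Self-inflicted surge: mostly known-good clients tripping one rule.
    if kg_share >= fp_share and top_rule_count / n >= fp_share:
        hits = [e for e in known_good if e["ruleId"] == top_rule]
        path = Counter(e["clientRequestPath"] for e in hits).most_common(1)[0][0]
        agents = " ".join(f'"{a}"' for a in sorted({e["userAgent"] for e in hits}))
        # Assumed Cloudflare-style expression; scoped to the one path and the
        # allow-listed agents only, never a blanket disable of the rule.
        draft = (
            f'DRAFT (remove after the deploy window): skip rule "{top_rule}" when '
            f'(http.request.uri.path eq "{path}" and http.user_agent in {{{agents}}})'
        )
        reason = (f"{kg_share:.0%} of {n} blocks come from known-good clients "
                  f"hitting rule {top_rule}")
        return Verdict("false_positive_surge", reason, top_ips, top_rules, draft)

    # Otherwise treat as an attack; say whether it is one source or distributed.
    top_ip, top_ip_count = top_ips[0]
    if top_ip_count / n >= single_source_share:
        reason = f"single source {top_ip} accounts for {top_ip_count / n:.0%} of {n} blocks"
    else:
        reason = (f"{len(ips)} distinct sources across {len(rules)} rules, "
                  f"only {kg_share:.0%} known-good")
    return Verdict("attack", reason, top_ips, top_rules)


def slack_summary(verdict: Verdict) -> str:
    """Render the enriched message that step 5 or 6 would post."""
    lines = [f"WAF block spike: {verdict.label}", verdict.reason,
             "top sources: " + ", ".join(f"{ip} ({c})" for ip, c in verdict.top_ips),
             "top rules: " + ", ".join(f"{r} ({c})" for r, c in verdict.top_rules)]
    if verdict.draft_skip_rule:
        lines.append(verdict.draft_skip_rule)
    return "\n".join(lines)


if __name__ == "__main__":
    print(slack_summary(classify(ATTACK_EVENTS, KNOWN_GOOD_AGENTS)))
    print()
    print(slack_summary(classify(FP_EVENTS, KNOWN_GOOD_AGENTS)))
```

The two thresholds are deliberately conservative: a window only becomes a false-positive surge when both the client population and the matched rule are dominated by the allow-list, so a real attack that happens to overlap a deploy still pages the security channel.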
Set it up
What you configure once, before turning it on.
1. Connect Datadog: metrics, traces, log search.
2. Connect Cloudflare: Workers, Pages, R2, KV — the edge stack.
3. Connect Slack: channels, DMs, threads, mentions.
4. Set each agent's model: models are left unset so you pick the tier, fast and cheap or top-quality.
5. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
6. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.