Cloudflare WAF false-positive tuner with human approval
An agent clusters recent Cloudflare WAF blocks that look like false positives and drafts a scoped skip rule for each cluster.
How it runs
The automated pipeline, trigger to output.
- Trigger: Schedule fires every few hours
- Action: Fetch blocked WAF firewall events (Cloudflare)
- Logic: Cluster blocks and score false-positive likelihood
- Action: Draft scoped skip rule per benign cluster
- Output: Post proposals to Slack for approval (Slack)
- Action: Stage approved rule as disabled in Cloudflare (Cloudflare)
What it does
Reads recent Cloudflare WAF firewall events, groups the blocks that share a managed-rule ID, path, and request shape, and judges which clusters most likely represent legitimate traffic caught by mistake. For each suspicious cluster it writes a narrowly scoped skip rule and routes it to your team for sign-off — nothing changes in Cloudflare without a human clicking approve.
When to use it
When a recently tightened WAF ruleset starts blocking real users or partner integrations and your inbox fills with "site is broken" reports. Run it on a schedule so noisy false positives surface as ready-to-review fixes instead of ad-hoc firefighting.
How it works
1. A schedule fires the run every few hours.
2. The agent pulls firewall events from the Cloudflare API and filters to blocked requests.
3. It clusters blocks by rule ID, host, path pattern, and source ASN, then reasons about which clusters are benign (known integrations, internal tooling, malformed-but-harmless calls).
4. For each candidate it drafts a tightly scoped skip expression with a plain-English rationale.
5. It posts each proposal to Slack with Approve / Reject actions; only on approval does it stage the rule in Cloudflare as disabled, ready for an operator to enable.
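The clustering and drafting steps above, sketched as an added example (not the product's own code); judging which clusters are benign stays with the agent and the human approver. The event field names, the `min_events` threshold, the "at least two literal path segments" rule and all helper names are assumptions; the expression uses the Cloudflare Rules language fields `http.host`, `http.request.uri.path`, `ip.src.asnum` and the `starts_with()` function.

```python
import re
from collections import defaultdict

# Constructed sample events. Field names are hypothetical, not Cloudflare's API schema.
EVENTS = [
    {"action": "block", "rule_id": "RULE_A", "host": "api.example.com", "asn": 64500, "path": "/v1/orders/1001/export"},
    {"action": "block", "rule_id": "RULE_A", "host": "api.example.com", "asn": 64500, "path": "/v1/orders/1002/export"},
    {"action": "block", "rule_id": "RULE_A", "host": "api.example.com", "asn": 64500, "path": "/v1/orders/1003/export"},
    {"action": "block", "rule_id": "RULE_B", "host": "www.example.com", "asn": 64511, "path": "/77/login"},
    {"action": "log", "rule_id": "RULE_A", "host": "api.example.com", "asn": 64500, "path": "/v1/orders/1004/export"},
]
ID_SEGMENT = re.compile(r"\d+|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def path_pattern(path):
    """Replace numeric and UUID segments with '*' so similar URLs share a key."""
    return "/".join("*" if ID_SEGMENT.fullmatch(s) else s for s in path.split("/"))

def cluster_blocks(events):
    """Group blocked requests by (rule ID, host, path pattern, source ASN)."""
    clusters = defaultdict(list)
    for e in events:
        if e["action"] == "block":
            clusters[(e["rule_id"], e["host"], path_pattern(e["path"]), e["asn"])].append(e)
    return dict(clusters)

def quote(value):
    """Escape a value for a double-quoted string literal in the expression."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def draft_skip(key, events, min_events=3):
    """Return a disabled skip proposal, or None if the cluster is too small or too broad."""
    rule_id, host, pattern, asn = key
    prefix = pattern.split("*", 1)[0]  # literal part before the first wildcard
    too_broad = "*" in pattern and prefix.count("/") < 3  # fewer than two literal segments
    if len(events) < min_events or too_broad:
        return None
    if "*" in pattern:  # prefix match is wider than the pattern; reviewers should see that
        path_cond = f"starts_with(http.request.uri.path, {quote(prefix)})"
    else:
        path_cond = f"http.request.uri.path eq {quote(pattern)}"
    expr = f"(http.host eq {quote(host)} and {path_cond} and ip.src.asnum eq {asn})"
    return {"expression": expr, "skip_rule_id": rule_id, "enabled": False,
            "rationale": f"{len(events)} blocks by {rule_id} on {host}{pattern} from AS{asn}"}

def proposals(events):
    """Draft one proposal per cluster that passes the size and scope checks."""
    drafts = [draft_skip(k, v) for k, v in cluster_blocks(events).items()]
    return [d for d in drafts if d]
```

Each proposal names the single managed rule to skip and carries `enabled: False`, matching the page's flow where an approved rule is staged disabled.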
Set it up
What you configure once, before turning it on.
1. Connect Cloudflare: Workers, Pages, R2, KV (the edge stack).
2. Connect Slack: channels, DMs, threads, mentions.
3. Set each agent's model: we leave models unset so you pick the tier, fast + cheap or top-quality.
4. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
5. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
