IT OPS
Cloudflare WAF Block-Spike Auto Rollback
Watches Axiom for a sudden surge in WAF-blocked legitimate traffic after a rule change and automatically rolls the ruleset back to its last known-good version, then pages on-call.
How it runs
The automated pipeline, trigger to output.
- TriggerRun every 2 minutes post-deploy
- ActionQuery Axiom for WAF block rate vs baselineAxiom
- LogicDetect block spike on recent deploy
- ActionRoll Cloudflare ruleset to last known-good versionCloudflare
- ActionPage on-call via PagerDutyPagerDuty
- OutputPost rollback summary to incident channelSlack
What it does
This workflow detects when a freshly deployed WAF rule starts blocking far more requests than baseline — a classic sign of a false-positive rule — and reverts to the previous ruleset version automatically before customers feel sustained pain.
When to use it
Run it whenever you ship WAF rules frequently and a bad expression could silently block real users. It turns a multi-minute incident into an automated revert with an audit note.
How it works
- 1A schedule fires every two minutes after any recent ruleset deploy.
- 2An Axiom query pulls WAF block counts for the affected zone over the last interval versus a rolling baseline.
- 3A logic step checks whether blocked-request rate exceeds the spike threshold and the deploy is recent.
- 4If tripped, the workflow calls Cloudflare to repoint the ruleset to the last known-good version ID.
- 5PagerDuty is triggered with the zone, rule, and block metrics for on-call awareness.
- 6A summary of the rollback and the trigger metrics is posted to the incident Slack channel.
Set it up
What you configure once, before turning it on.
- 1Connect AxiomLog streams, queries, dashboards.
- 2Connect CloudflareWorkers, Pages, R2, KV — the edge stack.
- 3Connect PagerDutyIncidents, on-call, escalations.
- 4Connect SlackChannels, DMs, threads, mentions.
- 5Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
- 6Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
- 7Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.
More IT Ops workflows
Daily Building Anomaly Digest to MS Teams
Each morning queries BigQuery for the prior day's flagged sensor anomalies, summarizes them by site and system into a ranked briefing.
Indoor Air Quality Breach to Tenant Notice and Work Order
Listens for CO2, VOC, or humidity sensor alerts via webhook, and when a zone exceeds occupant-safety limits it emails affected tenants, opens a Monday remediation task.
Self-Service Reclaim Email for Idle Users
Detects users idle in a SaaS app past the threshold and emails each one a keep-or-release link; unanswered seats after the deadline are auto-flagged for removal.
Outlook Room Conflict Resolver with Approval Gate in Teams
When an Outlook room clashes, proposes a rebooking and asks the bumped meeting's organizer to approve the move in Microsoft Teams before any change is made.
Outlook Room Double-Booking Resolver with Auto-Rebook
Detects when two meetings claim the same Outlook room resource and automatically relocates the lower-priority meeting to a comparable free room.
Monthly Wasted-License Cost Report
Aggregates inactive-seat data across all tracked SaaS apps each month, computes total reclaimable spend, and delivers a ranked cost report to leadership in Notion and Slack.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.
Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.