IT OPS
Cloudflare WAF Daily Drift Audit Report
Each morning, this workflow compares the live Cloudflare WAF rulesets against the version-controlled config in Git and reports any out-of-band drift to Slack and a Notion audit log.
How it runs
The automated pipeline, trigger to output.
- Trigger: Daily morning schedule
- Action: Pull canonical rulesets from Git (GitHub)
- Action: Fetch live rulesets from Cloudflare (Cloudflare)
- Logic: Diff live vs committed and isolate drift
- Action: Post drift summary to Slack (Slack)
- Output: Append run to Notion audit log (Notion)
What it does
This workflow catches WAF rules that were changed directly in the Cloudflare dashboard instead of through your reviewed Git pipeline. It diffs live rulesets against the committed source of truth and flags every unauthorized change.
When to use it
Use it when WAF config is supposed to be managed as code but operators sometimes hotfix in the dashboard. The daily report keeps drift visible and your audit log complete.
How it works
1. A daily schedule triggers the audit each morning.
2. The workflow pulls the canonical ruleset definitions from the Git repository.
3. It fetches the currently live rulesets for each zone from Cloudflare.
4. A logic step diffs live versus committed and isolates any drifted or undocumented rules.
5. If drift is found, a formatted summary is posted to the security Slack channel.
6. Every run, including clean ones, is appended as a dated entry to a Notion audit log.
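The diff in step 4 can be sketched as follows. This is an added example, not the workflow's own code: it assumes rules are matched on a stable `ref` field, that `id`, `version` and `last_updated` are server-managed and ignored, and it runs on constructed sample rules.

```python
import json

# Fields assumed to be set by the server rather than by the Git config,
# so they are ignored when comparing (assumption; adjust to your schema).
VOLATILE = {"id", "version", "last_updated"}

def normalize(rule):
    """Drop volatile fields and serialize deterministically for comparison."""
    kept = {k: v for k, v in rule.items() if k not in VOLATILE}
    return json.dumps(kept, sort_keys=True)

def diff_rulesets(committed, live, key="ref"):
    """Return drift between committed (Git) and live rules, matched on `key`."""
    want = {r[key]: r for r in committed}
    have = {r[key]: r for r in live}
    drift = {
        "undocumented": sorted(have.keys() - want.keys()),  # live only
        "missing": sorted(want.keys() - have.keys()),       # Git only
        "modified": {},                                     # ref -> changed fields
    }
    for ref in sorted(want.keys() & have.keys()):
        w, h = want[ref], have[ref]
        if normalize(w) != normalize(h):
            drift["modified"][ref] = sorted(
                f for f in (w.keys() | h.keys()) - VOLATILE
                if w.get(f) != h.get(f))
    return drift

def has_drift(drift):
    """True when any category is non-empty; a clean run is still logged."""
    return any(drift.values())

# Constructed sample rules, not taken from any real zone.
_ADMIN = {"ref": "block-admin", "action": "block", "enabled": True,
          "expression": 'http.request.uri.path contains "/admin"'}
_BOTS = {"ref": "challenge-bots", "action": "managed_challenge",
         "enabled": True, "expression": "cf.threat_score gt 30"}
_LOGIN = {"ref": "rate-login", "action": "block", "enabled": True,
          "expression": 'http.request.uri.path eq "/login"'}
COMMITTED = [_ADMIN, _BOTS, _LOGIN]
LIVE = [
    {**_ADMIN, "id": "a1", "version": "3", "enabled": False},  # disabled out of band
    {**_BOTS, "id": "b2", "version": "1"},                     # unchanged
    {"id": "c3", "version": "1", "ref": "hotfix-allow-ip", "action": "skip",
     "enabled": True, "expression": "ip.src eq 203.0.113.7"},  # dashboard hotfix
]

if __name__ == "__main__":
    print(json.dumps(diff_rulesets(COMMITTED, LIVE), indent=2))
```

Reporting the changed field names rather than only a "modified" flag lets the Slack summary say whether a rule was disabled, re-scoped, or had its action changed.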
Set it up
What you configure once, before turning it on.
1. Connect GitHub: Repos, issues, pull requests, actions.
2. Connect Cloudflare: Workers, Pages, R2, KV (the edge stack).
3. Connect Slack: Channels, DMs, threads, mentions.
4. Connect Notion: Pages, databases, comments.
5. Set each agent's model: We leave models unset so you pick the tier: fast + cheap, or top-quality.
6. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
