WAF False-Positive Spike Detector with Auto-Rollback

Detects a sudden surge in WAF blocks against legitimate traffic right after a ruleset change, pages on-call, and rolls the offending rule back to log-only mode to stop…

Category: SecOps
Engine: sim
Difficulty: advanced
Trigger: webhook
Steps: 6
Setup: ~25 min

How it runs

The automated pipeline, trigger to output.

  • Trigger: Logpush webhook delivers WAF block events (HTTP webhook)
  • Logic: Compute per-rule block rate vs rolling baseline
  • Logic: Confirm spike is legitimate traffic, not an attack
  • Action: Page secops on-call via PagerDuty
  • Action: Flip offending rule to log-only in Cloudflare
  • Output: Record auto-rollback in Slack

What it does

Monitors the rate of Cloudflare WAF blocks and compares it against a rolling baseline. When blocks spike sharply on a specific managed rule shortly after a deploy — the classic signature of an over-aggressive rule hitting real users — it pages on-call and immediately flips that rule to log-only so traffic flows again while humans investigate.

When to use it

Use it as a safety net around WAF ruleset rollouts. When a new rule misfires at 2am, you want automatic containment and a page, not a morning full of angry tickets.

How it works

  1. A webhook from your Cloudflare logpush pipeline delivers near-real-time block events.
  2. Logic computes blocks-per-minute per rule and flags any rule exceeding its baseline by the configured multiplier.
  3. A branch confirms the spike correlates with recent legitimate-looking traffic, not an actual attack.
  4. PagerDuty fires an incident to the secops on-call rotation with the rule ID and sample requests.
  5. The workflow sets the offending rule to log-only in Cloudflare to halt blocking immediately.
  6. A Slack note records the auto-rollback and links the incident.
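Steps 2 and 3 are where the workflow can go wrong in both directions: a threshold set too low turns every traffic bump into a rollback, and a plausibility check that is too loose disables a rule that is correctly blocking an attack. The following is an added example, not the product's own logic, showing one way to implement the per-rule rolling-baseline detector and the legitimacy branch over constructed sample events. The rule IDs, addresses, paths and the two heuristics (no single client dominates the blocks, and the blocked paths are diverse) are assumptions made for the example; the Cloudflare, PagerDuty and Slack calls themselves are left out and represented by the returned decision.

```python
from collections import Counter, defaultdict
from statistics import median

# Added example: per-rule WAF block-rate spike detection against a rolling
# baseline, plus a plausibility check before any auto-rollback decision.
# Not the product's own code. Rule IDs, addresses and paths are constructed.


def build_sample_events():
    """Constructed WAF block events as (minute, rule_id, client_ip, path, user_agent)."""
    events = []
    browser_ua = "Mozilla/5.0 (constructed sample UA)"
    script_ua = "python-requests/2.x (constructed sample UA)"
    # Baseline, minutes 0..9: each rule blocks about 2 requests/min from scattered clients.
    for m in range(10):
        for i in range(2):
            events.append((m, "RULE_A_ASSUMED", f"198.51.100.{(m * 2 + i) % 250}",
                           f"/search?q={m}{i}", browser_ua))
            events.append((m, "RULE_B_ASSUMED", f"203.0.113.{(m * 2 + i) % 250}",
                           "/wp-login.php", script_ua))
    # Minute 10, right after a ruleset deploy: rule A misfires on real users
    # (60 blocks, 60 distinct clients, 60 distinct paths).
    for i in range(60):
        events.append((10, "RULE_A_ASSUMED", f"192.0.2.{i}", f"/account/orders/{i}", browser_ua))
    # Minute 10: rule B also spikes, but from two clients hammering one login path.
    # That is attack traffic the rule is correctly blocking, not a false positive.
    for i in range(60):
        events.append((10, "RULE_B_ASSUMED", f"203.0.113.{i % 2}", "/wp-login.php", script_ua))
    return events


def blocks_per_minute(events):
    """Return {rule_id: [blocks in minute 0, minute 1, ...]} covering every minute seen."""
    last_minute = max(minute for minute, *_ in events)
    series = defaultdict(lambda: [0] * (last_minute + 1))
    for minute, rule_id, *_ in events:
        series[rule_id][minute] += 1
    return dict(series)


def rolling_baseline(counts, minute, window=10):
    """Median blocks/min over the `window` minutes before `minute` (current minute excluded).
    The median is used so a single earlier burst does not inflate the baseline."""
    prior = counts[max(0, minute - window):minute]
    return float(median(prior)) if prior else 0.0


def detect_spikes(events, minute, window=10, multiplier=5.0, min_blocks=20):
    """Flag rules whose block count in `minute` exceeds multiplier x rolling baseline.
    `min_blocks` keeps a rule that goes from 0 to 3 blocks from counting as a spike."""
    flagged = {}
    for rule_id, counts in blocks_per_minute(events).items():
        current = counts[minute]
        baseline = rolling_baseline(counts, minute, window)
        if current >= min_blocks and current > multiplier * max(baseline, 1.0):
            flagged[rule_id] = (current, baseline)
    return flagged


def looks_like_legitimate_traffic(blocked, max_single_client_share=0.2, min_path_diversity=0.5):
    """Assumed heuristics for the legitimacy branch: a false-positive spike hits many
    unrelated clients on many different paths, while an attack concentrates on a few
    clients and/or a few paths. Both thresholds are tuning knobs, not fixed values."""
    if not blocked:
        return False
    client_counts = Counter(ip for _, _, ip, _, _ in blocked)
    top_client_share = client_counts.most_common(1)[0][1] / len(blocked)
    path_diversity = len({path for _, _, _, path, _ in blocked}) / len(blocked)
    return top_client_share <= max_single_client_share and path_diversity >= min_path_diversity


def decide(events, minute, deploy_minute, rollout_window=15, **detector_kwargs):
    """Combine the detector and the legitimacy branch into a per-rule decision.
    Auto-rollback (log-only) is only proposed when the spike follows a ruleset deploy
    and the blocked traffic looks legitimate; everything else is left to normal alerting."""
    decisions = {}
    for rule_id, (current, baseline) in detect_spikes(events, minute, **detector_kwargs).items():
        blocked = [e for e in events if e[0] == minute and e[1] == rule_id]
        after_deploy = 0 <= minute - deploy_minute <= rollout_window
        legit = looks_like_legitimate_traffic(blocked)
        if after_deploy and legit:
            reason = "spike follows ruleset deploy and hits diverse clients and paths"
        elif not after_deploy:
            reason = "spike is outside the rollout window of the last ruleset deploy"
        else:
            reason = "spike is concentrated on few clients or paths; treat as attack traffic"
        decisions[rule_id] = {
            "blocks_per_min": current,
            "baseline": baseline,
            "page_oncall": after_deploy and legit,
            "set_log_only": after_deploy and legit,
            "reason": reason,
            # A few blocked requests to attach to the page, as step 4 describes.
            "sample_requests": [(ip, path) for _, _, ip, path, _ in blocked[:3]],
        }
    return decisions


if __name__ == "__main__":
    for rule_id, decision in decide(build_sample_events(), minute=10, deploy_minute=9).items():
        print(rule_id, decision)
```

Run against the constructed events, both rules exceed five times their baseline of 2 blocks/min at minute 10, but only RULE_A_ASSUMED gets a rollback decision: its blocks are spread over 60 clients and 60 paths, while RULE_B_ASSUMED's blocks come from two clients on a single login path. Moving the deploy outside the rollout window suppresses the rollback for RULE_A_ASSUMED as well, which is the safeguard that stops a traffic spike unrelated to any ruleset change from disabling a rule.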

Set it up

What you configure once, before turning it on.

  1. Connect Cloudflare: Workers, Pages, R2, KV, the edge stack.
  2. Connect PagerDuty: incidents, on-call, escalations.
  3. Connect Slack: channels, DMs, threads, mentions.
  4. Connect HTTP webhook: trigger any URL on agent actions.
  5. Set each agent's model: we leave models unset so you pick the tier, fast and cheap or top-quality.
  6. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
  7. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.

Run this workflow in your colony.

14-day trial. No DevOps. No Sales call. Provisioned in under a minute.