SECOPS
Session-Token Replay Detector with Auto-Block
Monitors Axiom for the same session token or cookie appearing from multiple IPs or device fingerprints, confirms it's a likely session hijack.
How it runs
The automated pipeline, trigger to output.
- TriggerAxiom streams active session eventsAxiom
- LogicFlag token seen from divergent IPs/fingerprints
- ActionIdentify attacker IPs vs legitimate origin
- ActionBlock or challenge attacker IPs at CloudflareCloudflare
- ActionFile evidence packet in LinearLinear
- OutputPost containment action to SlackSlack
What it does
Catches stolen-session attacks where a valid token is replayed from an attacker's machine. When one session ID surfaces from incompatible IPs or fingerprints simultaneously, the flow treats it as hijack, blocks the bad source at the edge, and documents the event.
When to use it
Use when session theft (via malware or proxy phishing) is in your threat model and you want containment in seconds, not after manual review. Requires session/token IDs in your Axiom auth events and a Cloudflare zone in front of the app.
How it works
- 1Axiom streams active session events as they arrive.
- 2The flow indexes events by session token and tracks the set of IPs and device fingerprints per token.
- 3A logic step flags any token seen concurrently from divergent sources, filtering known cases like mobile network handoff.
- 4On a confirmed replay it identifies the attacker-side IPs versus the legitimate origin.
- 5It pushes a block (or managed challenge) for those IPs via Cloudflare and notes the legitimate session to preserve.
- 6It opens a Linear issue with the full evidence packet and posts the containment action to Slack.
Set it up
What you configure once, before turning it on.
- 1Connect AxiomLog streams, queries, dashboards.
- 2Connect CloudflareWorkers, Pages, R2, KV — the edge stack.
- 3Connect LinearIssues, projects, cycles, triage.
- 4Connect SlackChannels, DMs, threads, mentions.
- 5Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
- 6Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
- 7Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Compile a weekly WAF tuning review with trends to Confluence
Every week an agent rolls up Cloudflare WAF block clusters by rule and ASN, compares them to prior weeks for trend direction.
Sensitive Dropbox Link Owner Remediation Loop
When a newly created Dropbox shared link points to a sensitive file, this workflow DMs the file owner, gives them a deadline to justify or revoke it.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
Page on-call when a WAF rule mass-blocks legitimate traffic
On demand or every few minutes, it detects a single Cloudflare WAF rule suddenly blocking a broad spread of ASNs and paths (a likely false-positive storm).
PII Content Scan on New Dropbox External Share
When a file gets an external Dropbox link, it reads the file content, uses an AI classifier to detect PII or secrets.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.
Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.