SECOPS

Daily WAF Anomaly Digest with BigQuery Trend Analysis

Each morning this workflow rolls up the prior day's Cloudflare WAF block spikes, joins them against Sentry error trends in BigQuery.

CategorySecOps

Enginesim

Difficultyintermediate

Triggerschedule

Steps6

Setup~15 min

How it runs

The automated pipeline, trigger to output.

TriggerDaily schedule starts the digest run
ActionExport prior-day Cloudflare WAF block eventsCloudflare
ActionLoad to BigQuery and join with Sentry error countsBigQuery
LogicScore and rank rules by false-positive-to-threat ratio
ActionRender ranked digest of rules needing tuningSentry
OutputEmail the digest to the security listGmail

What it does

Produces a once-a-day rollup of WAF behavior. It loads the prior day's Cloudflare block events into BigQuery, joins them against stored Sentry error trends, and ranks each rule by how much of its blocking looks like noise versus genuine threats. The output is an emailed digest telling you which rules to tune, which are working, and where attacks concentrated.

When to use it

Use it for steady-state hygiene rather than real-time paging. It gives security and platform teams a daily, data-backed view of which WAF rules are over-blocking and trending so tuning is prioritized by impact.

How it works

1A daily schedule kicks off the digest run.
2An action exports the prior day's Cloudflare WAF block events.
3An action loads those events into BigQuery and joins them to stored Sentry error counts by path and time.
4A logic step scores each rule on its false-positive-to-threat ratio and ranks them.
5An action renders a ranked digest of rules needing attention.
6An action emails the digest to the security distribution list.

Set it up

What you configure once, before turning it on.

1
Connect CloudflareWorkers, Pages, R2, KV — the edge stack.
2
Connect BigQueryDatasets, queries, schemas.
3
Connect SentryErrors, performance, releases.
4
Connect GmailRead, draft, send, label.
5
Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
6
Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
7
Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.

More SecOps workflows

Compile a weekly WAF tuning review with trends to Confluence

Every week an agent rolls up Cloudflare WAF block clusters by rule and ASN, compares them to prior weeks for trend direction.

Sensitive Dropbox Link Owner Remediation Loop

When a newly created Dropbox shared link points to a sensitive file, this workflow DMs the file owner, gives them a deadline to justify or revoke it.

Post-Revocation Verification and Audit Logging

After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.

Exposed-Secret Incident Triage and Remediation Agent

An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.

Page on-call when a WAF rule mass-blocks legitimate traffic

On demand or every few minutes, it detects a single Cloudflare WAF rule suddenly blocking a broad spread of ASNs and paths (a likely false-positive storm).

PII Content Scan on New Dropbox External Share

When a file gets an external Dropbox link, it reads the file content, uses an AI classifier to detect PII or secrets.

Browse all SecOps →

Run it inside a business

This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

Software

Agent Hive runs Agent Hive

The team that built Agent Hive, exactly as it runs today.

Software

SaaS Operator (Pre-PMF)

Talk to users, ship features, kill what doesn't land.

Software

AI Tools Startup

Ship an AI tool, distribute on every channel, watch the unit economics.

Browse all business templates →Solutions by industry →

Run this workflow in your colony.

14-day trial. No DevOps. No Sales call. Provisioned in under a minute.

Join the Waitlist Browse all workflows →