SECOPS
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events and builds an evidence pack of top rules and ASNs.
How it runs
The automated pipeline, trigger to output.
- Trigger: Datadog WAF anomaly monitor fires (Datadog)
- Logic: Parse alert window and affected zone
- Action: Fetch matching Cloudflare firewall events (Cloudflare)
- Logic: Rank top rules, ASNs, and sample URIs
- Output: Reply in Slack alert thread with evidence (Slack)
What it does
It listens for a Datadog anomaly monitor on Cloudflare WAF block rate. The moment the monitor trips, it reaches into Cloudflare for the firewall events covering the alert window, assembles an evidence pack (top rules, top ASNs, sample blocked URIs, country mix), and posts that enrichment straight to the Slack thread the alert opened — turning a bare "block rate is high" ping into an actionable picture.
When to use it
Use it when Datadog already owns your alerting and you want every WAF anomaly to arrive pre-investigated rather than as a number an analyst has to chase down across two consoles.
How it works
1. A Datadog monitor webhook triggers on the WAF block-rate anomaly.
2. The flow parses the alert's time window and affected zone.
3. The flow queries Cloudflare for that zone's firewall events in the window.
4. Logic ranks the offending rules and ASNs and pulls representative blocked requests.
5. Slack receives the evidence pack as a reply tied to the originating alert.
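The five steps above carried through end to end, as an added example rather than the product's own code: parse the alert, shape the Cloudflare query, rank the blocked events, and build the threaded Slack reply. The Datadog webhook payload shape, the Cloudflare field names (the firewallEventsAdaptive dataset of the GraphQL Analytics API), the sample alert and events, and the single-source heuristic are all assumptions made for this example; the HTTP calls to Cloudflare and Slack are left out so it runs offline.

```python
"""Evidence pack for a Datadog WAF block-rate anomaly, built from Cloudflare firewall events.
Added example, not the product's own code. Assumptions: the Datadog webhook body is templated
to carry the fields parse_alert() reads; rows use firewallEventsAdaptive field names from the
Cloudflare GraphQL Analytics API (verify against your schema); SAMPLE_* data is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

PAD = timedelta(minutes=2)  # widen the Cloudflare query a little past the alert bounds

def parse_alert(payload: dict) -> dict:
    """Alert id, zone and UTC window from the (assumed) webhook body; refuse if no zone tag."""
    tags = dict(t.split(":", 1) for t in payload.get("tags", []) if ":" in t)
    zone = tags.get("zone")
    if not zone:
        raise ValueError("alert has no zone:<name> tag; refusing to query every zone")
    end = datetime.fromtimestamp(int(payload["last_triggered_ts"]), tz=timezone.utc)
    start = end - timedelta(minutes=int(payload.get("window_minutes", 15)))
    return {"alert_id": str(payload["alert_id"]), "zone": zone,
            "start": start - PAD, "end": end + PAD}

# Zone and times travel as GraphQL variables, never string-interpolated into the query.
FIREWALL_EVENTS_QUERY = """
query($zoneTag: String!, $start: Time!, $end: Time!) {
  viewer { zones(filter: {zoneTag: $zoneTag}) {
    firewallEventsAdaptive(limit: 10000,
        filter: {datetime_geq: $start, datetime_leq: $end, action: "block"}) {
      datetime ruleId action clientASN clientCountryName clientRequestPath
    }
  } }
}"""

def graphql_variables(alert: dict, zone_tag: str) -> dict:
    """Variables for FIREWALL_EVENTS_QUERY; Cloudflare expects RFC 3339 UTC timestamps."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return {"zoneTag": zone_tag,
            "start": alert["start"].strftime(fmt), "end": alert["end"].strftime(fmt)}

def build_evidence(events: list, top_n: int = 3, samples: int = 3) -> dict:
    """Rank blocks by rule and ASN, keep distinct sample URIs per top rule, count countries."""
    blocked = [e for e in events if e.get("action") == "block"]
    rules = Counter(e["ruleId"] for e in blocked)
    asns = Counter(e["clientASN"] for e in blocked)
    countries = Counter(e["clientCountryName"] for e in blocked)
    uris = defaultdict(list)
    for e in blocked:
        bucket = uris[e["ruleId"]]
        if e["clientRequestPath"] not in bucket and len(bucket) < samples:
            bucket.append(e["clientRequestPath"])
    top_rules = rules.most_common(top_n)
    top_share = asns.most_common(1)[0][1] / len(blocked) if blocked else 0.0
    return {"blocked": len(blocked), "top_rules": top_rules,
            "top_asns": asns.most_common(top_n),
            "sample_uris": {rule: uris[rule] for rule, _ in top_rules},
            "country_mix": countries.most_common(top_n),
            # Heuristic added here: most blocks from one ASN reads as one source; many ASNs
            # on one rule is the shape of a false-positive storm.
            "single_source": top_share >= 0.8}

def _safe(s, limit: int = 120) -> str:
    """Paths are attacker-controlled and land in Slack mrkdwn: drop backticks and control chars."""
    return "".join(ch for ch in str(s) if ch.isprintable() and ch != "`")[:limit]

def slack_reply(alert: dict, pack: dict, channel: str, thread_ts: str) -> dict:
    """chat.postMessage body; thread_ts makes it a reply inside the alert's own thread."""
    lines = [f"*WAF evidence for alert {alert['alert_id']}* on `{_safe(alert['zone'])}`: "
             f"{pack['blocked']} blocks, {alert['start']:%H:%M}-{alert['end']:%H:%M} UTC",
             "Top rules: " + ", ".join(f"`{_safe(r)}` ({n})" for r, n in pack["top_rules"]),
             "Top ASNs: " + ", ".join(f"AS{a} ({n})" for a, n in pack["top_asns"]),
             "Countries: " + ", ".join(f"{_safe(c)} ({n})" for c, n in pack["country_mix"])]
    for rule, paths in pack["sample_uris"].items():
        lines.append(f"`{_safe(rule)}` sample URIs: " + ", ".join(f"`{_safe(p)}`" for p in paths))
    if pack["single_source"]:
        lines.append("Most blocks come from one ASN: looks like a single source, not a bad rule.")
    return {"channel": channel, "thread_ts": thread_ts, "text": "\n".join(lines)}

SAMPLE_ALERT = {  # constructed; mirrors a custom-templated Datadog webhook body
    "alert_id": "123456", "last_triggered_ts": 1700000000, "window_minutes": 15,
    "tags": ["env:prod", "zone:example.com"]}

def _ev(rule, action, asn, country, path):  # one constructed firewallEventsAdaptive row
    return {"datetime": "2023-11-14T22:10:00Z", "ruleId": rule, "action": action,
            "clientASN": asn, "clientCountryName": country, "clientRequestPath": path}

SAMPLE_EVENTS = [
    _ev("100015", "block", 64496, "US", "/wp-login.php"),
    _ev("100015", "block", 64496, "US", "/wp-login.php"),
    _ev("100015", "block", 64496, "US", "/xmlrpc.php"),
    _ev("100015", "block", 64497, "DE", "/.env"),
    _ev("100015", "block", 64496, "US", "/wp-login.php"),
    _ev("100200", "block", 64498, "DE", "/api/v1/users?id=1 OR 1=1"),
    _ev("100200", "block", 64498, "NL", "/api/v1/users?id=1' --"),
    _ev("100015", "log", 64499, "FR", "/robots.txt"),  # not a block; must be ignored
]

if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print(slack_reply(alert, build_evidence(SAMPLE_EVENTS), "C0SECOPS", "1700000001.000100")["text"])
```

Two choices worth keeping when you adapt this: the zone and time bounds reach Cloudflare as GraphQL variables rather than being spliced into the query string, because they originate in alert tags, and request paths are scrubbed before being quoted into Slack mrkdwn, because the attacker chose them.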
Set it up
What you configure once, before turning it on.
1. Connect Datadog: metrics, traces, log search.
2. Connect Cloudflare: Workers, Pages, R2, KV, the edge stack. This workflow only reads firewall events, so scope its API token to Analytics Read on the zones it covers rather than granting the whole stack.
3. Connect Slack: channels, DMs, threads, mentions.
4. Set each agent's model: models ship unset so you pick the tier, fast and cheap or top quality.
5. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
6. Test, then turn it on: run once against a sample alert, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke versus escalate, and executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, and mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails and verifies the replacement works.
Page on-call when a WAF rule mass-blocks legitimate traffic
On demand or every few minutes, it detects a single Cloudflare WAF rule suddenly blocking a broad spread of ASNs and paths (a likely false-positive storm).
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.
