SECOPS
Datadog WAF Anomaly to Cloudflare Rule Pull Request
When Datadog detects an anomalous blocked-request spike, it correlates the offending traffic in Cloudflare and opens a GitHub pull request adding the candidate firewall rule…
How it runs
The automated pipeline, trigger to output.
- Trigger: Datadog anomaly monitor webhook (Datadog)
- Action: Fetch matching requests from Cloudflare (Cloudflare)
- Logic: Extract dominant attack signature
- Action: Render signature as Terraform ruleset block (OpenAI)
- Action: Open GitHub pull request with the rule (GitHub)
- Output: Notify on-call of pending rule PR (Slack)
What it does
It converts a Datadog WAF anomaly alert into a version-controlled change. Instead of clicking rules into a dashboard, the candidate rule lands as a GitHub pull request against your Cloudflare-as-code repo, so every block has a diff, an author, and a reviewer.
When to use it
When your firewall is managed by Terraform or another IaC tool and you require all production rule changes to flow through code review rather than the Cloudflare UI.
How it works
1. A Datadog monitor webhook fires on a blocked-request anomaly.
2. Pull the matching request samples from Cloudflare for the alert window.
3. Logic extracts the dominant signature (path, country, ASN, header pattern).
4. An LLM step renders the signature as a Terraform `cloudflare_ruleset` block with a comment citing the evidence.
5. Open a GitHub pull request adding the block, with the Datadog alert link in the body.
6. Notify the on-call channel in Slack that a rule PR is awaiting review.
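Steps 3 and 4 as an added Python example, not the product's own code: it extracts the dominant signature from a constructed batch of Cloudflare firewall event samples and renders the Terraform `cloudflare_ruleset` block with a deterministic template standing in for the LLM step. The expression field names, the provider v4 block syntax, and the `var.zone_id` reference are assumptions; an empty signature is refused so the generated rule can never become a catch-all.

```python
from collections import Counter
# Constructed sample of Cloudflare firewall events for the alert window (not real traffic).
EVENTS = [
    {"path": "/wp-login.php", "country": "XX", "asn": 64500, "ua": "python-requests/2.31"},
    {"path": "/wp-login.php", "country": "XX", "asn": 64500, "ua": "python-requests/2.31"},
    {"path": "/wp-login.php", "country": "XX", "asn": 64500, "ua": "curl/8.4.0"},
    {"path": "/xmlrpc.php", "country": "YY", "asn": 64501, "ua": "Mozilla/5.0"},
]
# Signature dimension -> (Cloudflare expression field, literal type); field names assumed.
FIELDS = {
    "path": ("http.request.uri.path", str),
    "country": ("ip.geoip.country", str),
    "asn": ("ip.geoip.asnum", int),
    "ua": ("http.user_agent", str),
}

def dominant_signature(events, min_share=0.75):
    """Keep each dimension whose most common value covers >= min_share of the samples."""
    sig = {}
    for dim in FIELDS:
        value, count = Counter(e[dim] for e in events).most_common(1)[0]
        if count / len(events) >= min_share:
            sig[dim] = value
    return sig

def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')  # for use inside a "..." literal

def render_expression(sig):
    """AND the signature dimensions into one Cloudflare firewall expression."""
    def lit(dim, value):
        return str(value) if FIELDS[dim][1] is int else '"%s"' % _escape(str(value))
    return " and ".join(f"({FIELDS[d][0]} eq {lit(d, v)})" for d, v in sig.items())

def render_ruleset(sig, alert_url, sample_count):
    """Render the Terraform cloudflare_ruleset block with an evidence comment."""
    if not sig:  # an empty signature would match every request; never emit that rule
        raise ValueError("no dominant signature; refusing to emit a catch-all rule")
    hcl_expr = _escape(render_expression(sig))  # the expression sits inside an HCL string
    return (  # provider v4 block syntax assumed
        'resource "cloudflare_ruleset" "waf_anomaly_block" {\n'
        "  zone_id = var.zone_id\n"
        '  name    = "WAF anomaly candidate block"\n'
        '  kind    = "zone"\n  phase   = "http_request_firewall_custom"\n'
        "  rules {\n"
        f"    # Evidence: {sample_count} sampled events matched; alert: {alert_url}\n"
        '    action      = "block"\n'
        f'    expression  = "{hcl_expr}"\n'
        "  }\n}\n"
    )
```

With the sample above, the user agent is split across values and drops out of the signature, so the rule keys only on path, country and ASN.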
Set it up
What you configure once, before turning it on.
1. Connect Datadog: metrics, traces, log search.
2. Connect Cloudflare: Workers, Pages, R2, KV — the edge stack.
3. Connect OpenAI: models, embeddings, files.
4. Connect GitHub: repos, issues, pull requests, actions.
5. Connect Slack: channels, DMs, threads, mentions.
6. Set each agent's model: we leave models unset so you pick the tier — fast and cheap, or top quality.
7. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
8. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.