SECOPS
Cloudflare WAF burst to Honeycomb trace pivot
When Cloudflare WAF block events spike past a threshold in a short window, pull the offending request paths and open a scoped Honeycomb trace query.
How it runs
The automated pipeline, trigger to output.
- TriggerCloudflare WAF firewall event receivedCloudflare
- LogicCount blocks in rolling window; gate on burst threshold
- ActionRank top hostnames, paths, and ASNs via Cloudflare GraphQLCloudflare
- ActionBuild scoped Honeycomb trace query for the same windowHoneycomb
- OutputPost burst summary and trace link to DiscordDiscord
What it does
Watches Cloudflare WAF firewall events and reacts when blocked requests cluster into a burst (for example, 50+ blocks in five minutes). It correlates the burst to your backend by extracting the targeted hostnames and paths, builds a matching Honeycomb trace query for that same window, and hands the on-call engineer a single Discord message with the attack shape and a clickable trace link.
When to use it
Use it when WAF noise is high and you need the signal that actually reached origin. It turns "WAF is blocking a lot right now" into "here are the three paths under attack and here is the trace view of what slipped through."
How it works
- 1Cloudflare emits WAF firewall events; the workflow buffers them per window.
- 2A logic step counts blocks in the rolling window and only continues past the burst threshold.
- 3An action step queries the Cloudflare GraphQL analytics API to rank the top hostnames, paths, and source ASNs in the burst.
- 4An action step builds a Honeycomb trace query filtered to those paths over the same timestamp range and returns a permalink.
- 5The output step posts the burst summary plus the Honeycomb link to the secops Discord channel.
Set it up
What you configure once, before turning it on.
- 1Connect CloudflareWorkers, Pages, R2, KV — the edge stack.
- 2Connect HoneycombDistributed traces and queries.
- 3Connect DiscordCommunity channels + voice + bots.
- 4Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
- 5Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
- 6Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Compile a weekly WAF tuning review with trends to Confluence
Every week an agent rolls up Cloudflare WAF block clusters by rule and ASN, compares them to prior weeks for trend direction.
Sensitive Dropbox Link Owner Remediation Loop
When a newly created Dropbox shared link points to a sensitive file, this workflow DMs the file owner, gives them a deadline to justify or revoke it.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
Page on-call when a WAF rule mass-blocks legitimate traffic
On demand or every few minutes, it detects a single Cloudflare WAF rule suddenly blocking a broad spread of ASNs and paths (a likely false-positive storm).
PII Content Scan on New Dropbox External Share
When a file gets an external Dropbox link, it reads the file content, uses an AI classifier to detect PII or secrets.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.
Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.