SECOPS
Quarantine Dropbox links accessed from unexpected geographies
Watches Cloudflare access logs for hits on public Dropbox share links coming from countries outside your expected list.
How it runs
The automated pipeline, trigger to output.
- Trigger: New Cloudflare access log batch received (Cloudflare)
- Action: Enrich requests with share-link ID and geo from Axiom (Axiom)
- Logic: Keep only hits from outside the allowed-geo list
- Action: Revoke public access on the flagged Dropbox link (Dropbox)
- Action: Open GitLab investigation issue with IPs, geos, timestamps (GitLab)
- Output: Notify SecOps in Slack with link ID and action taken (Slack)
What it does
Correlates Cloudflare edge access logs against your inventory of public Dropbox share links. When a share link is hit from a country that isn't on your allowed-geo list, the workflow immediately disables public access on that link and opens a tracked security investigation.
When to use it
Run this when you publish Dropbox links for partners or customers in known regions and want automatic containment the moment a link surfaces from somewhere unexpected — a strong early signal of a leaked or scraped URL.
How it works
- 1. A new Cloudflare access log batch arrives and triggers the run.
- 2. The flow queries Axiom to enrich each request with the share-link ID and the resolving geo.
- 3. A logic step keeps only requests whose country is outside the allowed list.
- 4. For each flagged link, Dropbox revokes the public share so the URL stops resolving.
- 5. A GitLab issue is opened capturing the link, source IPs, geos, and timestamps.
- 6. The team is notified in Slack with the link ID and the action taken.
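The filter in step 3 and the evidence gathered for step 5, as an added example that is not this workflow's own code. The record keys (`ts`, `ip`, `country`, `link_id`), the allowed-geo list and the link inventory are constructed assumptions; a request with no resolved country is treated as outside the list.

```python
from collections import defaultdict

ALLOWED_GEOS = {"US", "CA", "DE"}      # assumed allowed-geo list
PUBLIC_LINKS = {"lnk_a1", "lnk_b2"}    # assumed inventory of public share-link IDs

# Constructed batch of enriched requests (hypothetical schema, not a vendor log format).
SAMPLE_BATCH = [
    {"ts": "2024-05-01T10:00:00Z", "ip": "198.51.100.7", "country": "us", "link_id": "lnk_a1"},
    {"ts": "2024-05-01T10:02:11Z", "ip": "203.0.113.9", "country": "BR", "link_id": "lnk_a1"},
    {"ts": "2024-05-01T10:02:40Z", "ip": "203.0.113.9", "country": "BR", "link_id": "lnk_a1"},
    {"ts": "2024-05-01T10:05:03Z", "ip": "192.0.2.44", "country": "", "link_id": "lnk_b2"},
    {"ts": "2024-05-01T10:06:00Z", "ip": "192.0.2.80", "country": "RU", "link_id": "lnk_zz"},
    {"ts": "2024-05-01T10:07:00Z", "ip": "198.51.100.9", "country": "DE", "link_id": "lnk_b2"},
]

def flag_links(batch, allowed=ALLOWED_GEOS, inventory=PUBLIC_LINKS):
    """Return {link_id: evidence} for inventoried links hit from outside `allowed`."""
    acc = defaultdict(lambda: {"ips": set(), "geos": set(), "times": []})
    for req in batch:
        link = req.get("link_id")
        if link not in inventory:
            continue  # only tracked public share links are in scope
        # Normalise case; a missing geo is treated as not allowed (fail closed).
        country = (req.get("country") or "").strip().upper() or "UNKNOWN"
        if country in allowed:
            continue
        acc[link]["ips"].add(req["ip"])
        acc[link]["geos"].add(country)
        acc[link]["times"].append(req["ts"])
    # Same-format UTC ISO 8601 strings sort chronologically, so min/max work on them.
    return {
        link: {
            "ips": sorted(ev["ips"]),
            "geos": sorted(ev["geos"]),
            "hits": len(ev["times"]),
            "first_seen": min(ev["times"]),
            "last_seen": max(ev["times"]),
        }
        for link, ev in acc.items()
    }

def issue_body(link, ev):
    """Render the evidence the investigation issue should carry for one link."""
    return (
        f"Share link {link}: {ev['hits']} hit(s) from outside the allowed geos\n"
        f"Geos: {', '.join(ev['geos'])}\n"
        f"Source IPs: {', '.join(ev['ips'])}\n"
        f"Window: {ev['first_seen']} to {ev['last_seen']}"
    )
```

Grouping by link before acting means one revoke and one issue per link, however many out-of-geo requests the batch contains.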
Set it up
What you configure once, before turning it on.
- 1. Connect Cloudflare: Workers, Pages, R2, KV (the edge stack).
- 2. Connect Axiom: Log streams, queries, dashboards.
- 3. Connect Dropbox: Files and folders.
- 4. Connect GitLab: Repos, MRs, pipelines, registry.
- 5. Connect Slack: Channels, DMs, threads, mentions.
- 6. Set each agent's model: We leave models unset so you pick the tier, fast + cheap or top-quality.
- 7. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
- 8. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
