SECOPS
Weekly Dropbox link exposure digest from Cloudflare logs
Once a week, summarizes which public Dropbox links saw access from new geos or anonymized sources, quantifies the riskiest links.
How it runs
The automated pipeline, trigger to output.
- TriggerWeekly digest schedule fires
- ActionAggregate week of Cloudflare logs joined to Dropbox inventory in AxiomAxiom
- LogicScore each link on new geos, anonymized sources, and volume
- ActionOpen GitLab issue for any link above review thresholdGitLab
- OutputPost ranked exposure digest to SlackSlack
What it does
Produces a weekly rollup of how your public Dropbox links were accessed. It aggregates a week of Cloudflare logs from Axiom, ranks links by exposure risk — new geographies, anonymized sources, access volume — and surfaces the ones that warrant a closer look before they become incidents.
When to use it
Use this as a recurring hygiene review rather than a real-time tripwire. It gives owners a regular, low-noise view of which shared links are drifting toward risky access patterns so they can clean up stale or over-shared links proactively.
How it works
- 1A weekly schedule fires the digest run.
- 2Axiom aggregates the week's Cloudflare access logs joined to the Dropbox link inventory.
- 3A logic step scores each link on new geos, anonymized sources, and volume.
- 4For any link above the review threshold, a GitLab issue is opened for triage.
- 5A ranked digest of the top exposed links is posted to Slack for the team.
Set it up
What you configure once, before turning it on.
- 1Connect AxiomLog streams, queries, dashboards.
- 2Connect CloudflareWorkers, Pages, R2, KV — the edge stack.
- 3Connect DropboxFiles and folders.
- 4Connect GitLabRepos, MRs, pipelines, registry.
- 5Connect SlackChannels, DMs, threads, mentions.
- 6Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
- 7Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
- 8Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.
Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.