Page on access bursts against a single Dropbox share link
Detects a sudden spike in Cloudflare requests against one public Dropbox link within a short window and expires the link.
How it runs
The automated pipeline, trigger to output.
- Trigger: Windowed Axiom query over recent Cloudflare logs runs (Axiom)
- Action: Compute per-link request counts vs rolling baseline (Cloudflare)
- Logic: Flag links exceeding the spike threshold
- Action: Set flagged Dropbox link to expire immediately (Dropbox)
- Action: Page on-call via PagerDuty with rate and baseline (PagerDuty)
- Output: File GitLab issue for post-incident review (GitLab)
What it does
Watches request volume per Dropbox share link in Cloudflare logs. When a single link's hit rate spikes far above its baseline inside a short window — the signature of a scraper or a link forwarded to a wide audience — it expires the link and escalates to on-call.
When to use it
Use this for links that should see low, steady traffic from a known recipient. A burst means the URL has been shared beyond its intended audience or is being harvested. Pairs well with the inventory sync and geo-anomaly workflows for layered defense.
How it works
1. A windowed Axiom query runs on a short cadence over recent Cloudflare logs.
2. It computes per-link request counts and compares each to its rolling baseline.
3. A logic step flags any link exceeding the spike threshold.
4. Dropbox sets the flagged link to expire immediately, cutting off access.
5. PagerDuty pages the on-call engineer with the link ID, rate, and baseline.
6. A GitLab issue is filed to track the post-incident review.
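The counting and flagging steps above, as an added example that is not part of the original page or the product's own logic: per-link hits in the current window are compared against the mean of the preceding windows. The window length, baseline size, spike factor, absolute floor and the `(ts, link_id)` record shape are all assumptions, and the log records are constructed.

```python
from collections import Counter, defaultdict

# All four values are assumptions; the page does not state them.
WINDOW_S = 60          # window length in seconds
BASELINE_WINDOWS = 5   # prior windows averaged into the rolling baseline
SPIKE_FACTOR = 5.0     # multiplier over baseline that counts as a spike
MIN_HITS = 20          # absolute floor so quiet links do not flap


def window_counts(records):
    """Return {window_index: Counter(link_id -> hits)} for (ts, link_id) records."""
    buckets = defaultdict(Counter)
    for ts, link_id in records:
        buckets[ts // WINDOW_S][link_id] += 1
    return buckets


def find_spikes(records, current_window):
    """Flag links whose hits in current_window exceed their rolling baseline."""
    buckets = window_counts(records)
    prior = range(current_window - BASELINE_WINDOWS, current_window)
    flagged = []
    for link_id, hits in sorted(buckets[current_window].items()):
        # Windows with no traffic count as zero, so a brand-new link has
        # baseline 0 and is judged against MIN_HITS alone.
        baseline = sum(buckets[w][link_id] for w in prior) / BASELINE_WINDOWS
        threshold = max(MIN_HITS, SPIKE_FACTOR * baseline)
        if hits > threshold:
            flagged.append({"link_id": link_id, "rate": hits, "baseline": baseline})
    return flagged


def sample_records():
    """Constructed log sample: windows 0-4 are history, window 5 is current."""
    recs = []
    for w in range(5):
        recs += [(w * WINDOW_S + i, "link-steady") for i in range(10)]
        recs += [(w * WINDOW_S + i, "link-quiet") for i in range(2)]
        recs += [(w * WINDOW_S + i, "link-burst") for i in range(2)]
    recs += [(5 * WINDOW_S + i % 60, "link-steady") for i in range(12)]
    recs += [(5 * WINDOW_S + i % 60, "link-quiet") for i in range(15)]
    recs += [(5 * WINDOW_S + i % 60, "link-burst") for i in range(90)]
    recs += [(5 * WINDOW_S + i % 60, "link-new") for i in range(40)]
    return recs


if __name__ == "__main__":
    for hit in find_spikes(sample_records(), current_window=5):
        print(hit)
```

The absolute floor is what keeps `link-quiet` (2 hits per window rising to 15) from being expired even though it exceeds five times its baseline.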
Set it up
What you configure once, before turning it on.
1. Connect Axiom: Log streams, queries, dashboards.
2. Connect Cloudflare: Workers, Pages, R2, KV — the edge stack.
3. Connect Dropbox: Files and folders.
4. Connect PagerDuty: Incidents, on-call, escalations.
5. Connect GitLab: Repos, MRs, pipelines, registry.
6. Set each agent's model: We leave models unset so you pick the tier — fast + cheap, or top-quality.
7. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
8. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
