SECOPS
Cloudflare Egress Anomaly to SOC Investigation Dossier
Watches Cloudflare Logpush for outbound traffic spikes, enriches the destination, scores severity, and opens a structured SOC investigation page in Notion with a starter IOC…
How it runs
The automated pipeline, trigger to output.
- Trigger: Cloudflare Logpush flags egress spike (Cloudflare)
- Logic: Compare bytes-out vs rolling baseline
- Action: Enrich destination IP/ASN reputation (OpenAI)
- Logic: Score severity (volume x reputation x asset)
- Action: Create Notion investigation dossier + IOC ledger (Notion)
- Output: Post dossier link to SOC channel (Slack)
What it does
Turns a raw Cloudflare egress alert into a ready-to-work SOC investigation. When outbound bytes from a source IP or worker exceed the rolling baseline, it enriches the destination, assigns a severity score, and spins up a Notion investigation dossier pre-filled with the triggering event and an empty IOC ledger.
When to use it
Use it when your team triages data-exfiltration signals by hand and wants every Cloudflare egress spike to land as a consistent, deduplicated case instead of a noisy log line. Best for SOCs that run investigations in Notion.
How it works
1. Cloudflare Logpush delivers an egress event flagging unusual outbound volume.
2. A logic step compares bytes-out against the source's rolling baseline and drops anything within normal range.
3. An enrichment action resolves the destination IP/ASN reputation and geo via threat-intel lookup.
4. A scoring logic step combines volume delta, destination reputation, and asset criticality into a severity tier.
5. A Notion action creates an investigation dossier seeded with the event, enrichment, score, and an empty IOC ledger table.
6. The dossier link is posted to the SOC channel as the final handoff.
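Steps 2 and 4 above are the two pieces of logic a SOC would want to reason about before trusting the pipeline. The following is an added example, not the template's own code: a Python sketch of the baseline comparison and the severity scoring run over a constructed egress event. The history, reputation and criticality tables, field names, thresholds and tier cut-offs are all assumptions standing in for the Logpush, threat-intel and asset-inventory data the real workflow would pull.

```python
from statistics import mean, pstdev
# Constructed sample: rolling bytes-out history per source, as the logic step would keep
# it from Cloudflare Logpush windows. All keys/values here are hypothetical.
HISTORY = {
    "worker-billing-export": [120_000, 135_000, 110_000, 128_000, 140_000, 125_000, 130_000],
}
# Constructed stand-ins for the threat-intel and asset-inventory lookups.
REPUTATION = {"203.0.113.10": 0.9, "198.51.100.5": 0.3}   # 0 = clean, 1 = known-bad
ASSET_CRITICALITY = {"worker-billing-export": 3}         # 1 = low .. 3 = crown jewel

def volume_delta(bytes_out, history, z_threshold=3.0, min_ratio=2.0):
    """Step 2: return bytes_out / baseline, or None if the event is within normal range."""
    baseline = mean(history)
    sd = pstdev(history)
    ratio = bytes_out / baseline if baseline else float("inf")
    if sd == 0:  # flat history: any increase is infinitely many sigmas out
        z = float("inf") if bytes_out > baseline else 0.0
    else:
        z = (bytes_out - baseline) / sd
    # Require both a large ratio and a large z-score so a small bump on a quiet source is dropped.
    if ratio < min_ratio or z < z_threshold:
        return None
    return round(ratio, 2)

def severity(ratio, reputation, criticality):
    """Step 4: volume delta x destination reputation x asset criticality -> (score, tier)."""
    volume_factor = min(ratio, 10.0)           # cap so one huge transfer cannot dominate
    score = volume_factor * max(reputation, 0.1) * criticality  # clean dest still scores > 0
    if score >= 15:
        tier = "critical"
    elif score >= 6:
        tier = "high"
    elif score >= 2:
        tier = "medium"
    else:
        tier = "low"
    return round(score, 2), tier

def triage(event):
    """Run steps 2-4 on one egress event; None means it was dropped as normal traffic."""
    ratio = volume_delta(event["bytes_out"], HISTORY[event["source"]])
    if ratio is None:
        return None
    rep = REPUTATION.get(event["dest_ip"], 0.5)          # unknown destination: neutral
    crit = ASSET_CRITICALITY.get(event["source"], 1)
    score, tier = severity(ratio, rep, crit)
    # This dict is what would seed the Notion dossier; the IOC ledger starts empty.
    return {"source": event["source"], "dest_ip": event["dest_ip"], "ratio": ratio, "reputation": rep,
            "criticality": crit, "score": score, "tier": tier, "ioc_ledger": []}
```

The double gate in `volume_delta` is the part worth tuning against your own data: a ratio-only check pages on quiet sources, a z-score-only check pages on noisy ones.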
Set it up
What you configure once, before turning it on.
1. Connect Cloudflare: Workers, Pages, R2, KV — the edge stack.
2. Connect OpenAI: models, embeddings, files.
3. Connect Notion: pages, databases, comments.
4. Connect Slack: channels, DMs, threads, mentions.
5. Set each agent's model: we leave models unset so you pick the tier — fast + cheap, or top-quality.
6. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.