SECOPS
Real-Time Alert on Newly Public-Shared Drive Files
Listens for a webhook whenever a Drive file is newly shared externally and classifies whether the file is sensitive.
How it runs
The automated pipeline, trigger to output.
- Trigger: Webhook: Drive sharing-change event (HTTP webhook)
- Action: Fetch file permissions and metadata (Google Drive)
- Logic: Confirm external / anyone-with-link grant
- Logic: Classify file sensitivity
- Action: DM file owner the exposure heads-up (Slack)
- Output: Escalate high-risk shares to Linear (Linear)
What it does
Reacts the moment a Google Drive file is shared with an external party or made link-accessible. Instead of waiting for a nightly sweep, it inspects the change in real time, decides whether the file is sensitive, and immediately pings the person who shared it — with a high-risk escalation path that files a Linear issue for the security team.
When to use it
Use this when delayed detection is unacceptable and you want to catch risky shares within seconds, not the next morning. Best for organizations handling regulated data where a public link to the wrong document is an incident on its own.
How it works
1. A webhook receives a Drive sharing-change event.
2. The flow fetches the affected file's current permissions and metadata.
3. A filter confirms the new grant is external or anyone-with-link (ignores internal shares).
4. A classifier decides sensitivity from filename, type, and content signals.
5. Low-risk shares get a friendly heads-up DM to the owner in Slack.
6. High-risk shares additionally create a Linear issue so security can review and revoke.
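The filter, classifier and routing steps above, sketched as an added Python example (not this product's own code). It reads the `type`, `emailAddress` and `domain` fields of Drive API v3 permission objects and the `name` and `mimeType` of the file. The internal domain list, the keyword and MIME signals, the two-signal threshold, counting an anyone-with-link grant as a signal, and the action names are all assumptions, and content inspection is left out.

```python
import re

INTERNAL_DOMAINS = {"example.com"}  # assumption: your org's Workspace domains

# Assumption: illustrative sensitivity signals; tune to your own data.
SENSITIVE_NAME = re.compile(
    r"payroll|salary|passport|ssn|customer|contract|secret|credential", re.I)
SENSITIVE_MIME = {"application/vnd.google-apps.spreadsheet", "text/csv"}


def external_grants(permissions):
    """Return the permissions that expose the file outside the organization."""
    exposed = []
    for p in permissions:
        kind = p.get("type")
        if kind == "anyone":  # anyone-with-link or public on the web
            exposed.append(p)
        elif kind == "domain":
            if p.get("domain", "").lower() not in INTERNAL_DOMAINS:
                exposed.append(p)
        elif kind in ("user", "group"):
            # A missing address cannot be proven internal, so treat it as external.
            domain = p.get("emailAddress", "").rpartition("@")[2].lower()
            if domain not in INTERNAL_DOMAINS:
                exposed.append(p)
    return exposed


def classify(file_meta, grants):
    """Count filename, type and link-sharing signals; 'high' at two or more."""
    signals = 0
    signals += bool(SENSITIVE_NAME.search(file_meta.get("name", "")))
    signals += file_meta.get("mimeType") in SENSITIVE_MIME
    signals += any(g.get("type") == "anyone" for g in grants)
    return "high" if signals >= 2 else "low"


def route(file_meta, permissions):
    """Map one sharing-change event to the actions the workflow would take."""
    grants = external_grants(permissions)
    if not grants:
        return []  # internal share: ignore
    actions = ["slack_dm_owner"]  # hypothetical action names
    if classify(file_meta, grants) == "high":
        actions.append("linear_issue")
    return actions
```

Always evaluate the file's current permission list rather than the event payload alone, so a grant that was already revoked by the time the webhook is processed does not raise an alert.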
Set it up
What you configure once, before turning it on.
1. Connect Google Drive: Docs, sheets, slides, files.
2. Connect Slack: Channels, DMs, threads, mentions.
3. Connect Linear: Issues, projects, cycles, triage.
4. Connect HTTP webhook: Trigger any URL on agent actions.
5. Set each agent's model: We leave models unset so you pick the tier — fast + cheap, or top-quality.
6. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
