SECOPS
Real-Time IdP Grant Enrichment and Risk Triage
On every privileged role assignment from your identity provider, it enriches the event with HR and threat context, classifies risk with an LLM, and routes the grant to Slack.
How it runs
The automated pipeline, trigger to output.
- Trigger: Webhook receives IdP role-assignment event (HTTP webhook)
- Action: Enrich grantee with HR context over HTTP (HTTP webhook)
- Action: Classify grant risk with LLM (OpenAI)
- Logic: Route by verdict: log, review, or escalate
- Output: Post triage to Slack and emit Datadog event (Datadog)
What it does
It catches privileged role assignments at the moment your identity provider emits them, adds context the raw event lacks — employment status, department fit, recent risky sign-ins — and routes each grant to the right destination so only meaningful elevations reach a human.
When to use it
Use this when your IdP can webhook role-assignment events and you want enrichment-driven triage in real time instead of after-the-fact log review. Good for reducing alert fatigue while keeping a full record.
How it works
1. A webhook receives the IdP privileged role-assignment event.
2. An HR-system lookup over HTTP enriches the grantee with employment status, role, and manager.
3. An OpenAI model classifies the grant as expected, review-needed, or suspicious, using the HR enrichment plus the grantee's recent sign-in risk.
4. A logic branch routes on the verdict: expected grants are logged to Datadog, review-needed grants go to Slack with context, and suspicious grants trigger both a Slack post and a Datadog security event.
5. The final delivery posts the triaged outcome to the appropriate channel and emits the Datadog audit metric.
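The five steps above, as an added example that is not the product's own code: a single Python module that runs the pipeline offline on constructed data. The IdP payload field names, the HR directory, the sign-in risk scores and the role-to-department expectations are all assumptions made for this example, the HR lookup is a dictionary standing in for the HTTP call, and the OpenAI verdict is replaced by a deterministic rule set so the routing in step 4 can be exercised and tested without a model.

```python
"""Privileged-grant triage pipeline (added example, not the vendor's code).

Constructed data and assumed field names throughout; the LLM classifier is
replaced by deterministic rules so the routing logic runs offline.
"""

# Constructed sample IdP webhook payload (step 1). Field names are assumptions.
SAMPLE_EVENT = {
    "event_type": "role.assigned",
    "actor": "admin@example.com",
    "target_user": "jdoe@example.com",
    "role": "Super Administrator",
    "timestamp": "2024-05-01T12:00:00Z",
}

# Constructed HR directory standing in for the HTTP lookup (step 2).
HR_DIRECTORY = {
    "jdoe@example.com": {"status": "active", "department": "Platform Engineering", "manager": "mlee@example.com"},
    "rsmith@example.com": {"status": "active", "department": "IT Operations", "manager": "mlee@example.com"},
    "contractor@example.com": {"status": "terminated", "department": "Vendor", "manager": "vendor-mgr@example.com"},
}

# Constructed recent sign-in risk per user, 0.0 (low) to 1.0 (high).
SIGNIN_RISK = {
    "jdoe@example.com": 0.1,
    "rsmith@example.com": 0.9,
    "contractor@example.com": 0.8,
}

# Roles the trigger filter treats as privileged, and the departments in which
# holding each one is expected (both are assumptions for this example).
PRIVILEGED_ROLES = {"Super Administrator", "Billing Administrator", "Security Administrator"}
EXPECTED_ROLE_DEPARTMENTS = {
    "Super Administrator": {"Platform Engineering", "IT Operations"},
    "Billing Administrator": {"Finance"},
}

def enrich(event, hr_directory=HR_DIRECTORY, signin_risk=SIGNIN_RISK):
    """Step 2: attach HR context and sign-in risk to the raw event."""
    user = event["target_user"]
    return {
        **event,
        "hr": hr_directory.get(user),          # None when HR has never heard of the grantee
        "signin_risk": signin_risk.get(user, 0.0),
    }

def classify(enriched):
    """Step 3 stand-in: deterministic rules in place of the LLM call.

    Returns (verdict, reasons) with verdict in {'expected', 'review', 'suspicious'}.
    """
    hr, role = enriched["hr"], enriched["role"]
    if hr is None:
        return "suspicious", ["grantee not found in HR"]
    if hr["status"] != "active":
        return "suspicious", [f"grantee status is {hr['status']}"]
    if enriched["signin_risk"] >= 0.7:
        return "suspicious", [f"recent sign-in risk {enriched['signin_risk']:.1f}"]
    if hr["department"] not in EXPECTED_ROLE_DEPARTMENTS.get(role, set()):
        return "review", [f"{role} unusual for department {hr['department']}"]
    return "expected", ["active employee, department fit, low sign-in risk"]

def route(verdict):
    """Step 4: map a verdict to its delivery destinations."""
    return {
        "expected": ["datadog_log"],
        "review": ["slack"],
        "suspicious": ["slack", "datadog_security_event"],
    }[verdict]

def format_slack_message(decision):
    """Step 5: the text a reviewer would see in Slack."""
    reasons = "; ".join(decision["reasons"])
    return (f"[{decision['verdict'].upper()}] {decision['role']} granted to "
            f"{decision['user']} by {decision['actor']}: {reasons}")

def triage(event):
    """Run steps 1 to 5 and return the decision record, or None if the event
    is not a privileged role assignment (the trigger filter drops it)."""
    if event.get("event_type") != "role.assigned" or event.get("role") not in PRIVILEGED_ROLES:
        return None
    enriched = enrich(event)
    verdict, reasons = classify(enriched)
    decision = {
        "user": event["target_user"],
        "actor": event["actor"],
        "role": event["role"],
        "verdict": verdict,
        "reasons": reasons,
        "destinations": route(verdict),
    }
    decision["slack_text"] = format_slack_message(decision)
    return decision

if __name__ == "__main__":
    for user in ("jdoe@example.com", "rsmith@example.com", "contractor@example.com", "nobody@example.com"):
        print(triage({**SAMPLE_EVENT, "target_user": user})["slack_text"])
```

In a real deployment `classify` is where the OpenAI call goes, but it is worth keeping the first three rules (unknown grantee, non-active grantee, high sign-in risk) as deterministic checks in front of the model: they are the cases where you want a fixed verdict regardless of how the model phrases its answer, and they give the workflow a safe result if the model call fails or times out.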
Set it up
What you configure once, before turning it on.
1. Connect HTTP webhook: trigger any URL on agent actions.
2. Connect OpenAI: models, embeddings, files.
3. Connect Datadog: metrics, traces, log search.
4. Connect Slack: channels, DMs, threads, mentions.
5. Set each agent's model: models are left unset so you pick the tier (fast and cheap, or top-quality).
6. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.