SECOPS
Detect WAF block spikes and open a triaged PagerDuty incident
Watches Cloudflare firewall-event volume for sudden anomalies, and when a managed rule starts blocking far above its baseline it opens a PagerDuty incident pre-filled…
How it runs
The automated pipeline, trigger to output.
- Trigger: Polling schedule fires
- Action (Cloudflare): Pull recent firewall-event counts by rule
- Logic: Compare to rolling baseline; flag significant spikes
- Action (Cloudflare): Enrich spike with top paths, IPs, and ASNs
- Output (PagerDuty): Open enriched PagerDuty incident
What it does
Monitors per-rule Cloudflare WAF block volume against a rolling baseline and detects spikes that signal either an attack or a bad rule deployment. On a confirmed anomaly it creates a PagerDuty incident enriched with the triage facts an on-call needs to act in seconds.
When to use it
When you need an on-call signal the moment a WAF rule's block rate jumps — to catch both real attacks and self-inflicted false-positive storms after a ruleset change — without staring at the Cloudflare dashboard.
How it works
1. A short-interval schedule polls Cloudflare for recent firewall-event counts grouped by rule ID.
2. A logic step compares each rule's current rate to its trailing baseline and flags statistically significant spikes.
3. Spikes below the alerting threshold are dropped to avoid noise.
4. For a flagged spike it gathers the top blocked paths, client IPs, and ASNs.
5. A PagerDuty incident is opened with the rule, spike magnitude, top offenders, and an attack-vs-misconfig hint for the responder.
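The five steps above, carried through end to end as an added example (not the platform's own code). Baseline windows and the current interval's firewall events are constructed inline so the block runs offline; in the real pipeline they come from Cloudflare's firewall-event analytics, and the PagerDuty request is only assembled here, not sent. Rule IDs, the `z_threshold`/`min_delta` values, and the attack-vs-misconfig heuristic (concentrated sources suggest an attack, a broad ASN and path spread suggests a bad rule) are assumptions chosen for illustration.

```python
"""Per-rule WAF block-spike detection: baseline comparison, enrichment, PagerDuty payload.

Added example; input data below is constructed, not pulled from Cloudflare.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed: trailing per-rule block counts for the previous six polling intervals.
BASELINE_WINDOWS = {
    "rule-sqli": [12, 15, 11, 14, 13, 12],
    "rule-bot":  [40, 38, 45, 41, 39, 42],
    "rule-xss":  [5, 6, 5, 7, 6, 5],
}

# Constructed: firewall events from the current interval (documentation IPs/ASNs).
CURRENT_EVENTS = (
    [{"rule": "rule-sqli", "path": "/login", "ip": "198.51.100.7", "asn": 64496}] * 60
    + [{"rule": "rule-sqli", "path": "/api", "ip": "198.51.100.8", "asn": 64496}] * 15
    + [{"rule": "rule-xss", "path": "/search", "ip": "198.51.100.9", "asn": 64497}] * 8
    + [{"rule": "rule-bot", "path": f"/p/{i}", "ip": f"203.0.113.{i}",
        "asn": 64500 + (i % 30)} for i in range(200)]
)


def detect_spikes(baseline, current_counts, z_threshold=3.0, min_delta=20):
    """Step 2+3: flag rules whose current count is a significant jump over the trailing baseline.

    A rule must clear both a z-score and an absolute-delta floor, so a tiny rule that goes
    from 5 to 8 blocks is dropped as noise even though its z-score is high.
    """
    spikes = {}
    for rule, count in current_counts.items():
        hist = baseline.get(rule, [])
        if len(hist) < 3:
            continue  # too little history to judge a new rule; wait for a baseline to form
        mu = mean(hist)
        sigma = pstdev(hist) or 1.0  # floor so a perfectly flat baseline cannot divide by zero
        z = (count - mu) / sigma
        if z >= z_threshold and count - mu >= min_delta:
            spikes[rule] = {"current": count, "baseline_mean": round(mu, 1), "zscore": round(z, 1)}
    return spikes


def enrich(events, rule, top_n=3):
    """Step 4: top blocked paths, client IPs and ASNs for the spiking rule, plus spread metrics."""
    hits = [e for e in events if e["rule"] == rule]
    return {
        "top_paths": Counter(e["path"] for e in hits).most_common(top_n),
        "top_ips": Counter(e["ip"] for e in hits).most_common(top_n),
        "top_asns": Counter(e["asn"] for e in hits).most_common(top_n),
        "distinct_asns": len({e["asn"] for e in hits}),
        "distinct_paths": len({e["path"] for e in hits}),
    }


def classify(enrichment, total):
    """Step 5 hint (assumed heuristic): attacks concentrate in few sources; a bad rule blocks everyone."""
    top_asn_share = enrichment["top_asns"][0][1] / total
    if enrichment["distinct_asns"] >= 10 and top_asn_share < 0.2:
        return "likely misconfiguration (broad ASN/path spread); check recent ruleset changes"
    return "likely attack (concentrated sources); consider a rate limit or IP block"


def build_incident(rule, spike, enrichment, hint):
    """Step 5: PagerDuty Events API v2 trigger body (assembled only; routing key is a placeholder)."""
    return {
        "routing_key": "<pagerduty-integration-key>",  # assumption: an Events API v2 integration key
        "event_action": "trigger",
        "dedup_key": f"waf-spike-{rule}",  # re-triggers for the same rule update the open incident
        "payload": {
            "summary": (f"WAF {rule}: {spike['current']} blocks vs baseline "
                        f"{spike['baseline_mean']} (z={spike['zscore']}); {hint}"),
            "source": "cloudflare-waf",
            "severity": "error" if hint.startswith("likely attack") else "warning",
            "custom_details": {**spike, **enrichment},
        },
    }


def run(events, baseline):
    """Whole pipeline for one polling interval: returns the incidents that would be opened."""
    current_counts = Counter(e["rule"] for e in events)  # step 1 output, grouped by rule
    incidents = []
    for rule, spike in detect_spikes(baseline, current_counts).items():
        enr = enrich(events, rule)
        incidents.append(build_incident(rule, spike, enr, classify(enr, spike["current"])))
    return incidents


if __name__ == "__main__":
    for inc in run(CURRENT_EVENTS, BASELINE_WINDOWS):
        print(inc["payload"]["summary"])
```

With the constructed data, `rule-sqli` (75 blocks against a baseline of about 13, one ASN) pages as a likely attack, `rule-bot` (200 blocks across 30 ASNs and 200 paths) pages as a likely false-positive storm, and `rule-xss` (8 against about 6) is dropped by the absolute-delta floor despite a z-score above 3. The `dedup_key` per rule is what keeps a sustained spike from paging on every polling interval; `custom_details` carries the top-offender tuples, which JSON-encode as lists when the request is actually sent.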
Set it up
What you configure once, before turning it on.
1. Connect Cloudflare: Workers, Pages, R2, KV, the edge stack.
2. Connect PagerDuty: incidents, on-call, escalations.
3. Set each agent's model: models are left unset so you pick the tier, fast and cheap or top quality.
4. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
5. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.