Slack alerts for risky Cloudflare changes

Every 15 minutes, scan your Cloudflare audit log for high-risk activity and post a clear, severity-tagged alert to your security Slack channel.

Agentic Task
Tags: Cloudflare, Slack, Engineering, Operations, Notifications & Alerts, Research & Monitoring

Every 15 minutes, watch our Cloudflare account audit log for risky changes and post severity-tagged alerts to a Slack channel for security.

Trigger: cron, every 15 minutes.

Each run, call Cloudflare's List Audit Logs operation with a since-timestamp filter that pulls every entry created since the previous run finished (store and reuse that timestamp between runs; on the first run, look back 15 minutes). Page through results until the audit log is fully drained for the window.

Then reason over the entries and classify each one as high-risk or low-risk. Treat the following as high-risk by default:

- DNS record deletions, and any create/update/delete that touches an apex (root) record
- Firewall and ruleset changes: Create/Update/Delete IP Access Rule, Create/Update Ruleset, Update Bot Management Settings, Lockdown rule changes
- DNSSEC enable/disable or key changes
- Zone deletion or transfer
- API token creation
- Account member added, role changed, or 2FA disabled

Treat low-noise items like DNS proxy toggles, analytics views, login events, and read-only API calls as low-risk.

For each high-risk entry, draft a short, human-readable summary that includes: the actor (email or token name), the action, the resource (zone, record, ruleset, token name), before/after values when the audit entry carries them, the timestamp, and a deep link back to the Cloudflare dashboard for that resource. Tag each one with a severity emoji: 🚨 for destructive or auth-changing actions (deletions, DNSSEC off, new API token, member added), ⚠️ for edits to firewall/WAF/bot management.

Post the alerts to the #cloudflare-audit Slack channel using Slack's Send a Message operation. Use Slack mrkdwn formatting (single asterisks for bold, <url|text> for links). Send one Slack message per run that contains all the high-risk entries as a list. If there were also low-risk entries in the same window, append a single trailing line at the bottom: 'and N other low-risk changes' so the channel stays signal-heavy. If there were zero high-risk entries and zero low-risk entries, do not post anything.

This addresses the recurring community ask for Slack notifications on Cloudflare audit log activity, which Cloudflare does not ship natively. The agent's judgement on what counts as high-risk vs noise is the key piece, so keep that classification step explicit and easy to tweak.
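As an added example (not Geni's or Cloudflare's own code), this is the since-window, classification and message-assembly logic the prompt describes, run over constructed sample audit entries. The simplified entry shape, the dashboard-style action labels, the placeholder dashboard URL and the fixed clock are assumptions; the actual List Audit Logs call and the Slack post are left to the connected tools.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample audit entries in a simplified shape (an assumption, not Cloudflare's exact
# schema): dashboard-style action label, actor, resource, zone, record name, time, before/after.
SAMPLE_ENTRIES = [
    {"action": "Delete DNS Record", "actor": "alice@example.com", "resource": "A record", "zone": "example.com",
     "name": "example.com", "when": "2024-05-01T10:02Z", "old": "203.0.113.10", "new": "(removed)"},
    {"action": "Update DNS Record", "actor": "bob@example.com", "resource": "CNAME record", "zone": "example.com",
     "name": "blog.example.com", "when": "2024-05-01T10:03Z", "old": "proxied=false", "new": "proxied=true"},
    {"action": "Create IP Access Rule", "actor": "token:ci-deploy", "resource": "IP access rule",
     "zone": "example.com", "name": "block 198.51.100.0/24", "when": "2024-05-01T10:05Z"},
    {"action": "Create API Token", "actor": "carol@example.com", "resource": "API token", "zone": "",
     "name": "ops-readonly", "when": "2024-05-01T10:06Z"},
    {"action": "Login", "actor": "dave@example.com", "resource": "session", "zone": "", "name": "",
     "when": "2024-05-01T10:07Z"},
]
NOW = datetime(2024, 5, 1, 10, 15, tzinfo=timezone.utc)  # constructed clock for the demo
DASHBOARD = "https://dash.cloudflare.com/ACCOUNT_ID_PLACEHOLDER"  # placeholder base URL
# Destructive or auth-changing actions get the siren; firewall/WAF/bot edits get the warning sign.
CRITICAL = {"Disable DNSSEC", "Change DNSSEC Key", "Transfer Zone", "Create API Token",
            "Add Account Member", "Change Member Role", "Disable 2FA"}
WARNING = {"Create IP Access Rule", "Update IP Access Rule", "Create Ruleset", "Update Ruleset",
           "Update Bot Management Settings", "Create Lockdown Rule", "Update Lockdown Rule"}

def poll_since(last_run_finished, now):
    # Since-timestamp for this run: the previous run's finish, or 15 minutes back on the first run.
    return last_run_finished or now - timedelta(minutes=15)

def classify(entry):
    # Severity emoji for a high-risk entry, None for low-risk noise (proxy toggles, logins, reads).
    action, is_apex = entry["action"], bool(entry["name"]) and entry["name"] == entry["zone"]
    if action.startswith("Delete") or action in CRITICAL:
        return "🚨"
    if action in WARNING or (action.endswith("DNS Record") and is_apex):
        return "⚠️"  # non-destructive apex edits grouped with config edits (assumption)
    return None

def format_entry(sev, e):
    # One mrkdwn line: *bold* action, actor, <url|text> deep link, before/after when present.
    label = " ".join(filter(None, [e["resource"], e["name"]]))
    change = f" ({e['old']} -> {e['new']})" if "old" in e else ""
    return f"{sev} *{e['action']}* by {e['actor']} on <{DASHBOARD}/{e['zone'] or 'profile'}|{label}>{change} at {e['when']}"

def build_message(entries):
    # One Slack message per run; None when the window held no entries at all.
    flagged = [(classify(e), e) for e in entries]
    lines = [format_entry(s, e) for s, e in flagged if s]
    low = sum(1 for s, _ in flagged if s is None)
    if not lines and not low:
        return None
    if low:
        lines.append(f"and {low} other low-risk change{'s' if low != 1 else ''}")
    return "\n".join(lines)
```

The CRITICAL and WARNING sets are the part to tweak when adjusting the high-risk list; everything else stays the same.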

Additional information

What does this prompt do?
  • Checks your Cloudflare audit log every 15 minutes for everything that happened since the last run.
  • Flags high-risk changes such as DNS record deletions, firewall and WAF rule edits, DNSSEC updates, zone deletions, and new API tokens.
  • Posts a short, severity-tagged summary to your security Slack channel with the actor, the action, the resource, and a link back to the Cloudflare dashboard.
  • Rolls routine, low-risk activity into a single trailing line so the channel stays focused on what matters.
What do I need to use this?
  • A Cloudflare account with permission to read audit logs.
  • A Slack workspace and a channel (for example #cloudflare-audit) where the alerts should land.
How can I customize it?
  • Change how often it runs. Every 5 minutes for tighter monitoring, hourly for less noise, or only during business hours.
  • Adjust the high-risk list. Add things like Workers script changes, or downgrade items you do not care about.
  • Send the alerts somewhere else. A different Slack channel, a private DM to your on-call, or both.

Frequently asked questions

Does Cloudflare not already send Slack notifications for audit log activity?
No. This is one of the longest-running asks in the Cloudflare community and there is no native Slack delivery for audit logs. This workflow fills that gap.
What counts as a risky change?
Out of the box: DNS record deletions and apex changes, firewall and WAF rule edits, DNSSEC updates, zone deletions, and new API token creation. You can edit the list any time by changing the prompt.
Will the Slack channel get spammed with routine noise?
No. Routine items like DNS proxy toggles and analytics views are grouped into a single trailing line such as 'and 12 other low-risk changes' so the channel stays signal-heavy.
Can I send the alerts somewhere other than Slack?
Yes. Swap the Slack step for any other tool you have connected, like email, Microsoft Teams, or a ticketing system.
Does this need a paid Cloudflare plan?
Audit logs are available for account-level activity on standard Cloudflare plans. Make sure the API token you connect has permission to read them.

Catch risky Cloudflare changes the moment they happen.

Connect Cloudflare and Slack once, and Geni watches your audit log every 15 minutes for the changes that actually matter.