Weekly Cloudflare WAF and traffic security digest in Slack

Every Monday morning, get a plain English summary of what Cloudflare blocked last week, posted to Slack with a Linear ticket auto-filed when something looks unusual.

Agentic Task
Cloudflare, Slack, Linear, Engineering, Operations, Daily Digests, Notifications & Alerts, AI Reports

Every Monday at 8am Eastern, build me a weekly Cloudflare attack and traffic security digest for my engineering and security team. Use a cron trigger on that weekly schedule.

Step 1: Use the Cloudflare Query GraphQL Analytics operation to pull the last seven days of zone metrics across all my Cloudflare zones. I want total requests, cached vs uncached share, requests blocked or challenged by WAF custom rules and managed rules, top source countries and ASNs for blocked traffic, and top targeted hostnames and URI paths. Then pull the same numbers for the prior seven days so we can compute week over week deltas.

Step 2: Have the agent write a concise executive summary in plain English. Cover how much traffic we saw, what share was blocked, the biggest movers versus the previous week, the top three attack categories or rule IDs that fired, and the top three offending source ASNs or countries.

Step 3: Post the summary to a configured Slack channel using Slack Send a Message. Format it with section headings and inline week over week percentage deltas so it reads cleanly in the channel.

Step 4: Check anomaly thresholds. If any of these conditions hit, also file a Linear issue using Linear Create Issue in a configurable team, priority High, with a title naming the anomaly and a description that includes the relevant numbers plus a link back to the Slack post so the on call security engineer can pick it up:

1) Total blocked requests jumped more than 50 percent week over week.
2) A single source ASN accounts for more than 25 percent of blocked traffic.
3) A brand new attack category appears that did not fire at all the prior week.

The goal is to give the team a regular signal of what Cloudflare is actually catching at the edge without anyone having to log into the dashboard, and to auto-escalate when something looks unusual.
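The Step 4 threshold check, written out as an added example (not part of the original prompt or of any platform's code). The `WeekStats` shape, the function names, the sample counts and the handling of a zero prior-week baseline are assumptions made for illustration.

```python
from dataclasses import dataclass

BLOCK_JUMP_PCT = 50.0  # page default: blocked requests up more than 50% WoW
ASN_SHARE_PCT = 25.0   # page default: one ASN above 25% of blocked traffic

@dataclass
class WeekStats:
    # Hypothetical shape: one week of counts, already summed across zones.
    blocked_total: int
    blocked_by_asn: dict
    blocked_by_category: dict

def pct_delta(current, previous):
    """Week over week change in percent, or None when there is no baseline."""
    return None if previous == 0 else (current - previous) / previous * 100.0

def find_anomalies(this_week, last_week):
    """Return (rule, title) pairs; each title can serve as a ticket title."""
    found = []
    delta = pct_delta(this_week.blocked_total, last_week.blocked_total)
    if delta is None:
        # Assumption: blocks appearing from a zero baseline count as a jump.
        if this_week.blocked_total > 0:
            found.append(("blocked_jump", "Blocked requests appeared with no prior-week baseline"))
    elif delta > BLOCK_JUMP_PCT:
        found.append(("blocked_jump", f"Blocked requests up {delta:.0f}% week over week"))
    if this_week.blocked_total > 0:
        for asn, count in sorted(this_week.blocked_by_asn.items()):
            share = count / this_week.blocked_total * 100.0
            if share > ASN_SHARE_PCT:
                found.append(("asn_share", f"{asn} accounts for {share:.0f}% of blocks"))
    for cat, count in sorted(this_week.blocked_by_category.items()):
        if count > 0 and last_week.blocked_by_category.get(cat, 0) == 0:
            found.append(("new_category", f"New attack category: {cat}"))
    return found

# Constructed sample data, sized to resemble the example digest on this page.
LAST_WEEK = WeekStats(2_468_000, {"AS64500": 380_000},
                      {"SQLi": 660_000, "Bot Management": 803_000, "Anomaly Score": 535_000})
THIS_WEEK = WeekStats(3_900_000, {"AS14618": 1_200_000, "AS64500": 400_000},
                      {"SQLi": 1_400_000, "Bot Management": 980_000, "Anomaly Score": 610_000})

if __name__ == "__main__":
    for rule, title in find_anomalies(THIS_WEEK, LAST_WEEK):
        print(f"[{rule}] {title}")
```

The comparisons are strict, so a rise of exactly 50 percent or a share of exactly 25 percent does not escalate, matching the "more than" wording of the thresholds.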

Example output

*Cloudflare weekly security digest — Jun 9 to Jun 15*

*Traffic*
• 412.6M total requests across 14 zones (up 6% week over week)
• 71% served from cache (flat week over week)

*WAF activity*
• 3.9M requests blocked or challenged (up 58% week over week)
• Top rule categories: SQLi (1.4M, up 112%), Bot Management (980K, up 22%), Anomaly Score (610K, up 14%)
• Top targeted host: api.example.com (1.7M blocks, 44% of total)

*Top offenders*
• AS14618 Amazon (US): 1.2M blocks, 31% of total — new this week
• Country VN: 540K blocks (up 87% week over week)
• Country RU: 410K blocks (down 6% week over week)

*Flagged for on call*
• Blocked requests jumped 58% week over week (threshold: 50%)
• AS14618 alone accounts for 31% of blocks (threshold: 25%)
• Linear ticket SEC-412 filed, priority High

Additional information

What does this prompt do?
  • Pulls last week's request, cache, and WAF block numbers across all your Cloudflare zones, then compares them to the prior week so you see week over week movement.
  • Writes a short executive summary covering total traffic, the blocked share, the biggest movers, the top attack categories that fired, and the worst offending countries or networks.
  • Posts the digest to a Slack channel with section headings and clean percentage deltas, so the team can read it in the channel without opening the Cloudflare dashboard.
  • If a single signal looks unusual (a sharp jump in blocks, one network dominating blocked traffic, or a brand new attack category appearing), files a high priority Linear ticket for on call to triage.
What do I need to use this?
  • A Cloudflare account with access to the zones you want covered in the digest.
  • A Slack workspace and the channel where the weekly digest should land.
  • A Linear workspace and the team where escalation tickets should be filed when anomalies hit.
How can I customize it?
  • Change the cadence. The default runs every Monday at 8am Eastern, but any weekly schedule works.
  • Pick the Slack channel that receives the digest and the Linear team that receives the escalation tickets.
  • Tune the attention thresholds. Defaults are a 50 percent week over week jump in blocked traffic, any single network responsible for over 25 percent of blocks, or a brand new attack category.

Frequently asked questions

Will this work across multiple Cloudflare zones?
Yes. The digest rolls up traffic and block numbers across every zone your Cloudflare login has access to, and you can scope it to a subset if you only want certain properties covered.
Do I need a paid Cloudflare plan?
The underlying analytics are available on Cloudflare's Pro plan and above, with more granular data on Business and Enterprise. Free plans get a much shorter analytics window, so the week over week comparison may not be reliable there.
Does this replace Cloudflare's built in weekly email?
It's meant to complement it. Cloudflare's native weekly summary is per zone and lands in personal inboxes. This one rolls up all your zones, lands in a shared Slack channel, and escalates to Linear when something looks unusual instead of just emailing you.
What counts as an escalation worthy anomaly?
Out of the box, a Linear ticket is filed if blocked requests jump more than 50 percent week over week, a single source network accounts for more than 25 percent of blocked traffic, or a brand new attack category appears that did not fire at all the prior week. You can adjust those thresholds.
Can I send the digest somewhere other than Slack?
Yes. The default is Slack because that's where most security teams already triage, but the same summary can be routed to email, Microsoft Teams, or any other channel the platform supports.

Stop hoping nothing weird happened at the edge last week.

Connect Cloudflare, Slack, and Linear once, and Geni posts the digest every Monday and pages on call automatically when anomalies show up.