Automated Runbooks
Chain mitigation steps into automated incident response playbooks. Trigger a sequence of actions when specific conditions are met, from enabling Cloudflare UAM to notifying PagerDuty to enabling upstream scrubbing.
How It Works
Define the playbook once. Let it execute every time.
A runbook is an ordered sequence of actions that executes automatically when an incident matches its trigger conditions. You define the steps, the order, and the wait times between them. When an attack hits, the runbook runs from top to bottom without human intervention.
Each step has its own action type: queue a firewall command, send an alert to a notification channel, POST to a webhook, toggle Cloudflare Under Attack Mode, enable upstream scrubbing, or simply wait before the next step. Steps execute sequentially, and every execution is logged with timestamps and results.
If a step fails, the runbook logs the failure and continues to the next step. The full execution history is available in your audit log, including per-step duration, status, and any error messages.
| Capability | Detail |
| --- | --- |
| Trigger types | Severity, attack family, PPS threshold, node selection |
| Action types | iptables, notify, webhook, Cloudflare UAM, scrubbing, wait, log |
| Max steps | Up to 20 steps per runbook |
| Wait steps | Configurable delay (1s to 30 minutes) |
| Failure handling | Log failure, continue to next step |
| Audit trail | Per-step execution log with timestamps and results |
```text
Trigger: severity >= critical AND family = UDP flood
09:44:19 ⚠ Incident #a3f7c2b1 matched
Step 1 Enable Cloudflare UAM
  → ✓ UAM enabled (0.4s)
Step 2 Wait 30s
  → pausing...
Step 3 Notify PagerDuty
  → ✓ PD incident created (0.6s)
Step 4 Wait 2m
  → pausing...
Step 5 Enable OVH Scrubbing
  → ✓ Scrubbing activated (1.2s)
Step 6 Webhook to NOC
  → ✓ POST 200 OK (0.3s)
Runbook complete · 6/6 steps passed
```
Trigger Conditions
Fine-grained control over when a runbook fires
Each runbook has one or more trigger conditions that must all match before execution begins. Combine them to target exactly the scenarios you want automated.
Severity threshold
Fire only when the incident severity reaches a specific level. Choose from critical, high, or medium. A runbook set to "high" will also fire on critical incidents.
Attack family match
Restrict the runbook to specific attack classifications: UDP flood, SYN flood, HTTP flood, DNS amplification, NTP amplification, ICMP flood, or any combination.
Minimum PPS threshold
Set a packets-per-second floor. The runbook only fires if the incident's peak PPS exceeds this value, preventing execution on small, low-impact incidents.
Node selection
Scope the runbook to specific nodes or apply it workspace-wide. A game server runbook can target only your game nodes while your web tier has its own playbook.
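The matching and execution semantics described above (all trigger conditions must hold, a "high" threshold also fires on critical, the PPS floor must be exceeded, steps run in order, and a failed step is logged and skipped over) modelled as a small reference implementation. This is an added example with a hypothetical data model, not the product's own code; the action callables stand in for the real firewall, notification and webhook integrations.

```python
from dataclasses import dataclass, field
import time

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}

@dataclass
class Incident:
    id: str
    severity: str
    family: str
    peak_pps: int
    node: str

@dataclass
class Trigger:
    min_severity: str = "medium"
    families: set = field(default_factory=set)  # empty = any family
    min_pps: int = 0                             # PPS floor; peak must exceed it
    nodes: set = field(default_factory=set)      # empty = workspace-wide

def trigger_matches(t: Trigger, inc: Incident) -> bool:
    """All conditions must hold; a 'high' threshold also fires on critical."""
    if SEVERITY_RANK[inc.severity] < SEVERITY_RANK[t.min_severity]:
        return False
    if t.families and inc.family not in t.families:
        return False
    if inc.peak_pps <= t.min_pps:
        return False
    if t.nodes and inc.node not in t.nodes:
        return False
    return True

def wait(seconds):
    # Wait step: time.sleep returns None, so the 'or' yields the log message.
    return lambda inc: time.sleep(seconds) or f"waited {seconds}s"

def run_runbook(steps, inc):
    """Run (name, action) steps in order. A failing step is logged and execution
    continues; every step gets a timestamped audit entry with status and duration."""
    if len(steps) > 20:  # per-runbook step limit stated on the page
        raise ValueError("runbook exceeds 20 steps")
    audit = []
    for n, (name, action) in enumerate(steps, 1):
        start = time.monotonic()
        try:
            status, result = "ok", action(inc)
        except Exception as exc:
            status, result = "failed", str(exc)
        audit.append({"step": n, "name": name, "status": status, "result": result,
                      "ts": time.time(), "duration_s": round(time.monotonic() - start, 3)})
    return audit
```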
7 Action Types
Every step in your incident playbook, automated
Queue firewall commands
Push iptables drop, rate-limit, or block rules to the node. Uses the same firewall rule engine with auto-undo on resolution.
Send alert to specific channel
Send a targeted notification to any configured channel: Discord, Slack, PagerDuty, OpsGenie, email, SMS, or webhook.
POST to external URL
Send a JSON payload to any external endpoint. Include incident data, runbook context, and step metadata. Ideal for NOC integrations.
Toggle Under Attack Mode
Enable Cloudflare Under Attack Mode on one or more zones. Auto-disables when the incident resolves or a later step clears it.
Auto-divert to scrubbing provider
Activate upstream scrubbing via your configured provider (OVH, Path.net, Voxility). Traffic is diverted through the scrubbing center automatically.
Pause between steps
Insert a configurable delay (1 second to 30 minutes) between steps. Gives previous actions time to take effect before escalating.
Write to audit log
Insert a custom message into the audit log at any point in the runbook. Useful for compliance, debugging, and post-incident review.
Single Rules vs. Runbooks
One action is not a response plan
Single mitigation rules
- Single rules can only do one action per trigger
- No delay or sequencing capability
- No escalation path if the first action is not enough
- No way to coordinate across firewall, alerts, and scrubbing
- Manual intervention needed for multi-step response
Automated Runbooks
- Runbooks chain multiple actions in order
- Built-in wait steps for measured escalation
- Full execution audit trail with per-step results
- Coordinate firewall, notifications, scrubbing, and webhooks in one playbook
- Entire response runs without human intervention
Use Cases
Real-world runbooks for real-world attacks
Game server protection
Game servers need immediate mitigation with minimal false positives. This runbook applies firewall rules first, waits to see if the attack subsides, then escalates to scrubbing only if the attack persists.
2. Wait 30s
3. Notify Discord
4. Wait 2m
5. If still active: enable scrubbing
6. Log to audit
Enterprise multi-tier escalation
Large organizations need tiered escalation with time for each level to respond. Start with automated mitigation, escalate to the NOC, then page leadership if the attack continues.
2. Notify Slack #security
3. Wait 5m
4. Page PagerDuty on-call
5. Wait 10m
6. Webhook to NOC dashboard
ISP automated response
ISPs managing hundreds of customer nodes need automated scrubbing activation and customer notification. The runbook handles the entire workflow without operator involvement.
2. Webhook to billing system
3. Enable upstream scrubbing
4. Notify customer via email channel
5. Wait 15m
6. Page NOC if still active