Automatically Create OpsGenie Alerts from Cloudflare WAF Security Events
This recipe polls Cloudflare WAF firewall events and instantly creates priority alerts in OpsGenie so your security team is notified the moment a threat is detected. No more manually checking Cloudflare dashboards — incidents flow straight into your on-call workflow.
- 1
Schedule a polling trigger every 5 minutes
Add a
Schedule Triggernode. SetRuletoEvery 5 Minutes. This node kicks off the workflow regularly to check for new WAF events. No credentials needed here. - 2
Fetch recent Cloudflare WAF firewall events
Add an
HTTP Requestnode namedGet Cloudflare WAF Events. SetMethodtoGETandURLtohttps://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/firewall/events. InHeaders, addX-Auth-Emailwith your Cloudflare account email andX-Auth-Keywith your Cloudflare Global API Key (store these as n8n credentials or environment variables). Add a query parameterper_pageset to20to limit results. ReplaceYOUR_ZONE_IDwith the Zone ID found in your Cloudflare dashboard under the domain overview. - 3
Filter for block and challenge actions only
Add an
IFnode namedIs Block or Challenge. SetConditiontoStringwhereValue 1is{{ $json.action }}andOperationisContainsandValue 2isblock. This ensures only actionable WAF events proceed to create alerts. Events with actionalloware discarded on the false branch. - 4
Map event fields into a clean alert payload
Add a
Setnode namedBuild Alert Payload. Add the following fields:alertMessageas a string expressionWAF {{ $json.action }} from {{ $json.client_ip }} matched rule {{ $json.rule_id }};priorityas stringP2;sourceIPmapped from{{ $json.client_ip }};ruleIdmapped from{{ $json.rule_id }};occurredAtmapped from{{ $json.occurred_at }}. This shapes the data before sending to OpsGenie. - 5
Create an alert in OpsGenie
Add an
HTTP Requestnode namedCreate OpsGenie Alert. SetMethodtoPOSTandURLtohttps://api.opsgenie.com/v2/alerts. InHeaders, addAuthorizationasGenieKey YOUR_OPSGENIE_API_KEYandContent-Typeasapplication/json. InBody, selectJSONand paste:{ "message": "{{ $json.alertMessage }}", "alias": "cloudflare-waf-{{ $json.ruleId }}", "priority": "{{ $json.priority }}", "details": { "sourceIP": "{{ $json.sourceIP }}", "ruleId": "{{ $json.ruleId }}", "occurredAt": "{{ $json.occurredAt }}" } }. ReplaceYOUR_OPSGENIE_API_KEYwith the API key from your OpsGenie team integration settings.
Frequently asked questions
How do I find my Cloudflare Zone ID?
Log in to the Cloudflare dashboard, select your domain, and scroll down on the Overview page. The Zone ID is displayed in the right-hand sidebar under API. Copy and paste it into the HTTP Request URL replacing YOUR_ZONE_ID.
How do I get an OpsGenie API key?
In OpsGenie, go to Settings > Integrations > Add Integration, search for API, and create a new API integration. Copy the generated API key and use it in the Authorization header as GenieKey followed by a space and then the key.
Will this create duplicate alerts if the same event appears in multiple polls?
The alias field in the OpsGenie alert payload is set to a unique combination of the WAF rule ID. OpsGenie deduplicates alerts with the same alias, so the same event will update an existing open alert rather than creating a new one.