Dev Ops · n8n

Automatically Create OpsGenie Alerts from Cloudflare WAF Security Events

This recipe polls Cloudflare WAF firewall events and instantly creates priority alerts in OpsGenie so your security team is notified the moment a threat is detected. No more manually checking Cloudflare dashboards — incidents flow straight into your on-call workflow.

difficulty Intermediatesetup 45 minresult Every Cloudflare WAF block or challenge event triggers a structured OpsGenie alert with event details, source IP, and rule ID so your team can respond immediately.
  1. 1

    Schedule a polling trigger every 5 minutes

    Add a Schedule Trigger node. Set Rule to Every 5 Minutes. This node kicks off the workflow regularly to check for new WAF events. No credentials needed here.

  2. 2

    Fetch recent Cloudflare WAF firewall events

    Add an HTTP Request node named Get Cloudflare WAF Events. Set Method to GET and URL to https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/firewall/events. In Headers, add X-Auth-Email with your Cloudflare account email and X-Auth-Key with your Cloudflare Global API Key (store these as n8n credentials or environment variables). Add a query parameter per_page set to 20 to limit results. Replace YOUR_ZONE_ID with the Zone ID found in your Cloudflare dashboard under the domain overview.

  3. 3

    Filter for block and challenge actions only

    Add an IF node named Is Block or Challenge. Set Condition to String where Value 1 is {{ $json.action }} and Operation is Contains and Value 2 is block. This ensures only actionable WAF events proceed to create alerts. Events with action allow are discarded on the false branch.

  4. 4

    Map event fields into a clean alert payload

    Add a Set node named Build Alert Payload. Add the following fields: alertMessage as a string expression WAF {{ $json.action }} from {{ $json.client_ip }} matched rule {{ $json.rule_id }}; priority as string P2; sourceIP mapped from {{ $json.client_ip }}; ruleId mapped from {{ $json.rule_id }}; occurredAt mapped from {{ $json.occurred_at }}. This shapes the data before sending to OpsGenie.

  5. 5

    Create an alert in OpsGenie

    Add an HTTP Request node named Create OpsGenie Alert. Set Method to POST and URL to https://api.opsgenie.com/v2/alerts. In Headers, add Authorization as GenieKey YOUR_OPSGENIE_API_KEY and Content-Type as application/json. In Body, select JSON and paste: { "message": "{{ $json.alertMessage }}", "alias": "cloudflare-waf-{{ $json.ruleId }}", "priority": "{{ $json.priority }}", "details": { "sourceIP": "{{ $json.sourceIP }}", "ruleId": "{{ $json.ruleId }}", "occurredAt": "{{ $json.occurredAt }}" } }. Replace YOUR_OPSGENIE_API_KEY with the API key from your OpsGenie team integration settings.

Frequently asked questions

How do I find my Cloudflare Zone ID?

Log in to the Cloudflare dashboard, select your domain, and scroll down on the Overview page. The Zone ID is displayed in the right-hand sidebar under API. Copy and paste it into the HTTP Request URL replacing YOUR_ZONE_ID.

How do I get an OpsGenie API key?

In OpsGenie, go to Settings > Integrations > Add Integration, search for API, and create a new API integration. Copy the generated API key and use it in the Authorization header as GenieKey followed by a space and then the key.

Will this create duplicate alerts if the same event appears in multiple polls?

The alias field in the OpsGenie alert payload is set to a unique combination of the WAF rule ID. OpsGenie deduplicates alerts with the same alias, so the same event will update an existing open alert rather than creating a new one.

About this recipe. Recipes on FlowRecipesHub are written for business owners, not developers, and are tested before publishing — how recipes get made. Some ingredient links are affiliate links that cost you nothing — full disclosure.