The "IP Penalty Box with Timeout via Slack (Cloudflare)" workflow template is designed to enhance network security measures by allowing teams to quickly respond to threats. When a security alert indicates a problematic IP, a user can execute a Slack command to temporarily block an IPv4 or IPv6 address directly in Cloudflare. The automated process verifies the address type, adds it to Cloudflare's IP Access Rules to enforce the block, and then automatically lifts the block after a predefined delay—streamlining the response to web security alerts without ongoing manual oversight.

Trigger

Slack

Optional Triggers

Webhook,"Microsoft Teams",Webex

Use Cases

Remediate Network Security Alerts , Remediate Web Security Alerts

Workflow Breakdown

Send the command Cloudflare_Penalty via slack with the IPv4 or IPv6 address to block
Verify which type of address to handle
Add the address to the IP Access Rules in Cloudflare
If no address is provided, provide a message back to the user
If the block was successful, wait for the delay and remove the block when it expires

Vendors

Slack, Utils, Cloudflare

Tips

Set the command for Slack in the \"Will trigger when\" section of the trigger.","Adjust the desired delay in the Set Workflow Variables step

Slack Mention to Analyze Suspicious URLs and IPs with VirusTotal - Workflow Template

Add Phishing Domain to CloudFlare ZeroTrust (IntSights) - Workflow Template

Add/Del (IPs/Ranges/Subnets) from Okta BlockedIpZone (Okta) - Workflow Template

Remediate Alerts from Rules to External Address Adaptive Shield - Workflow Template

Check if IPv4 Address is Part of an AWS IP Network Block - Workflow Template