New Extension: Cloudflare Response 🛡️

We’ve just released ext-cloudflare, a new extension that connects LimaCharlie to your Cloudflare account so your D&R rules and AI agents can respond to threats at the edge — directly from a detection, no separate SOAR needed.

What you can do with it:

  • Block attackers at the edge — block an IP, IP range, ASN, or entire country the moment a detection fires, before traffic ever reaches your origin. You can also challenge instead of block, and every block has a matching undo.
  • Push WAF rules — add custom WAF rules on the fly as part of a response.
  • Respond in Zero Trust — revoke a compromised Access user’s sessions and devices, or push IOCs onto a Gateway block list.
  • Fix DNS & cache fast — re-point a hijacked DNS record to a sinkhole, delete a bad record, or purge cache.
  • Investigate — pull audit logs, search firewall/WAF events, list Access users and their activity, and more.

And if there’s a Cloudflare API endpoint we haven’t wrapped in a friendly action yet, the generic api_call action reaches the entire Cloudflare v4 API (including GraphQL Analytics), so you’re never blocked.

Safety was a priority: every action that targets something requires an explicit target — an account-wide response can never fire by accident.

Getting started:

  1. Create a scoped API Token in Cloudflare with just the permissions you need (the README lists the least-privileged set per action).
  2. Subscribe to ext-cloudflare in the LimaCharlie Marketplace.
  3. Store the token in Secrets Manager and point the extension at it — optionally set a default account/zone.

That’s it — your detections can now defend your edge. Feedback and feature requests welcome in this thread! :rocket: