Run by the team at workflow orchestration and AI platform Tines, the Tines library features pre-built workflows shared by security practitioners across the community.
A recent standout is a workflow that automates security advisory monitoring from CISA and other vendors, enriches advisories with CrowdStrike threat intelligence, and streamlines ticket creation and notifications. Developed by Josh Mclaughlin, a security engineer at LivePerson, this workflow significantly reduces manual work and helps teams stay on top of new vulnerabilities while keeping analysts in control of final decisions.
“Before automation, it took about 150 minutes to create tickets for the 45 vulnerabilities,” explains Josh. “After automation, the time required for the same number of tickets was reduced to about 60 minutes, saving a significant amount of time, freeing analysts from manual tasks like copy-pasting and web browsing.” The LivePerson security team has reduced the time this process takes by 60% through automation and orchestration, significantly increasing both efficiency and analyst morale.
In this guide, we share an overview of the workflow, as well as step-by-step instructions for getting it up and running.
Issue – Manual Tracking of Important Advisories
While timely awareness of newly disclosed vulnerabilities is essential for security teams, monitoring multiple sources, enriching advisories with threat intelligence and creating tickets for remediation is a time-consuming, error-prone task.
Teams often:
- Check CISA and other sources manually
- Research related CVEs
- Determine whether action is required
- Create a ticket manually and notify stakeholders
These repetitive steps not only consume valuable analyst time but also risk inconsistent responses, with critical vulnerabilities missed or handled late.
Solution – Automated Monitoring, Enrichment, and Ticketing
Josh’s pre-built workflow automates the process end-to-end, but importantly, analysts continue to control it at key decision points.
- Pull new advisories from CISA (or your selected open source feed)
- Enrich your findings using CrowdStrike’s threat intelligence
- Notify the security team in Slack and prompt for input via approve and reject buttons
- Once approved, a ServiceNow ticket is automatically created with details of the vulnerability
The result is a streamlined and efficient process that ensures vulnerabilities are quickly tracked and acted on without sacrificing the critical thinking and prioritization that only analysts can offer.
Important benefits of this workflow:
- Reduce manual effort and speed up response times
- Use threat intelligence for smarter prioritization
- Ensure consistent handling of new vulnerabilities
- Strengthen security and collaboration across IT teams
- Boost morale by eliminating boring tasks
- Get easy and fast approval and keep your analysts in control
Workflow Overview
Tools used:
- Tines – Workflow Orchestration and AI Platform (Community Edition available)
- CrowdStrike – Threat Intelligence and EDR Platform
- ServiceNow – Ticketing and ITSM Platform
- Slack – Team Collaboration Platform
How it works:
- RSS Feed Collection: Get the latest advisories from CISA’s RSS feed
- Deduplication: Filter out duplicate advisories
- Vendor Filtering: Focus on advisories for key vendors and services (such as Microsoft, Citrix, Google, Atlassian)
- CVE Extraction: Identify CVEs from the advisory description
- Enrichment: Cross-reference the CVEs with CrowdStrike threat intelligence to add context
- Slack Notifications: Send the enriched vulnerability details, with action buttons, to a dedicated Slack channel
- Approval flow:
  - If approved, the workflow creates a ServiceNow ticket
  - If rejected, the workflow records the decision without creating a ticket
Configuring the Workflow – Step-by-Step Guide
Figure: Tines Community Edition sign-up form
1. Log in to Tines or create a new account.
2. Go to the pre-built workflow in the library and select Import. This takes you directly to your new, pre-built workflow.
Figure: Tines’ drag-and-drop workflow canvas
Figure: Adding new credentials to Tines
3. Set up your credentials.
Three credentials must be added to the Tines tenant:
- CrowdStrike
- ServiceNow
- Slack
Note that you can also use services similar to those listed above, with some adjustments to the workflow.
From the Credentials page, choose to add a new credential, scroll to the relevant credential type, and complete the required fields. Follow the CrowdStrike, ServiceNow and Slack Credentials Guide at explained.com.
4. Configure your actions.
- Configure the Slack channel (slack_channel_vuln_advisory resource) for advisory notifications.
- Set the ServiceNow ticket details (priority, assignment group) in the action that creates the ServiceNow ticket.
- Adjust vendor filtering rules if necessary to match your organization’s priorities.
5. Test your workflow.
Trigger a test run that pulls recent advisories from CISA and verify that:
- Slack notifications are sent in the correct format
- The approval buttons work as expected
- ServiceNow tickets are created correctly upon approval
6. Publish and operate
Once tested, publish your workflow. Share the Slack channel with your team so they can begin reviewing and approving advisories efficiently.
If you want to test this workflow, you can sign up for a free Tines account.