
Built by the team behind the workflow orchestration and AI platform Tines, the Tines library features pre-built workflows shared by security practitioners across the community.
The latest standout is a workflow that automates the monitoring of security advisories from CISA and other sources, enriches them with CrowdStrike threat intelligence, and streamlines ticket creation and notification. Developed by Josh Mclaughlin, a security engineer at LivePerson, the workflow significantly reduces manual work and lets teams stay on top of new vulnerabilities while keeping analysts in control of final decisions.
“Before automation, it took about 150 minutes to create tickets for the 45 vulnerabilities,” explains Josh. “After automation, the time required for the same number of tickets was reduced to about 60 minutes, saving a significant amount of time and freeing analysts from manual tasks like copy-pasting and web browsing.” Through automation and orchestration, the LivePerson security team has cut the time this process takes by 60%, significantly increasing both efficiency and analyst morale.
In this guide, we give an overview of the workflow, followed by step-by-step instructions for getting it up and running.
The Problem – Manual Tracking of Important Advisories
Timely awareness of newly disclosed vulnerabilities is essential for security teams, but monitoring multiple sources, enriching advisories with threat intelligence and creating remediation tickets is a time-consuming, error-prone task.
Teams often:
- Manually review CISA and other sources for CVEs relevant to their environment
- Research each advisory to determine whether action is required
- Create tickets by hand
- Notify stakeholders
These repetitive steps not only consume valuable analyst time but also risk inconsistent handling, with critical vulnerabilities missed or delayed.
The Solution – Automated monitoring, enrichment and ticketing
Josh’s pre-built workflow automates the process end-to-end while, importantly, keeping analysts in control at key decision points.
It pulls new advisories from CISA (or another feed of your choosing), enriches the findings with CrowdStrike threat intelligence, notifies the security team in Slack with Approve and Reject buttons for quick input, and, on approval, automatically creates a ServiceNow ticket containing the vulnerability details.
The result is a streamlined process that ensures vulnerabilities are tracked and acted on quickly, without sacrificing the critical thinking and prioritization that only analysts can provide.
Key benefits of this workflow:
- Reduces manual effort and speeds up response times
- Uses threat intelligence for smarter prioritization
- Ensures consistent handling of new vulnerabilities
- Improves collaboration between security and IT teams
- Boosts morale by eliminating tedious tasks
- Keeps analysts in control through a simple, fast approval step
Workflow Overview
Tools used:
- Tines – Workflow Orchestration and AI Platform (Community Edition available)
- CrowdStrike – Threat Intelligence and EDR Platform
- ServiceNow – Ticketing and ITSM Platform
- Slack – Team Collaboration Platform
How it works:
- RSS feed collection: Fetches the latest advisories from CISA’s RSS feed
- Deduplication: Filters out advisories that have already been processed
- CVE extraction: Identifies the CVE IDs named in the advisory description
- Context enrichment: Cross-references each CVE with CrowdStrike threat intelligence
- Slack notification: Sends the enriched vulnerability, with action buttons, to a dedicated Slack channel
- Approval flow: Analysts approve or reject from Slack; approved advisories become ServiceNow tickets
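To make the six stages concrete, here is an added standalone Python model of the pipeline. It is not Josh’s Tines story and not Tines’, CrowdStrike’s, Slack’s or ServiceNow’s code: the RSS feed and the threat-intel lookup are constructed samples embedded inline, no network calls are made, and the severity-to-priority mapping is a local assumption. The Slack message follows the Block Kit section/actions shape and the ServiceNow body uses Table API field names, but the field values and the `slack_channel`/`assignment_group` inputs are placeholders you would replace with your own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample standing in for the CISA RSS feed (nothing is fetched).
# Item 2 deliberately duplicates item 1; item 3 names no CVE.
SAMPLE_RSS = """<rss version="2.0"><channel><title>Constructed advisory feed</title>
<item><title>Example Vendor Releases Security Update for Product A</title><link>https://example.invalid/advisories/a-001</link>
<guid>https://example.invalid/advisories/a-001</guid><description>Fixes CVE-2025-0001 and CVE-2025-0002 in Product A.</description></item>
<item><title>Example Vendor Releases Security Update for Product A</title><link>https://example.invalid/advisories/a-001</link>
<guid>https://example.invalid/advisories/a-001</guid><description>Fixes CVE-2025-0001 and CVE-2025-0002 in Product A.</description></item>
<item><title>Other Vendor Advisory With No CVE Yet</title><link>https://example.invalid/advisories/b-007</link>
<guid>https://example.invalid/advisories/b-007</guid><description>Details to follow.</description></item>
</channel></rss>"""

# Constructed stand-in for a threat-intel lookup keyed by CVE ID (assumption:
# the real enrichment returns at least a severity and an exploited flag).
SAMPLE_INTEL = {
    "CVE-2025-0001": {"severity": "critical", "exploited": True},
    "CVE-2025-0002": {"severity": "medium", "exploited": False},
}

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b")
# Local severity -> ServiceNow priority (1 = highest) mapping; an assumption, not from the page.
SEVERITY_RANK = {"critical": 1, "high": 2, "medium": 3, "low": 4, "unknown": 5}


def parse_feed(xml_text):
    """Stage 1: one dict per <item> of an RSS 2.0 document."""
    root = ET.fromstring(xml_text)
    return [{f: (it.findtext(f) or "").strip()
             for f in ("title", "link", "guid", "description")}
            for it in root.iter("item")]


def dedupe(items, seen):
    """Stage 2: keep items whose guid (or link) is not in `seen`; records them in `seen`."""
    fresh = []
    for item in items:
        key = item["guid"] or item["link"]
        if key and key not in seen:
            seen.add(key)
            fresh.append(item)
    return fresh


def extract_cves(item):
    """Stage 3: unique, sorted CVE IDs named in the title or description."""
    return sorted(set(CVE_RE.findall(item["title"] + " " + item["description"])))


def enrich(cves, intel):
    """Stage 4: attach intel per CVE; unknown IDs get a neutral record, not an error."""
    return {c: intel.get(c, {"severity": "unknown", "exploited": False}) for c in cves}


def slack_approval_message(item, enrichment, channel):
    """Stage 5: Slack Block Kit payload with the enriched summary and two buttons.
    Each button's `value` carries the advisory guid so the click handler can find it."""
    lines = [f"*{item['title']}*", item["link"]]
    for cve, info in enrichment.items():
        tag = " (exploited in the wild)" if info["exploited"] else ""
        lines.append(f"- {cve}: severity {info['severity']}{tag}")

    def button(label, action_id, style):
        return {"type": "button", "text": {"type": "plain_text", "text": label},
                "style": style, "action_id": action_id, "value": item["guid"]}

    return {"channel": channel, "blocks": [
        {"type": "section", "text": {"type": "mrkdwn", "text": "\n".join(lines)}},
        {"type": "actions", "elements": [button("Approve", "approve", "primary"),
                                         button("Reject", "reject", "danger")]}]}


def servicenow_ticket(item, enrichment, assignment_group):
    """Body for a ServiceNow Table API insert; priority follows the worst severity seen."""
    worst = min((i["severity"] for i in enrichment.values()),
                key=lambda s: SEVERITY_RANK.get(s, 5), default="unknown")
    details = "\n".join(f"{c}: {i['severity']}" + (", exploited" if i["exploited"] else "")
                        for c, i in enrichment.items())
    return {"short_description": item["title"][:160],
            "description": item["link"] + "\n" + details,
            "priority": SEVERITY_RANK.get(worst, 5),
            "assignment_group": assignment_group}


def process_feed(xml_text, seen, intel, channel):
    """Stages 1-5. Returns pending approvals keyed by guid; no ticket exists yet."""
    pending = {}
    for item in dedupe(parse_feed(xml_text), seen):
        cves = extract_cves(item)
        if not cves:
            continue  # nothing to enrich; a deployment might route these to a review queue
        enrichment = enrich(cves, intel)
        pending[item["guid"]] = {"item": item, "enrichment": enrichment,
                                 "slack": slack_approval_message(item, enrichment, channel)}
    return pending


def on_button_click(action_id, value, pending, assignment_group):
    """Stage 6: only an explicit Approve yields a ticket body; Reject drops the item."""
    entry = pending.pop(value, None)
    if entry is None or action_id != "approve":
        return None
    return servicenow_ticket(entry["item"], entry["enrichment"], assignment_group)
```

The point worth noticing is the split between `process_feed` and `on_button_click`: everything up to the Slack prompt runs unattended, but the ServiceNow body is only built when a human clicks Approve, which is exactly the control point the workflow description keeps for analysts. The `seen` set is the deduplication state; in a real deployment it would live in persistent storage rather than in memory, otherwise every restart re-notifies the same advisories.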
Configuring Workflows – Step-by-Step Guide
Tines Community Edition Sign-up Form
1. Log in to Tines or create a new account.
2. Go to the pre-built workflow in the library and select Import. This gives you your own copy of the pre-built workflow to work from.
Tines’ Drag and Drop Canvas Workflow
Add new credentials to Tines
3. Set up your credentials
Three credentials must be added to your Tines tenant:
- CrowdStrike
- ServiceNow
- Slack
Note that you can substitute similar services for those listed above; adjust the workflow accordingly.
From the Credentials page, select New credential, scroll to the relevant service and complete the required fields. Follow the CrowdStrike, ServiceNow and Slack credential guides in the Tines documentation (explained.tines.com).
4. Configure the actions
- Set the Slack channel for advisory notifications (the slack_channel_vuln_advisory resource).
- Set the ServiceNow ticket details (priority, assignment group) in the Create ServiceNow ticket action.
- Adjust the vendor filtering rules if needed to match your organization’s priorities.
5. Test your workflow
Pull recent advisories from CISA to trigger a test run and verify that:
- Slack notifications are sent in the correct format
- The approval buttons work
- An approved advisory creates the expected ServiceNow ticket
6. Publish and operate
Once tested, publish the workflow and share the Slack channel with your team so they can begin reviewing and approving advisories efficiently.
If you want to try this workflow, you can sign up for a free Tines account.