Run by the team at workflow orchestration and AI platform Tines, the Tines library features pre-built workflows shared by security practitioners from across the community – all free to import and deploy via the platform's Community Edition.
A recent standout is a workflow that automates monitoring for security advisories from CISA and other sources, enriches advisories with CrowdStrike threat intelligence, and streamlines ticket creation and notification. Developed by Josh McLaughlin, a security engineer at LivePerson, the workflow drastically reduces manual work while keeping analysts in control of final decisions, helping teams stay on top of new vulnerabilities.
"Before automation, creating tickets for 45 vulnerabilities took about 150 minutes of work," Josh explains. "After automation, the time needed for the same number of tickets dropped to around 60 minutes, saving significant time and freeing analysts from manual tasks like copy-pasting and web searching." LivePerson's security team reduced the time this process takes by 60% through automation and orchestration, a meaningful boost to both efficiency and analyst morale.
In this guide, we'll share an overview of the workflow, plus step-by-step instructions for getting it up and running.
The problem – manual monitoring of critical advisories
For security teams, timely awareness of newly disclosed vulnerabilities is essential – but monitoring multiple sources, enriching advisories with threat intelligence, and creating tickets for remediation are time-consuming and error-prone tasks.
Teams typically need to:
- Manually check CISA and other sources for advisories
- Research related CVEs
- Decide whether action is required
- Manually create tickets and notify stakeholders
These repetitive steps not only consume valuable analyst time but also risk inconsistent responses if an important vulnerability is missed or delayed.
The solution – automated monitoring, enrichment, and ticketing
Josh's pre-built workflow automates the process end-to-end – but crucially, it keeps analysts in control at key decision points:
- It pulls new advisories from CISA (or a chosen open-source feed)
- It enriches findings using CrowdStrike's threat intelligence
- It notifies the security team in Slack, and prompts them to provide input quickly via approve and deny buttons
- Upon approval, it automatically creates a ServiceNow ticket with the vulnerability's details
The result is a streamlined, efficient process that ensures vulnerabilities are tracked and actioned quickly, without sacrificing the critical thinking and prioritization that only analysts can provide.
Key benefits of this workflow:
- Reduces manual effort and accelerates response time
- Leverages threat intelligence for smarter prioritization
- Ensures consistent handling of new vulnerabilities
- Strengthens collaboration across security and IT teams
- Boosts morale by eliminating tedious tasks
- Keeps analysts in control with simple, fast approvals
Workflow overview
Tools used:
- Tines – workflow orchestration and AI platform (Community Edition available)
- CrowdStrike – threat intelligence and EDR platform
- ServiceNow – ticketing and ITSM platform
- Slack – team collaboration platform
How it works:
- RSS feed collection: fetches the latest advisories from CISA's RSS feed
- Deduplication: filters out advisories that have already been processed, so an item the feed re-publishes is not surfaced twice
- Vendor filtering: focuses on advisories from key vendors and services (e.g., Microsoft, Citrix, Google, Atlassian)
- CVE extraction: identifies CVE IDs in advisory descriptions
- Enrichment: cross-references the CVEs with CrowdStrike threat intelligence for additional context
- Slack notification: sends the enriched vulnerability with action buttons to a dedicated Slack channel
- Approval flow:
  - If approved, the workflow creates a ServiceNow ticket
  - If denied, the workflow logs the decision without creating a ticket
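To make the first half of that pipeline concrete, here is an added Python example of the feed collection, deduplication, vendor filtering, CVE extraction and Slack message stages. It is illustrative code written for this guide, not the Tines workflow's own actions or Josh's implementation: the feed is a constructed RSS sample with placeholder URLs and placeholder CVE identifiers rather than a live fetch from CISA, the watched-vendor list and the deduplication key (the item's guid, falling back to its link) are assumptions, and the CrowdStrike enrichment and ServiceNow ticket creation are deliberately left to the real integrations.

```python
"""Illustrative advisory pipeline (not the Tines workflow's own code):
parse feed -> deduplicate -> filter by vendor -> extract CVE IDs -> build
the Slack approve/deny message. Enrichment and ticketing are omitted."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an RSS 2.0 feed. Titles, URLs and
# CVE identifiers are placeholders, not real advisories.
SAMPLE_RSS = """<rss version="2.0"><channel>
<item><title>Microsoft Releases Security Updates for Multiple Products</title>
<link>https://feed.example/advisory/1</link><guid>https://feed.example/advisory/1</guid>
<description>Updates address CVE-2099-00001 and cve-2099-12345 (placeholders).</description></item>
<item><title>Citrix Releases Security Updates for NetScaler</title>
<link>https://feed.example/advisory/2</link><guid>https://feed.example/advisory/2</guid>
<description>Fixes CVE-2099-00002; see also CVE-2099-00002 in the bulletin.</description></item>
<item><title>Microsoft Releases Security Updates for Multiple Products</title>
<link>https://feed.example/advisory/1</link><guid>https://feed.example/advisory/1</guid>
<description>Feeds re-publish items; this is a duplicate of advisory 1.</description></item>
<item><title>ExampleCo Releases Firmware Update</title>
<link>https://feed.example/advisory/3</link><guid>https://feed.example/advisory/3</guid>
<description>Vendor not on the watch list and no CVE referenced.</description></item>
</channel></rss>"""

# Assumed watch list; the page names these four as examples.
WATCHED_VENDORS = ("Microsoft", "Citrix", "Google", "Atlassian")

# A CVE ID is a 4-digit year and a sequence of 4 or more digits. Match
# case-insensitively because advisory text is not always upper-cased.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def parse_feed(xml_text):
    """Return one dict per <item>, with empty strings for missing fields."""
    root = ET.fromstring(xml_text)
    return [{f: (node.findtext(f) or "").strip()
             for f in ("title", "link", "guid", "description")}
            for node in root.iter("item")]


def dedupe(items, seen):
    """Drop items whose key (guid, else link) is already in `seen`.
    `seen` is meant to persist across runs so an advisory surfaces once."""
    fresh = []
    for item in items:
        key = item["guid"] or item["link"]
        if key and key not in seen:
            seen.add(key)
            fresh.append(item)
    return fresh


def match_vendor(item, vendors=WATCHED_VENDORS):
    """Return the first watched vendor named in the title, else None.
    Whole-word match, so 'Googlebot' would not match 'Google'."""
    for vendor in vendors:
        if re.search(rf"\b{re.escape(vendor)}\b", item["title"], re.IGNORECASE):
            return vendor
    return None


def extract_cves(text):
    """Upper-cased, order-preserving, de-duplicated CVE IDs found in text."""
    return list(dict.fromkeys(m.upper() for m in CVE_RE.findall(text)))


def process_feed(xml_text, seen):
    """Run parse -> dedupe -> vendor filter -> CVE extraction and return the
    records that would go on to enrichment and the Slack notification."""
    results = []
    for item in dedupe(parse_feed(xml_text), seen):
        vendor = match_vendor(item)
        if vendor is None:
            continue
        results.append({"title": item["title"], "link": item["link"],
                        "vendor": vendor,
                        "cves": extract_cves(item["title"] + " " + item["description"])})
    return results


def slack_blocks(record):
    """Slack Block Kit payload with Approve/Deny buttons. The advisory link
    rides in each button's `value` so the click identifies the advisory."""
    cves = ", ".join(record["cves"]) or "none referenced"
    return [
        {"type": "section", "text": {"type": "mrkdwn",
         "text": f"*{record['vendor']} advisory:* <{record['link']}|{record['title']}>\nCVEs: {cves}"}},
        {"type": "actions", "elements": [
            {"type": "button", "style": "primary", "action_id": "advisory_approve",
             "text": {"type": "plain_text", "text": "Approve"}, "value": record["link"]},
            {"type": "button", "style": "danger", "action_id": "advisory_deny",
             "text": {"type": "plain_text", "text": "Deny"}, "value": record["link"]},
        ]},
    ]


if __name__ == "__main__":
    seen = set()
    for rec in process_feed(SAMPLE_RSS, seen):
        print(rec["vendor"], rec["cves"], rec["link"])
    # A second run over the same feed surfaces nothing: every key is in `seen`.
    print("second run:", process_feed(SAMPLE_RSS, seen))
```

Two details are worth carrying over to the real workflow: the deduplication key must be something stable across re-publications (the feed's guid, not the description, which can change), and the CVE regex allows five or more sequence digits, since IDs with more than four digits have been issued since 2014.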
Configuring the workflow – step-by-step guide
Image: The Tines Community Edition sign-up form
1. Log into Tines or create a new account.
2. Navigate to the pre-built workflow in the library and select Import. This will take you straight to your new pre-built workflow.
Image: The workflow on Tines' drag-and-drop canvas
Image: Adding a new credential in Tines
3. Set up your credentials
You'll need three credentials added to your Tines tenant:
- CrowdStrike
- ServiceNow
- Slack
Note that similar services to those listed above can also be used, with some adjustments to the workflow.
From the credentials page, select New credential, scroll down to the relevant credential and complete the required fields. Scope each credential to what the workflow actually does: reading threat intelligence in CrowdStrike, creating tickets in ServiceNow, and posting to the notification channel in Slack. Follow the CrowdStrike, ServiceNow, and Slack credential guides at explained.tines.com if you need help.
4. Configure your actions.
- Set the Slack channel for advisory notifications (the slack_channel_vuln_advisory resource).
- Set your ServiceNow ticket details in the Create ticket in ServiceNow action (e.g., priority, assignment group).
- Adjust the vendor filtering rules if needed to match your organization's priorities.
5. Test the workflow.
Trigger a test by pulling recent advisories from CISA, and verify that:
- Slack notifications are sent with correct formatting
- Approval buttons function as expected
- ServiceNow tickets are created correctly upon approval
- A denied advisory is logged and no ticket is created
6. Publish and operationalize
Once tested, publish the workflow. Share the Slack channel with your team to start reviewing and approving advisories efficiently.
If you'd like to try this workflow, you can sign up for a free Tines account.