How to Automate CVE and Vulnerability Advisory Response with Tines

Run by the team at workflow orchestration and AI platform Tines, the Tines library features pre-built workflows shared by security practitioners from across the community – all free to import and deploy through the platform’s Community Edition.

A recent standout is a workflow that automates monitoring for security advisories from CISA and other vendors, enriches advisories with CrowdStrike threat intelligence, and streamlines ticket creation and notification. Developed by Josh McLaughlin, a security engineer at LivePerson, the workflow drastically reduces manual work while keeping analysts in control of final decisions, helping teams stay on top of new vulnerabilities.

“Before automation, creating tickets for 45 vulnerabilities took about 150 minutes of work,” Josh explains. “After automation, the time needed for the same number of tickets dropped to around 60 minutes, saving significant time and freeing analysts from manual tasks like copy-pasting and web browsing.” LivePerson’s security team reduced the time this process takes by 60% through automation and orchestration, creating a major boost to both efficiency and analyst morale.

In this guide, we’ll share an overview of the workflow, plus step-by-step instructions for getting it up and running.

The problem – manual tracking of critical advisories

For security teams, timely awareness of newly disclosed vulnerabilities is essential – but monitoring multiple sources, enriching advisories with threat intelligence, and creating tickets for remediation are time-consuming and error-prone tasks.

Teams often have to:

• Manually check CISA and other sources for advisories
• Research related CVEs
• Decide whether action is needed
• Manually create tickets and notify stakeholders

These repetitive steps not only consume valuable analyst time but also risk inconsistent responses if an important vulnerability is missed or delayed.

The solution – automated monitoring, enrichment, and ticketing

Josh’s pre-built workflow automates the process end-to-end – but crucially, it keeps analysts in control at key decision points:

• It pulls new advisories from CISA (or a chosen open-source feed)
• It enriches findings using CrowdStrike’s threat intelligence
• It notifies the security team in Slack, and prompts them to provide input quickly via approve and deny buttons
• Upon approval, it automatically creates a ServiceNow ticket with the vulnerability’s details

The result is a streamlined, efficient process that ensures vulnerabilities are tracked and actioned quickly, without sacrificing the critical thinking and prioritization that only analysts can provide.

Key benefits of this workflow:

• Reduces manual effort and speeds up response time
• Leverages threat intelligence for smarter prioritization
• Ensures consistent handling of new vulnerabilities
• Strengthens collaboration across security and IT teams
• Boosts morale by eliminating tedious tasks
• Keeps analysts in control with easy, fast approvals

Workflow overview

Tools used:

• Tines – workflow orchestration and AI platform (Community Edition available)
• CrowdStrike – threat intelligence and EDR platform
• ServiceNow – ticketing and ITSM platform
• Slack – team collaboration platform

How it works:

• RSS feed collection: fetches the latest advisories from CISA’s RSS feed
• Deduplication: filters out duplicate advisories
• Vendor filtering: focuses on advisories from key vendors and services (e.g., Microsoft, Citrix, Google, Atlassian).
• CVE extraction: identifies CVEs from advisory descriptions
• Enrichment: cross-references CVEs with CrowdStrike threat intelligence for added context
• Slack notification: sends an enriched vulnerability with action buttons to a dedicated Slack channel
• Approval flow:
• If approved, the workflow creates a ServiceNow ticket
• If denied, the workflow logs the decision without creating a ticket

Configuring the workflow – step-by-step guide

The Tines Community Edition sign-up form

1. Log into Tines or create a new account.

2. Navigate to the pre-built workflow in the library. Select import. This should take you straight to your new pre-built workflow.

The workflow on Tines’ drag-and-drop canvas
Adding a new credential in Tines
3. Set up your credentials

You’ll need three credentials added to your Tines tenant:

• CrowdStrike
• ServiceNow
• Slack

Note that similar services to the ones listed above can also be used, with some adjustments to the workflow.

From the credentials page, select New credential, scroll down to the relevant credential and complete the required fields. Follow the CrowdStrike, ServiceNow, and Slack credential guides at explained.tines.com if you need help.

4. Configure your actions.

• Set the Slack channel for advisory notifications (slack_channel_vuln_advisory resource).
• Set your ServiceNow ticket details in the Create ticket in ServiceNow action (e.g., priority, assignment group).
• Adjust vendor filtering rules if needed to match your organization’s priorities.

5. Test the workflow.

Trigger a test by pulling recent advisories from CISA, and verify that:

• Slack notifications are sent with correct formatting
• Approval buttons function as expected
• ServiceNow tickets are created correctly upon approval

6. Publish and operationalize

Once tested, publish the workflow. Share the Slack channel with your team to start reviewing and approving advisories efficiently.

If you’d like to test this workflow, you can sign up for a free Tines account.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Some parts of this article are sourced from:
thehackernews.com