How to Automate CVE and Vulnerability Advisory Response with Tines

By Harish | May 2, 2025 | 5 Mins Read

May 02, 2025 | The Hacker News | Vulnerability Management / Security Operations

Run by the team at workflow orchestration and AI platform Tines, the Tines library features pre-built workflows shared by security practitioners from across the community – all free to import and deploy through the platform’s Community Edition.

A recent standout is a workflow that automates monitoring for security advisories from CISA and other vendors, enriches advisories with CrowdStrike threat intelligence, and streamlines ticket creation and notification. Developed by Josh McLaughlin, a security engineer at LivePerson, the workflow drastically reduces manual work while keeping analysts in control of final decisions, helping teams stay on top of new vulnerabilities.

“Before automation, creating tickets for 45 vulnerabilities took about 150 minutes of work,” Josh explains. “After automation, the time needed for the same number of tickets dropped to around 60 minutes, saving significant time and freeing analysts from manual tasks like copy-pasting and web browsing.” LivePerson’s security team reduced the time this process takes by 60% through automation and orchestration, creating a major boost to both efficiency and analyst morale.

In this guide, we’ll share an overview of the workflow, plus step-by-step instructions for getting it up and running.

The problem – manual tracking of critical advisories

For security teams, timely awareness of newly disclosed vulnerabilities is essential – but monitoring multiple sources, enriching advisories with threat intelligence, and creating tickets for remediation are time-consuming and error-prone tasks.

Teams often have to:

  • Manually check CISA and other sources for advisories
  • Research related CVEs
  • Decide whether action is needed
  • Manually create tickets and notify stakeholders

These repetitive steps not only consume valuable analyst time but also risk inconsistent responses if an important vulnerability is missed or delayed.

The solution – automated monitoring, enrichment, and ticketing

Josh’s pre-built workflow automates the process end-to-end – but crucially, it keeps analysts in control at key decision points:

  • It pulls new advisories from CISA (or a chosen open-source feed)
  • It enriches findings using CrowdStrike’s threat intelligence
  • It notifies the security team in Slack, and prompts them to provide input quickly via approve and deny buttons
  • Upon approval, it automatically creates a ServiceNow ticket with the vulnerability’s details

The result is a streamlined, efficient process that ensures vulnerabilities are tracked and actioned quickly, without sacrificing the critical thinking and prioritization that only analysts can provide.

Key benefits of this workflow:

  • Reduces manual effort and speeds up response time
  • Leverages threat intelligence for smarter prioritization
  • Ensures consistent handling of new vulnerabilities
  • Strengthens collaboration across security and IT teams
  • Boosts morale by eliminating tedious tasks
  • Keeps analysts in control with easy, fast approvals

Workflow overview

Tools used:

  • Tines – workflow orchestration and AI platform (Community Edition available)
  • CrowdStrike – threat intelligence and EDR platform
  • ServiceNow – ticketing and ITSM platform
  • Slack – team collaboration platform

How it works:

  • RSS feed collection: fetches the latest advisories from CISA’s RSS feed
  • Deduplication: filters out duplicate advisories
  • Vendor filtering: focuses on advisories from key vendors and services (e.g., Microsoft, Citrix, Google, Atlassian)
  • CVE extraction: identifies CVEs from advisory descriptions
  • Enrichment: cross-references CVEs with CrowdStrike threat intelligence for added context
  • Slack notification: sends an enriched vulnerability with action buttons to a dedicated Slack channel
  • Approval flow:
    • If approved, the workflow creates a ServiceNow ticket
    • If denied, the workflow logs the decision without creating a ticket

Configuring the workflow – step-by-step guide

[Image: The Tines Community Edition sign-up form]

1. Log into Tines or create a new account.

2. Navigate to the pre-built workflow in the library. Select import. This should take you straight to your new pre-built workflow.

[Image: The workflow on Tines’ drag-and-drop canvas]

[Image: Adding a new credential in Tines]

3. Set up your credentials

You’ll need three credentials added to your Tines tenant:

  • CrowdStrike
  • ServiceNow
  • Slack

Note that similar services to the ones listed above can also be used, with some adjustments to the workflow.

From the credentials page, select New credential, scroll down to the relevant credential and complete the required fields. Follow the CrowdStrike, ServiceNow, and Slack credential guides at explained.tines.com if you need help.

4. Configure your actions.

  • Set the Slack channel for advisory notifications (slack_channel_vuln_advisory resource).
  • Set your ServiceNow ticket details in the Create ticket in ServiceNow action (e.g., priority, assignment group).
  • Adjust vendor filtering rules if needed to match your organization’s priorities.

5. Test the workflow.

Trigger a test by pulling recent advisories from CISA, and verify that:

  • Slack notifications are sent with correct formatting
  • Approval buttons function as expected
  • ServiceNow tickets are created correctly upon approval

6. Publish and operationalize

Once tested, publish the workflow. Share the Slack channel with your team to start reviewing and approving advisories efficiently.

If you’d like to test this workflow, you can sign up for a free Tines account.

This article is a contributed piece from one of our valued partners.