Cybersecurity Automation Examples

Enterprise-grade automation patterns for security operations workflows. Scanner integration, SLA management, risk automation, and compliance workflows designed for Fortune 500 security programs.

📖 45 min read 🔒 Automations v1.0 💎 Premium Tier

Security Automation Philosophy

Security automation differs fundamentally from general IT automation. The consequences of missed vulnerabilities, SLA breaches, or compliance gaps extend beyond operational inconvenience to potential data breaches, regulatory fines, and reputational damage.

  • Defense in depth - Multiple validation points, no single point of failure
  • Audit trail - Every automated action logged with full context
  • SLA-driven urgency - Remediation windows based on risk, not convenience
  • Escalation paths - Clear ownership at every level

Prerequisites: JSM Assets Premium or Enterprise license, Global automation rule permissions, familiarity with AQL syntax, and understanding of Cybersecurity Schema v1.0 object types (Security Asset, Vulnerability, Security Control, Risk, Compliance Requirement).

Scanner Import Automation

Vulnerability scanner integration is the foundation of security automation. Manual vulnerability entry does not scale and introduces unacceptable latency between detection and response.

SI-01: Tenable Vulnerability Import

Trigger: Webhook | Priority: High | Real-time

Receive vulnerability findings from Tenable.io via webhook and create or update Vulnerability objects with proper asset correlation and SLA calculation.

Tenable Field Mapping:

Tenable Field            | Schema Attribute | Transformation
-------------------------|------------------|---------------------------------------------
plugin.name              | Name             | Direct mapping
plugin.cve               | CVE ID           | Extract first CVE
severity                 | Severity         | 4=Critical, 3=High, 2=Medium, 1=Low
plugin.cvss3_base_score  | CVSS Score       | Direct mapping
asset.fqdn               | Affected Asset   | Asset lookup: match by FQDN, fall back to IP

Asset Resolution AQL:

objectType = "Security Asset" AND (FQDN = "{asset.fqdn}" OR "IP Address" = "{asset.ipv4}")

Deduplication Check:

objectType = "Vulnerability" AND "Scanner Plugin ID" = "TEN-{plugin.id}" AND "Affected Asset" = "{resolved_asset_key}"

SI-02: Multi-Scanner Deduplication

Trigger: Pre-Import Check | Priority: Medium

When multiple scanners detect the same vulnerability, prevent duplicate records while maintaining scanner-specific metadata.

Pre-Import AQL Check:

objectType = "Vulnerability" AND "CVE ID" = "{incoming_cve}" AND "Affected Asset" = "{asset_key}" AND "Remediation Status" IN ("Open", "In Progress")

Deduplication Logic:

  1. If existing record found with same CVE + Asset: Update Discovery Date, append scanner to notes
  2. If no CVE available: Create per-scanner records using Scanner Plugin ID
  3. Use scanner prefixes for differentiation: TEN-, QID-, R7-
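Added example (not code from the original page): the SI-01 field mapping and the SI-02 deduplication key selection as a webhook-side pre-processing step, building the asset resolution and pre-import AQL from a constructed Tenable-style payload. The payload field names follow the mapping table; `aql_literal` is an assumed helper that rejects scanner-supplied values containing quotes so they cannot alter the query the rule runs.

```python
import re

SEVERITY = {4: "Critical", 3: "High", 2: "Medium", 1: "Low"}   # Tenable severity -> schema
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def aql_literal(value) -> str:
    """Wrap a scanner-supplied value as an AQL string literal; values containing a
    double quote are rejected rather than escaped, so payload data cannot rewrite the query."""
    text = str(value)
    if '"' in text:
        raise ValueError(f"unsafe AQL value: {text!r}")
    return f'"{text}"'

def map_tenable_finding(finding: dict) -> dict:
    """SI-01 field mapping: Vulnerability attributes plus the asset hints used for lookup."""
    plugin, asset = finding["plugin"], finding["asset"]
    cves = CVE_RE.findall(" ".join(plugin.get("cve") or []))
    return {
        "Name": plugin["name"],
        "CVE ID": cves[0] if cves else None,            # extract first CVE only
        "Severity": SEVERITY[int(finding["severity"])],
        "CVSS Score": plugin.get("cvss3_base_score"),
        "Scanner Plugin ID": f"TEN-{plugin['id']}",     # scanner prefix for differentiation
        "asset_fqdn": asset.get("fqdn"),
        "asset_ipv4": asset.get("ipv4"),
    }

def asset_resolution_aql(fqdn, ipv4) -> str:
    """SI-01 asset lookup: match by FQDN, fall back to IP (either hint may be absent)."""
    clauses = []
    if fqdn:
        clauses.append(f"FQDN = {aql_literal(fqdn)}")
    if ipv4:
        clauses.append(f'"IP Address" = {aql_literal(ipv4)}')
    return f'objectType = "Security Asset" AND ({" OR ".join(clauses)})'

def dedup_aql(vuln: dict, asset_key: str) -> str:
    """SI-02 pre-import check: CVE + asset when a CVE exists, else the per-scanner plugin ID."""
    key = (f'"CVE ID" = {aql_literal(vuln["CVE ID"])}' if vuln["CVE ID"]
           else f'"Scanner Plugin ID" = {aql_literal(vuln["Scanner Plugin ID"])}')
    return (f'objectType = "Vulnerability" AND {key} AND "Affected Asset" = {aql_literal(asset_key)} '
            f'AND "Remediation Status" IN ("Open", "In Progress")')

# Constructed sample webhook payload: field names from the mapping table, values invented
SAMPLE_FINDING = {
    "severity": 4,
    "plugin": {"id": 12345, "name": "Example RCE in Widget Service",
               "cve": ["CVE-2099-0001", "CVE-2099-0002"], "cvss3_base_score": 9.8},
    "asset": {"fqdn": "web01.example.internal", "ipv4": "10.0.0.5"},
}
```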

Remediation SLA Automation

SLA automation ensures vulnerabilities are addressed within risk-appropriate timeframes and provides visibility when deadlines approach or breach.

RS-01: SLA Calculation on Creation

Trigger: Object Created | Priority: High

Automatically calculate and set Remediation Due date when vulnerabilities are imported based on severity and asset criticality.

SLA Matrix:

Severity | Critical Asset | High Asset | Medium Asset | Low Asset
---------|----------------|------------|--------------|----------
Critical | 1 day          | 3 days     | 7 days       | 14 days
High     | 3 days         | 7 days     | 14 days      | 30 days
Medium   | 7 days         | 14 days    | 30 days      | 60 days
Low      | 14 days        | 30 days    | 60 days      | 90 days

Asset Criticality Lookup:

objectType = "Security Asset" AND Key = "{{object.Affected Asset.Key}}"

RS-02: SLA Breach Notification

Trigger: Scheduled, every 4 hours | Priority: High

Alert security operations and asset owners when vulnerability remediation SLAs are breached.

AQL Query:

objectType = "Vulnerability" AND "Remediation Status" = "Open" AND "Remediation Due" < now()

Escalation Path:

Days Overdue | Action
-------------|-----------------------------------------------------------------
0-1 days     | Email to Assigned To and Owning Team
2-3 days     | Email to Asset Owner and Department Head
4-7 days     | Email to CISO, create escalation ticket
7+ days      | Executive dashboard visibility, formal risk acceptance required

Email Template:

RS-03: SLA Warning (Pre-Breach)

Trigger: Scheduled, daily 09:00 | Priority: Medium

Provide advance warning before SLA breach to enable proactive remediation.

Critical vulnerabilities due within 24 hours:

objectType = "Vulnerability" AND "Remediation Status" = "Open" AND Severity = "Critical" AND "Remediation Due" < now(24h) AND "Remediation Due" > now()

High vulnerabilities due within 48 hours:

objectType = "Vulnerability" AND "Remediation Status" = "Open" AND Severity = "High" AND "Remediation Due" < now(48h) AND "Remediation Due" > now()

Risk Management Automation

Risk automation ensures systematic review cycles, escalation for high-impact risks, and accountability tracking.

RM-01: Risk Review Scheduling

Trigger: Scheduled, weekly Monday 08:00 | Priority: Medium

Automatically schedule and notify risk owners when risk reviews are due based on risk score.

Review Cadence by Risk Score:

Risk Score Range  | Review Frequency | Notification Lead Time
------------------|------------------|-----------------------
20-25 (Critical)  | Monthly          | 7 days before
12-19 (High)      | Quarterly        | 14 days before
6-11 (Medium)     | Semi-annually    | 21 days before
1-5 (Low)         | Annually         | 30 days before

Query (Critical risks due for review):

objectType = "Risk" AND "Risk Score" >= 20 AND Status IN ("Open", "In Treatment") AND "Review Date" < now(7d)

RM-02: Risk Acceptance Expiration

Trigger: Scheduled, daily 09:00 | Priority: High

Alert when accepted risks reach their acceptance expiration date and require re-evaluation.

AQL Query:

objectType = "Risk" AND Status = "Accepted" AND "Review Date" < now()

Actions:

  1. Change Status from "Accepted" to "Open"
  2. Send notification to Risk Owner
  3. Add to CISO weekly risk report

Compliance Automation

Compliance automations ensure assessment schedules are maintained, evidence is current, and gaps are identified proactively.

CA-01: Compliance Assessment Reminder

Trigger: Scheduled, weekly Monday 09:00 | Priority: Medium

Notify compliance owners when scheduled assessments are approaching.

Requirements due within 30 days:

objectType = "Compliance Requirement" AND "Compliance Status" != "Not Assessed" AND "Next Assessment" < now(30d) AND "Next Assessment" > now()

Email Template:

CA-02: Compliance Gap Detection

Trigger: Scheduled, weekly Tuesday 08:00 | Priority: High

Identify compliance requirements without adequate control coverage and alert the compliance team.

Requirements without mapped controls:

objectType = "Compliance Requirement" AND "Compliance Status" IN ("Partial", "Non-Compliant") AND "Mapped Controls" is EMPTY

Requirements with controls but still non-compliant:

objectType = "Compliance Requirement" AND "Compliance Status" = "Non-Compliant" AND "Mapped Controls" is NOT EMPTY

Security Asset Lifecycle Automation

Security asset automations maintain inventory accuracy and trigger appropriate workflows for asset status changes.

AL-01: Stale Asset Detection

Trigger: Scheduled, daily 06:00 | Priority: Medium

Identify security assets not seen by discovery tools within expected timeframes, indicating potential decommissioning, agent failure, or shadow IT.

Active assets not seen in 30 days:

objectType = "Security Asset" AND Status = "Active" AND "Last Seen" < now(-30d)

Active assets without discovery source:

objectType = "Security Asset" AND Status = "Active" AND "Discovery Source" is EMPTY

AL-02: Asset Decommission Workflow

Trigger: Object Updated | Priority: High

When an asset status changes to "Decommissioned", trigger cleanup workflows to close open vulnerabilities and update compliance scope.

Trigger:

Object updated - Security Asset - Status changed to "Decommissioned"

Query open vulnerabilities:

objectType = "Vulnerability" AND "Affected Asset" = "{{object.Key}}" AND "Remediation Status" IN ("Open", "In Progress")

Actions:

  1. Update all open vulnerabilities to "Remediated" with note "Asset decommissioned"
  2. Notify Compliance team of scope change
  3. Update risks referencing this asset

Automation Schedule Summary

Real-Time Automations

Automation                                  | Trigger               | Priority
--------------------------------------------|-----------------------|---------
Scanner Import (Tenable/Qualys/Rapid7)      | Webhook               | High
SLA Calculation                             | Vulnerability Created | High
Asset Decommission Workflow                 | Status Changed        | High

Daily Automations

Automation                  | Time  | Priority
----------------------------|-------|---------
Stale Asset Detection       | 06:00 | Medium
SLA Warning (Pre-Breach)    | 09:00 | Medium
Risk Acceptance Expiration  | 09:00 | High

Scheduled (4-hour intervals)

Automation               | Times                      | Priority
-------------------------|----------------------------|---------
SLA Breach Notification  | 06:00, 10:00, 14:00, 18:00 | High

Weekly Automations

Automation                            | Day/Time        | Priority
--------------------------------------|-----------------|---------
Risk Review Scheduling                | Monday 08:00    | Medium
Compliance Assessment Reminder        | Monday 09:00    | Medium
Compliance Gap Detection              | Tuesday 08:00   | High
Critical Asset Ownership Validation   | Wednesday 08:00 | Medium

Troubleshooting

Scanner Import Issues

Issue                                   | Cause                                    | Solution
----------------------------------------|------------------------------------------|------------------------------------------------
Vulnerabilities not linked to assets    | FQDN mismatch or asset not in inventory  | Standardize FQDN format, implement fuzzy matching
Duplicate vulnerabilities after each scan | Missing deduplication key              | Ensure Scanner Plugin ID is populated
Wrong CVSS scores                       | Field mapping error                      | Verify cvss3_base_score field mapping

Common AQL Syntax Errors

Incorrect                        | Correct
---------------------------------|----------------------------------
objectType = Vulnerability       | objectType = "Vulnerability"
Status == "Open"                 | Status = "Open"
"Discovery Date" < now - 7d      | "Discovery Date" < now(-7d)
Severity in (Critical, High)     | Severity IN ("Critical", "High")
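Added example (not code from the original page): a small pre-deployment lint that flags the four mistakes in the table above in an AQL string before it is saved into an automation rule. The patterns are constructed heuristics for review, not an AQL grammar, and `lint_aql` is an assumed helper name.

```python
import re

# One heuristic per row of the "Common AQL Syntax Errors" table
_DOUBLE_EQUALS = re.compile(r"==")
_UNQUOTED_VALUE = re.compile(r"[<>!]?=\s*([A-Za-z][\w.\-]*)")   # bare word right after an operator
_DATE_ARITHMETIC = re.compile(r"\bnow\s*[-+]\s*\d+[smhdw]\b", re.I)
_IN_LIST = re.compile(r"\bIN\s*\(([^)]*)\)", re.I)
_QUOTED = re.compile(r'"[^"]*"')
_KEYWORD_VALUES = {"now", "empty", "null", "true", "false"}       # legitimately unquoted

def lint_aql(query: str) -> list:
    """Return the problems found in an AQL string; an empty list means the query looks clean."""
    problems = []
    if _DOUBLE_EQUALS.search(query):
        problems.append("'==' is not an AQL operator; use '='")
    for m in _UNQUOTED_VALUE.finditer(query):
        if m.group(1).lower() not in _KEYWORD_VALUES:
            problems.append(f"unquoted value {m.group(1)!r}; string values need double quotes")
    if _DATE_ARITHMETIC.search(query):
        problems.append("relative dates are written now(-7d), not now - 7d")
    for m in _IN_LIST.finditer(query):
        # strip quoted items (commas inside them are fine), anything left over is unquoted
        leftovers = [t for t in re.split(r"[,\s]+", _QUOTED.sub("", m.group(1))) if t]
        if leftovers:
            problems.append(f"unquoted IN list values: {leftovers}")
    return problems
```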