I am attempting to take alert output from a workflow (posts a description of a vulnerability either as a ticket or into a Teams chat) and run a scan with IVM so that we can create a ticket based on the individual CVE and not a huge batch of tickets per asset that happen to be affected by the CVE.
Alert > Scrape CVE > Severity threshold > Post CVE to Teams (OR send to SNOW for a ticket per CVE per asset alerted) > Vuln lookup enrichment in IVM > Post enrichment to Teams.
Alert > Scrape CVE > Severity Threshold > Lookup CVE with IVM (or Recorded Future/VT/NIST/etc.) > Scan organization assets for CVE > Post assets with Vuln to Teams > Create a SNOW ticket with the CVE as subject and list of assets affected in description.
So far, I am able to get the CVE title sent to Teams and have the trigger (!lookup-vuln) set in the post so it automatically looks up the Vuln within Teams via another workflow.
This is good, but the biggest issue is that our Patching/Vuln policy for tickets requires them to be listed by CVE as well as include as much info as possible on the CVE. Ideally they include a solution link, because the Service Desk will not go searching for the patch.
Any help would be appreciated!
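The core of the second flow above is the regrouping step: scan results come back as one finding per asset, and the ticketing policy wants one ticket per CVE with the affected assets and a solution link in the body. The script below is an added example of that step (it is not code from the original post or from Rapid7/IVM). It assumes the IVM scan results have already been fetched and flattened into one record per (asset, CVE) with a CVSS score and a solution URL; the IVM, ServiceNow and Teams API calls are out of scope and replaced by plain Python data. All hostnames, links and the CVE ids (`CVE-0000-000x`) are constructed placeholders, and the severity cutoff is an assumed value.

```python
"""Collapse per-asset vulnerability findings into one ticket per CVE.

Added example, not from the original post or the IVM product. Assumes scan
results are already available as (asset, CVE) records; real API calls are
replaced by in-memory data. All identifiers below are constructed.
"""
import re
from collections import OrderedDict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
SEVERITY_THRESHOLD = 7.0  # assumed CVSS cutoff; tune to the patching policy

# Constructed sample findings: placeholder CVE ids, hostnames and solution links.
SAMPLE_FINDINGS = [
    {"asset": "srv-app-01", "cve": "CVE-0000-0001", "cvss": 9.8,
     "title": "Placeholder remote code execution",
     "solution": "https://vendor.example/advisory/0001"},
    {"asset": "srv-app-02", "cve": "CVE-0000-0001", "cvss": 9.8,
     "title": "Placeholder remote code execution",
     "solution": "https://vendor.example/advisory/0001"},
    {"asset": "ws-fin-17", "cve": "CVE-0000-0002", "cvss": 7.5,
     "title": "Placeholder privilege escalation",
     "solution": "https://vendor.example/advisory/0002"},
    {"asset": "ws-fin-17", "cve": "CVE-0000-0003", "cvss": 4.3,
     "title": "Placeholder information disclosure",
     "solution": "https://vendor.example/advisory/0003"},
]


def extract_cves(alert_text):
    """Scrape CVE ids from free-text alert output: upper-cased, de-duplicated, in order."""
    seen = OrderedDict()
    for match in CVE_RE.findall(alert_text):
        seen[match.upper()] = None
    return list(seen)


def group_by_cve(findings, threshold=SEVERITY_THRESHOLD, only_cves=None):
    """Collapse (asset, CVE) records into one entry per CVE at or above the threshold."""
    groups = {}
    for f in findings:
        if f["cvss"] < threshold:
            continue  # severity threshold step of the workflow
        if only_cves is not None and f["cve"] not in only_cves:
            continue  # restrict to the CVEs named in the alert
        g = groups.setdefault(f["cve"], {
            "title": f["title"], "cvss": f["cvss"],
            "solution": f["solution"], "assets": set()})
        g["assets"].add(f["asset"])
    return groups


def build_ticket(cve, group):
    """One SNOW-style ticket: CVE in the subject, asset list and fix link in the body."""
    assets = sorted(group["assets"])
    description = "\n".join([
        f"{cve} - {group['title']} (CVSS {group['cvss']})",
        f"Solution: {group['solution']}",
        f"Affected assets ({len(assets)}):",
        *[f"  - {a}" for a in assets],
    ])
    return {"short_description": f"{cve}: {group['title']}",
            "description": description,
            "asset_count": len(assets)}


def build_teams_message(cve, group):
    """Chat line carrying the !lookup-vuln trigger used by the original workflow."""
    return f"!lookup-vuln {cve} | CVSS {group['cvss']} | {len(group['assets'])} asset(s)"


def tickets_for_alert(alert_text, findings=SAMPLE_FINDINGS):
    """End to end: scrape CVEs from the alert, filter by severity, group, build tickets."""
    cves = extract_cves(alert_text)
    groups = group_by_cve(findings, only_cves=set(cves))
    return {cve: build_ticket(cve, groups[cve]) for cve in cves if cve in groups}


if __name__ == "__main__":
    alert = ("Constructed alert: vendor advisory covers CVE-0000-0001 and "
             "cve-0000-0002; CVE-0000-0003 is low severity. CVE-0000-0001 again.")
    groups = group_by_cve(SAMPLE_FINDINGS)
    for cve, ticket in tickets_for_alert(alert).items():
        print(build_teams_message(cve, groups[cve]))
        print(ticket["description"], end="\n\n")
```

Run stand-alone it prints one Teams line and one ticket body per qualifying CVE; the low-severity placeholder is dropped by the threshold, and the two hosts sharing a CVE land in a single ticket instead of two. In a real workflow the `SAMPLE_FINDINGS` list would be replaced by the flattened IVM scan output and the returned dicts would be handed to the ServiceNow and Teams steps.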