Tines Workflows that provide a CrowdStrike Host Report with vulnerabilities on the CISA Known Exploited Vulnerabilities Catalog.
View the Project on GitHub AutomateSecOps/CISA-KEV-Catalog-CrowdStrike
Security teams drown in vulnerability data.
Tens of thousands of CVE IDs are published every year, and your CrowdStrike Spotlight dashboard is probably no different — a long tail of findings ranked by CVSS score, severity label, or whatever your scanner vendor decided mattered most this quarter.
But CVSS scores don’t tell you what’s being weaponized right now. The CISA Known Exploited Vulnerabilities (KEV) catalog does.
The KEV is a curated list maintained by the Cybersecurity and Infrastructure Security Agency of CVE IDs that have confirmed, active exploitation in the wild.
It’s not theoretical risk.
It’s real-world attack surface.
And if a host in your environment has an open vulnerability that’s on that list, that’s where your patching energy should go first.
The challenge? Cross-referencing the CISA KEV against your CrowdStrike Spotlight data every week is a manual chore.
This Tines story eliminates that chore.
The CISA-KEV-CrowdStrike-Hosts story runs on a schedule and produces a weekly CSV report of every CrowdStrike-managed host in your environment that has an open vulnerability matching a CVE ID on the CISA KEV catalog. It enriches each finding with ransomware campaign association data, internet exposure status, asset criticality, CISA remediation due dates, and more — then writes each result to a Tines Record and emails the full report as a CSV attachment.
The output gives your team a clear, actionable list: these specific hosts, these specific CVEs, patch by this date.
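The cross-reference described above, sketched in Python as an added example; it is not the Tines story's own logic. The KEV field names (`cveID`, `dueDate`, `knownRansomwareCampaignUse`) are those of CISA's JSON feed, while the host finding keys, hostnames, CVE IDs and the `overdue` column are constructed assumptions, not CrowdStrike's schema.

```python
import csv
import io
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed; the CVE IDs are placeholders.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dueDate": "2024-05-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dueDate": "2024-07-15", "knownRansomwareCampaignUse": "Unknown"},
]}

# Constructed host findings; these keys are assumed for illustration only.
FINDINGS = [
    {"hostname": "web-01", "cve": "CVE-0000-0001", "status": "open", "internet_exposed": True, "criticality": "Critical"},
    {"hostname": "db-02", "cve": "cve-0000-0002", "status": "open", "internet_exposed": False, "criticality": "High"},
    {"hostname": "hr-07", "cve": "CVE-0000-0001", "status": "closed", "internet_exposed": False, "criticality": "Low"},
    {"hostname": "dev-03", "cve": "CVE-0000-0099", "status": "open", "internet_exposed": False, "criticality": "Low"},
]

COLUMNS = ["hostname", "cve", "due_date", "overdue", "ransomware_use", "internet_exposed", "criticality"]

def kev_host_report(findings, kev_feed, today):
    """Return one row per open finding whose CVE ID is on the KEV, earliest due date first."""
    # Index the catalog by normalized CVE ID so each finding is a single lookup.
    kev = {v["cveID"].strip().upper(): v for v in kev_feed["vulnerabilities"]}
    rows = []
    for f in findings:
        entry = kev.get(f["cve"].strip().upper())
        if entry is None or f["status"] != "open":
            continue  # not on the KEV, or already remediated
        rows.append({
            "hostname": f["hostname"],
            "cve": entry["cveID"],
            "due_date": entry["dueDate"],
            "overdue": date.fromisoformat(entry["dueDate"]) < today,
            "ransomware_use": entry["knownRansomwareCampaignUse"],
            "internet_exposed": f["internet_exposed"],
            "criticality": f["criticality"],
        })
    return sorted(rows, key=lambda r: r["due_date"])

def to_csv(rows):
    """Serialize report rows as CSV text with a fixed column order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(kev_host_report(FINDINGS, KEV_FEED, date.today())))
```

Normalizing case before the lookup matters because a lowercase or padded CVE ID from one source would otherwise drop a real match from the report without any error.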
I hope you find this useful.
Happy Building!
Tom
This post was drafted with AI assistance based on the author’s story design and technical notes.