Reducing manual CISA KEV analysis with automation
I built an automation pipeline to turn added CISA Known Exploited Vulnerabilities into actionable detections with little manual work.
The workflow does the following:
- Checks the CISA KEV catalog for vulnerabilities
- Gets the CVEs
- Uses Google Gemini to create Sigma detection rules
- Maps detections to the MITRE ATT&CK framework
- Sends results to Google Sheets, Slack, email and a SIEM for analysts to review
My goal was to save time on tracking KEV updates and writing detections while still having an analyst validate the results.
I documented the process, including the workflow, prompts, integrations and implementation details. If you work in detection engineering, threat hunting or threat intelligence I'd love to hear how you use CISA KEV in your environment. If you've automated any part of it.
Blog link in the comments.