
Automate

Hydden Discovery's automation framework enables event-driven responses to discovered accounts, threats, and system events. By configuring providers, workflows, and triggers, organizations can automatically notify teams, create tickets, and remediate issues without manual intervention.

Overview

The automation system consists of three core components that work together to create responsive security workflows:

  • Triggers: Events that initiate workflows (threat detection, collection status, data validation, classification changes, entity alerts)
  • Providers: Action endpoints that execute responses (email, ServiceNow, webhooks, PAM systems)
  • Workflows: Configuration that connects triggers to providers with templated payloads and filtering rules

Supported Action Types

Hydden Discovery supports multiple action providers for integration with existing security and IT operations tools:

Notification & Ticketing Actions

  • Email: Send notifications via SendGrid or SMTP
    • SendGrid API integration
    • Direct SMTP server connection
    • Supports OAuth2 authentication
  • ServiceNow: Create incident tickets automatically
    • Incident creation via ServiceNow Table API
    • Templated short description and description fields
    • Basic authentication support
  • Webhook: Integrate with any webhook-enabled system
    • Supports GET, POST, and PUT methods
    • Custom payload templating
    • Bearer token and credential-based authentication
    • Automatic retry with exponential backoff

Remediation Actions

  • Add to Vault: Automatically onboard accounts to PAM systems
    • CyberArk Privilege Cloud and Self-Hosted support
    • BeyondTrust Password Safe integration
    • Classification-triggered auto-vaulting
    • Rate-limited account creation (30 accounts/minute per collector)

Key Concepts

Event-Driven Architecture

Automation in Hydden Discovery follows an event-driven architecture:

  1. Event Generation: System events (collection completion, threat detection, classification changes) are generated as structured events
  2. Trigger Matching: The workflow coordinator matches events to enabled workflows based on trigger discriminators
  3. Filtering: Workflows can filter events using filter options (e.g., specific threat IDs or classification rules)
  4. Template Rendering: Workflow payloads are rendered using event data and available variables
  5. Action Execution: The appropriate provider executes the action (send email, create ticket, vault account)
  6. Approval Handling: Workflows requiring approval wait for manager sign-off before execution

Available Triggers

Hydden Discovery supports 8 trigger types across 5 categories:

Category          | Triggers                                          | Use Cases
------------------|---------------------------------------------------|---------------------------------------------------------
Collection Status | Collection Succeeded, Collection Failed           | Monitor data source health, alert on failures
Data Validation   | Data Validation Succeeded, Data Validation Failed | Track data quality, respond to validation issues
Threat Detection  | Threat Detected, Threat Resolved                  | Auto-response to security threats, incident creation
Classification    | Classification Added, Classification Removed      | Auto-vaulting, compliance workflows, tagging
Entity Changes    | Entity Alert                                      | Track account/group/owner changes (Create/Update/Delete)

Each trigger provides a set of variables (e.g., {threat_name}, {job_error}, {classification}) that can be used in workflow templates. See the Triggers topic for complete variable lists.

Workflow Filtering

Workflows can be scoped to specific events using filter options:

  • Threat Detection: Filter by threatid to respond only to specific threat rules
  • Classification: Filter by classificationid to trigger actions for specific classifications
  • Entity Alerts: Filter by entityid and entityalerttype (Create/Update/Delete)

Template Variables

Workflow payloads support template variable substitution using {variable_name} syntax:

Subject: Threat Detected: {threat_name} on {platform}
Body: Account {name} triggered threat rule {threat_name} with a score of {score}.
Affected accounts: {accounts}

Variables are automatically populated from the triggering event. See Triggers for available variables by trigger type.
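The matching, filtering, rendering and approval steps from the Event-Driven Architecture list above, together with the {variable} templating described in this section, as an added illustration. This is not Hydden's own code; the trigger names, per-trigger variable sets, filter keys and sample event are assumptions based on the examples on this page.

```python
import re
from dataclasses import dataclass, field

# Variables each trigger exposes (illustrative names from this page, not Hydden's full list).
TRIGGER_VARIABLES = {
    "threat_detected": {"threat_name", "platform", "name", "score", "accounts"},
    "collection_failed": {"job_error"},
}
VAR = re.compile(r"\{(\w+)\}")  # matches {variable_name} placeholders

@dataclass
class Workflow:
    name: str
    trigger: str                      # trigger discriminator the workflow listens for
    payload: str                      # message template using {variable} syntax
    enabled: bool = True              # the "on" toggle
    filters: dict = field(default_factory=dict)  # e.g. {"threatid": 42}
    requires_approval: bool = False

def unknown_variables(workflow):
    """Placeholders the trigger cannot populate: the usual cause of 'variables not substituting'."""
    used = set(VAR.findall(workflow.payload))
    return sorted(used - TRIGGER_VARIABLES.get(workflow.trigger, set()))

def render(template, variables):
    # Unknown placeholders are left verbatim so the gap is visible in the delivered message.
    return VAR.sub(lambda m: str(variables.get(m.group(1), m.group(0))), template)

def matches(workflow, event):
    if not workflow.enabled or workflow.trigger != event["trigger"]:
        return False
    # Every filter key must equal the event's value; no filters means every event of the trigger.
    return all(event.get(k) == v for k, v in workflow.filters.items())

def dispatch(workflows, event):
    """(workflow name, status, rendered payload) for each workflow the event fires."""
    return [(wf.name, "pending_approval" if wf.requires_approval else "executed",
             render(wf.payload, event["variables"]))
            for wf in workflows if matches(wf, event)]

# Constructed sample event and workflows, not real Hydden data.
SAMPLE_EVENT = {"trigger": "threat_detected", "threatid": 42, "variables": {
    "threat_name": "Dormant admin", "platform": "Active Directory",
    "name": "svc_backup", "score": 85, "accounts": "svc_backup"}}
SAMPLE_WORKFLOWS = [
    Workflow("Ticket for rule 42", "threat_detected", "Threat Detected: {threat_name} on {platform}",
             filters={"threatid": 42}, requires_approval=True),
    Workflow("Email on any threat", "threat_detected", "Account {name} scored {score}"),
    Workflow("Rule 7 only", "threat_detected", "{threat_name}", filters={"threatid": 7}),
    Workflow("Switched off", "threat_detected", "{threat_name}", enabled=False),
]
```

Running unknown_variables() over a workflow before enabling it catches a placeholder the trigger does not provide, which is the first check the Troubleshooting section suggests for unsubstituted variables.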

Why Configure Automation

Automation transforms Hydden Discovery from a passive monitoring platform into an active security control by enabling immediate, consistent responses to discovered accounts and threats:

  • Accelerate Security Response: Automatically notify relevant teams, create tickets, or trigger remediation workflows in real-time, reducing the time between discovering a risk and taking action from hours or days to seconds.

  • Ensure Consistent Enforcement: Define standardized workflows that apply consistent policies across all discovered accounts, eliminating manual process inconsistencies and human error.

  • Integrate with Existing Tools: Connect Hydden to your existing security and IT operations tools—ServiceNow, PAM systems, SIEM platforms, email providers—enabling seamless integration into established workflows without replacing existing investments.

  • Enable Closed-Loop Remediation: For supported PAM systems like CyberArk and BeyondTrust, automatically onboard or move accounts to vaults based on classification rules, reducing manual administrative overhead and improving privileged account security posture.

  • Scale Security Operations: Replace manual triage and remediation with automated actions, enabling security teams to manage exponentially more accounts and threats with the same resources while maintaining or improving response quality.

  • Maintain Audit Trails: All automated actions are logged and tracked, providing complete audit trails for compliance and forensic analysis.

Configuration Workflow

Configuring automation follows a three-step process:

  1. Create Credentials: Configure credentials for action providers (email servers, ServiceNow instances, PAM vaults) in Configuration > Settings > Credentials

  2. Add Providers: Configure action providers on the Providers tab with connection details and credentials

  3. Create Workflows: Define workflows on the Workflows tab by selecting:

    • Trigger: The event that initiates the workflow
    • Action: The provider that executes the response
    • Payload/Configuration: Templated message content or action parameters
    • Filter Options (optional): Scope workflow to specific events
    • Approval Settings (optional): Require manager approval before execution

  4. Enable Workflows: Toggle workflows to the "on" position to activate them

NOTE

A collection must be run successfully at least once before collection-related triggers can fire. Threat detection workflows require the Allow Workflow Trigger checkbox to be enabled on the threat detection rule.

Prerequisites

Before configuring automation:

  • Credentials: Create credentials for action providers in Configuration > Settings > Credentials
  • Network Access: Ensure Hydden Discovery can reach external systems (SMTP servers, ServiceNow instances, webhook endpoints, PAM vaults)
  • Permissions: Verify service accounts have appropriate permissions (e.g., ServiceNow incident creation, PAM account management)
  • Data Sources: At least one data source must be configured and successfully collected

Common Use Cases

Security Operations

  • Threat Response: Automatically create ServiceNow incidents when high-risk threats are detected
  • Compliance Alerting: Send email notifications when dormant privileged accounts are discovered
  • SIEM Integration: Push threat events to SIEM platforms via webhook

Privileged Access Management

  • Auto-Vaulting: Automatically onboard newly discovered privileged accounts to CyberArk or BeyondTrust
  • Classification-Based Vaulting: Vault accounts when specific classifications are applied
  • Account Lifecycle: Remove accounts from vaults when classifications are removed

Operations & Monitoring

  • Collection Monitoring: Alert teams when data source collections fail
  • Data Quality: Notify data stewards when data validation fails
  • Change Tracking: Send notifications when critical accounts are created, modified, or deleted

Troubleshooting

  • Workflow not triggering: Verify workflow is enabled (toggle to "on"), check that trigger conditions are met, ensure threat rules have "Allow Workflow Trigger" enabled
  • Email not sending: Verify SMTP server settings, check credential configuration, test network connectivity to mail server
  • ServiceNow ticket not created: Verify endpoint URL format, check ServiceNow credentials have incident creation permissions, review ServiceNow instance logs
  • Webhook failing: Check webhook URL is accessible, verify authentication credentials, review webhook endpoint logs for errors
  • Vault integration failing: Verify PAM credentials are valid, check network access to vault system, ensure rate limits not exceeded (30 accounts/minute), confirm target safe/vault exists
  • Variables not substituting: Ensure variable names match available variables for trigger type (see Triggers), check template syntax uses {variable} format
