Overview
Nucleus uses a rules-based system to enable you to automate various tasks in your environment. Ticketing rules are one of the main ways to automate creating tickets in external tools from Nucleus, and keep your tickets in sync with your Nucleus source of truth. As data flows into Nucleus from vulnerability scanners, the ticketing automation rules tell Nucleus to create tickets in external issue tracking tools automatically.
This enables you to predefine the vulnerabilities that should go to specific external ticketing systems where you already manage your remediation, automating many of the administrative processes associated with Vulnerability Management workflows.
Optionally, Nucleus can also automatically close tickets in external systems when the vulnerability has been remediated in Nucleus.
Note
Ticketing rules will apply to ALL vulnerability instances in your Nucleus console that match the ticketing rule criteria, not just NEW vulnerabilities.
⚠️ Case Sensitivity
When using exact match conditions (e.g., “is,” “is not,” or “equals”), matching is case-sensitive.
For example, if your rule condition is set to match the value Production, it will not match production or PRODUCTION.
Creating Ticketing Rules in the Nucleus UI
To create a new ticketing automation rule in the Nucleus console:
Select your project, then navigate to the Automation section from the left navigation panel.
Select the Ticketing & Issue Tracking tab.
Click the + Add Rule button.
On the Rule Details tab:
Enter a Rule Name that describes the rule, how it is used, and the parameters that trigger this rule. This rule name will be included in some of the notifications.
For example: "Ticket to SOC For New Critical Vulnerabilities on Business Critical Firewalls".
Under Vulnerability Criteria, specify the criteria used to trigger the rule.
For example: “Ticket all vulnerabilities with a Critical or High severity and are Exploitable”.
Under Asset Criteria, specify the asset-related criteria. Asset criteria enable you to define a subset of assets that should be affected by this rule (and consequently have a ticket created).
For example: “Only ticket assets with External Network Exposure AND a Business Criticality of Critical”.
NOTE: When multiple Asset Criteria are defined, selecting Any Criteria instead of All Criteria causes tickets to be created if ANY criterion is met. In the example above, tickets would be created if an asset’s Network Exposure is External, OR if its Business Criticality is Critical.
For a complete list of available criteria, see the Vulnerability and Asset Criteria Reference section below.
When finished defining Vulnerability and Asset Criteria, click Next.
On the External System tab:
Select the System to create tickets in from the list of configured Ticketing connectors.
Depending on the type of Ticketing connector, you will be presented with options for specifying details like which Project in Jira to write to and what content to include in tickets. Review the documentation for the specific connector you are creating to learn more about the options and features available.
After configuring options, click Next.
On the Advanced Settings tab:
Check Enable Nucleus Bot Comments to have Nucleus automatically add comments on tickets for events like the finding being remediated on specific assets or discovered on additional assets.
Check Enable auto-close of tickets to have tickets automatically close when all finding instances associated with the ticket have been remediated.
Depending on the connector, you may be required to select which Closed state on tickets to use when auto-closing.
By default, connectors are configured to not close tickets for temporary status changes that have an expiration date. This allows tickets to remain open for visibility and for scenarios where you don’t want to impact SLA tracking in the external system. Disabling this option will auto-close tickets with a temporary closed state and create a New ticket when the status expires and the vulnerability is active again.
To run the ticketing rule immediately for vulnerabilities already ingested into Nucleus, check the Run this rule on save option. Otherwise, the rule will be triggered the next time data is ingested that matches the specified criteria. You can also use the Run now button under Actions from your list of Ticketing rules to process the rule on demand.
Click Save & Finish.
The rule is now saved and will appear in your Ticketing rules list. Repeat with as many automation rules as you need to start automating your vulnerability management ticketing workflows!
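The case-sensitivity note and the All Criteria / Any Criteria note above both change how many assets a rule tickets. The following added example (a local model, not Nucleus code) previews a rule against a constructed inventory before saving it; the `Environment` custom field and all asset values are assumptions made for illustration.

```python
# Added illustration of the matching semantics on this page; not Nucleus code.
# Field names follow the criteria tables; "Environment" stands in for a custom
# field, and all sample assets are constructed.

def exact_is(actual, expected):
    """Exact-match qualifier ("is"): case-sensitive."""
    return actual == expected

def asset_matches(asset, criteria, mode="all"):
    """criteria: list of (field, expected); mode 'all' = All Criteria, 'any' = Any Criteria."""
    results = [exact_is(asset.get(f), v) for f, v in criteria]
    if not results:
        return True  # no asset criteria entered: the rule matches every asset
    return all(results) if mode == "all" else any(results)

def preview(assets, criteria, mode="all"):
    """Names of assets the rule would ticket."""
    return [a["name"] for a in assets if asset_matches(a, criteria, mode)]

def case_near_misses(assets, field, expected):
    """Assets excluded only because the stored value differs in letter case."""
    return [a["name"] for a in assets
            if isinstance(a.get(field), str)
            and a[field] != expected
            and a[field].casefold() == expected.casefold()]

ASSETS = [  # constructed sample inventory
    {"name": "fw-edge-01", "Network Exposure": "External",
     "Business Criticality": "Critical", "Environment": "Production"},
    {"name": "web-dmz-02", "Network Exposure": "External",
     "Business Criticality": "Low", "Environment": "production"},
    {"name": "db-core-03", "Network Exposure": "Internal",
     "Business Criticality": "Critical", "Environment": "PRODUCTION"},
    {"name": "hr-laptop-04", "Network Exposure": "Internal",
     "Business Criticality": "Low", "Environment": "Production"},
]
RULE = [("Network Exposure", "External"), ("Business Criticality", "Critical")]

if __name__ == "__main__":
    print("All Criteria:", preview(ASSETS, RULE, "all"))
    print("Any Criteria:", preview(ASSETS, RULE, "any"))
    print("Environment is Production:",
          preview(ASSETS, [("Environment", "Production")]))
    print("Missed on case only:",
          case_near_misses(ASSETS, "Environment", "Production"))
```

Running the same comparison on an asset export before enabling "Run this rule on save" shows whether a rule would open far more tickets than intended, or silently skip assets whose values differ only in case.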
Vulnerability and Asset Criteria Reference
Vulnerability Criteria
Condition | Description | Field Type |
|---|---|---|
Assigned Team | Filter by the team assigned to the finding | Tag/multi-select (teams). Qualifiers: is assigned, is unassigned, is one of, is none of |
Assignee | Filter by the user assigned to the finding | Tag/multi-select (project users). Qualifiers: is assigned, is unassigned, is one of, is none of |
CISA KEV Vulnerability | Indicates whether the vulnerability is on the CISA Known Exploited Vulnerabilities (KEV) catalog | Boolean: Yes, No |
CVE | Filter by one or more CVE identifiers | Tag/multi-select (free-entry). Qualifiers: contains, is any of, is all of |
CVE Exists | Indicates whether the finding has an associated CVE | Boolean: Yes, No |
CVSS Score | Filter by CVSS base score (0.0–10.0) | Numeric. Qualifiers: greater than, less than, equals, range |
EPSS Score | Filter by EPSS probability score (0.0–1.0) | Numeric. Qualifiers: greater than, less than, range |
Finding Package | Filter by the package the finding is associated with | Tag/multi-select (free-entry). Qualifier: is one of |
Finding Package Fix Versions | Filter by the fix versions reported for the package | Text. Qualifier: contains |
Finding Package Version | Filter by the affected package version | Text. Qualifier: contains |
Nucleus Actors | Threat actors associated with the vulnerability | Tag/multi-select (free-entry). Qualifiers: is any of, is all of, is none of |
Nucleus Ease of Exploitation | Indicates the assessed ease of exploitation | Dropdown: Very Easy, Easy, Moderate, Hard, Very Hard. Qualifiers: is one of, is none of |
Nucleus Exploit Weaponized | Indicates whether a weaponized exploit is available | Boolean: Yes, No |
Nucleus Exploitation Consequence | Indicates the assessed consequence of successful exploitation | Dropdown: Code Execution, Unauthorized Access, Command Execution, Privilege Escalation, Data Exfiltration, Denial of Service, Service Disruption. Qualifiers: is one of, is none of |
Nucleus Exploited | Indicates whether the vulnerability has been exploited | Boolean: Yes, No |
Nucleus Exploited by Malware | Indicates whether the vulnerability has been exploited by malware | Boolean: Yes, No. Qualifiers: is, exists, does not exist |
Nucleus Exploited by Ransomware | Indicates whether the vulnerability has been exploited by ransomware | Boolean: Yes, No |
Nucleus Fix Available | Indicates whether a fix is available | Boolean: Yes, No |
Nucleus Impacts OT | Indicates whether the vulnerability impacts operational technology | Boolean: Yes, No |
Nucleus Likely to be Exploited | Indicates whether Nucleus assesses the vulnerability is likely to be exploited | Boolean: Yes, No |
Nucleus Malware | Malware associated with the vulnerability | Tag/multi-select (free-entry). Qualifiers: exists, does not exist, is any of, is all of, is none of |
Nucleus Mitigation Available | Indicates whether a mitigation is available | Boolean: Yes, No |
Nucleus Patch Available | Indicates whether a patch is available | Boolean: Yes, No |
Nucleus Private Exploit Available | Indicates whether a private exploit is available | Boolean: Yes, No |
Nucleus Public Exploit Available | Indicates whether a public exploit is available | Boolean: Yes, No |
Nucleus Remote Exploitation | Indicates whether the vulnerability is remotely exploitable | Boolean: Yes, No |
Nucleus Risk Score | Filter by the Nucleus-calculated risk score (0–1000) | Numeric. Qualifiers: greater than, less than, equals, range |
Nucleus Threat Rating | Indicates the Nucleus-assigned threat rating | Dropdown: Existential, Critical, High, Medium, Low. Qualifiers: is one of, is none of, exists, does not exist |
Nucleus Widely Exploited | Indicates whether the vulnerability is widely exploited | Boolean: Yes, No |
Nucleus Zero Day | Indicates whether the vulnerability is currently a zero-day | Boolean: Yes, No |
Nucleus Zero Day Previously | Indicates whether the vulnerability was previously a zero-day | Boolean: Yes, No |
Source | Filter by scan source/finding source | Tag/multi-select (free-entry). Qualifier: is one of |
Vulnerability Description | Filter by text contained in the vulnerability description | Text. Qualifier: contains |
Vulnerability Discovered | Filter by number of days since the vulnerability was discovered | Numeric (# of days, max 4000). Qualifiers: greater than, less than |
Vulnerability Exploitable | Filter by exploitable flag | Dropdown: Exploitable, Not Exploitable. Qualifier: is |
Vulnerability Name | Filter by text contained in the vulnerability name | Text. Qualifier: contains |
Vulnerability Path | Path component reported with the finding (e.g., file/URL/package path) | Text. Qualifier: contains |
Vulnerability Severity | Filter by vulnerability severity | Dropdown: Critical, High, Medium, Low, Informational. Qualifier: is one of |
Vulnerability Solution | Filter by text contained in the recommended solution | Text. Qualifier: contains |
Vulnerability Status | Filter by finding status | Tag/multi-select (statuses). Qualifier: is one of |
Vulnerability Type | High-level vulnerability classification | Dropdown: OS, Application, Hardware. Qualifiers: is any of, is none of, does not exist |
Asset Criteria
Condition | Description | Field Type |
|---|---|---|
All | Default behavior when no asset criteria is entered. The rule matches every asset. | All |
App Name | Filter by application name. | Text field with exact matching, wildcard matching, or full regex matching |
Asset Group | Create tickets only for assets that are in (or not in) the selected asset groups. | Searchable dropdown. Qualifiers: is in all of, is in any of, is in none of, is, is not, is empty, is not empty |
Asset Name | Create tickets for all assets that match a certain name or naming convention. | Text field with exact matching, wildcard matching, or full regex matching |
Asset Type | Create tickets for all assets of a specific type. | Dropdown. Qualifiers: is one of, is none of |
Branch | Filter by application branch. | Text field. Qualifiers: is, is not |
Business Criticality | Filter by the asset's business criticality rating. | Dropdown: Critical, High, Moderate, Low. Qualifiers: is one of, is none of |
Business Owner | Search for and select any user in the current Nucleus project. | Search field or text field with dynamic matching ( |
Business Owner Team | Search for and select any team in the current Nucleus project. | Search field or text field with dynamic matching ( |
CI Alias | Filter container images by alias. | Text field with exact matching, wildcard matching, or full regex matching |
CI Digest | Filter container images by digest. | Text field with exact matching, wildcard matching, or full regex matching |
CI ID | Filter container images by ID. | Text field with exact matching, wildcard matching, or full regex matching |
CI Platform Arch | Filter container images by CPU architecture. | Dynamic dropdown. Qualifiers: is one of, is none of, is empty, is not empty |
CI Platform Arch Features | Filter container images by CPU architecture features. | Text field with exact matching, wildcard matching, or full regex matching |
CI Platform Arch Variant | Filter container images by CPU architecture variant. | Text field with exact matching, wildcard matching, or full regex matching |
CI Platform OS | Filter container images by operating system. | Dynamic dropdown. Qualifiers: is one of, is none of, is empty, is not empty |
CI Platform OS Features | Filter container images by operating system features. | Text field with exact matching, wildcard matching, or full regex matching |
CI Platform OS Version | Filter container images by operating system version. | Text field with exact matching, wildcard matching, or full regex matching |
CI Registry | Filter container images by registry. | Text field with exact matching, wildcard matching, or full regex matching |
CI Repository | Filter container images by repository. | Text field with exact matching, wildcard matching, or full regex matching |
CI Tag | Filter container images by tag. | Text field with exact matching, wildcard matching, or full regex matching |
Compliance Scope | Filter by the asset's compliance scope. | Dropdown: In-Scope, Out-of-Scope. Qualifier: is |
Custom Fields | Create tickets for assets matching a custom asset field. | Text field with exact matching, wildcard matching, or full regex matching |
Data Sensitivity | Filter by the asset's data sensitivity rating. | Dropdown: Critical, High, Moderate, Low, Unknown. Qualifiers: is one of, is none of |
Description | Filter by the asset description or notes. | Text field with exact matching, wildcard matching, or full regex matching |
End of Life (EOL) | Filter by the asset's end-of-life status. | Numeric field (days). Qualifiers: is EOL, is not EOL, within |
Host Name | Filter by the asset's host name. | Text field. Qualifiers: is, is not |
IP | Create tickets for assets with a specific IP, IP range, or comma-separated list of IPs. | IP field |
Language | Filter by application language. | Text field with exact matching, wildcard matching, or full regex matching |
Location | Filter by the asset's location. | Text field with exact matching, wildcard matching, or full regex matching |
MAC Address | Filter by the asset's MAC address. | Text field with exact matching, wildcard matching, or full regex matching |
Network Exposure | Filter by the asset's network exposure. | Dropdown: Internal, External. Qualifiers: is, is not |
Operating System | Filter by the asset's operating system. | Text field with exact matching, wildcard matching, or full regex matching |
Repository Type | Filter by application repository type. | Dropdown: git, svn, cvs. Qualifiers: is one of, is none of |
Repository URL | Filter by application repository URL. | Text field with exact matching, wildcard matching, or full regex matching |
Source | Filter by the asset's source or scan type. | Text field. Qualifiers: is, is not |
Support Team | Search for and select any team in the current Nucleus project. | Search field or text field with dynamic matching ( |
Create tickets for all assets which match a custom asset field | Text field with exact matching, wildcard matching, or full regex matching |
Custom Asset Fields
Nucleus allows you to import custom metadata fields for all assets from external systems such as ServiceNow CMDB, the API, or asset CSV upload. You can use these fields in all asset matching and ticketing rules for maximum flexibility.
Creating Webhooks in Ticketing Automation rules
When selecting Webhook:
Enter the Webhook URL where vulnerability data should be sent (required)
Configure Basic Auth Settings (optional) if your endpoint requires authentication:
Username: Enter the username for basic authentication
Password: Enter the password for basic authentication
The webhook integration sends formatted vulnerability data to your specified endpoint whenever vulnerabilities match your rule criteria. This allows you to:
Connect to custom ticketing systems not supported by built-in connectors
Trigger custom workflows in your organization's automation platforms
Export vulnerability data to security dashboards or analytics platforms
When using webhooks, ensure your receiving endpoint can handle the expected volume of data, especially when using "Run this rule on save" with large datasets.
You can also use https://webhook.site/ as a test endpoint for functionality review.
For webhook connections to Jira specifically, refer to our Jira Ticketing Integration documentation for additional configuration steps.
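A minimal receiving endpoint for the webhook described above, as an added example (not Nucleus code): it checks the Basic Auth credentials in constant time, caps the body size, and queues each delivery so responses stay fast during bulk runs. The POST method, port, credentials, size cap and queue depth are assumptions, and the payload is treated as opaque JSON because this page does not define its schema.

```python
import base64, hmac, json, queue
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_USER = "nucleus-hook"      # assumption: same value as the rule's Basic Auth Username
EXPECTED_PASS = "change-me"         # placeholder; load from a secret store in practice
MAX_BODY = 1_000_000                # assumption: reject bodies larger than 1 MB
WORK = queue.Queue(maxsize=10_000)  # bounded buffer drained by a separate worker

def basic_auth_ok(header):
    """Validate an Authorization header value against the expected credentials."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return False
    user, _, password = decoded.partition(":")
    # compare_digest avoids leaking how much of the value matched
    user_ok = hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), EXPECTED_PASS.encode())
    return user_ok and pass_ok

def accept(header, body):
    """Return the HTTP status for one delivery; enqueue the payload on success."""
    if not basic_auth_ok(header):
        return 401
    if len(body) > MAX_BODY:
        return 413
    try:
        payload = json.loads(body)
    except ValueError:
        return 400
    try:
        WORK.put_nowait(payload)
    except queue.Full:
        return 503  # back-pressure instead of unbounded memory growth
    return 202

class Hook(BaseHTTPRequestHandler):
    def do_POST(self):
        raw = self.headers.get("Content-Length", "")
        # a missing or malformed length is treated as oversized and rejected
        length = int(raw) if raw.isdigit() else MAX_BODY + 1
        if length > MAX_BODY:
            status = 413
        else:
            status = accept(self.headers.get("Authorization"), self.rfile.read(length))
        self.send_response(status)
        self.end_headers()

if __name__ == "__main__":
    # Basic Auth is only base64-encoded: terminate TLS in front of this listener.
    HTTPServer(("127.0.0.1", 8080), Hook).serve_forever()
```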
Creating Ticketing Rules via the API
Refer to the API docs for your instance to try it out and start automating vulnerabilities at scale!
With the API, you can do the following:
Create new ticketing automation rules.
Update existing ticketing automation rules.
Get the details of existing ticketing automation rules.
Get a list of all ticketing automation rules that have been created.
Questions about Nucleus Automation Workflows? Contact support here and we'll be happy to help you out!