Posted on Mar 6th, 2016 by Ohad Ramot

I'd like to share some technical tips with you about network security change automation. As the R&D leader of Tufin Orchestration Suite's SecureChange platform, I've had the opportunity on a technical level to see it put to work for our customers. All have complex enterprise networks, and some have IT service management and ticketing tools already in place.

SecureChange offers a rich set of tools that allow you to customize and integrate with external systems and processes. Our users often use these tools to integrate with their enterprise ticketing systems such as BMC Remedy and ServiceNow or to enrich the ticket with external data sources.

When You Should Consider Triggering Custom Scripts Automatically

There's an interesting feature of SecureChange that enables you to trigger custom scripts automatically, based on SecureChange internal events (hooks).

For example:

  • To perform a vulnerability assessment for the servers in the access request and embed the results back into a field in the ticket.
  • To update an external system that performs KPI calculations based on information from change tickets.

The customized script (or executable) can be developed in any programming or scripting language so you can use your favorite language: perl, python, bash or even Java.

How Does It Work?

When spawning the script, SecureChange passes some essential information about the ticket through the standard input stream. This data, passed as XML, enables the script to be aware of its triggering context. It contains the ticket ID, its current step within the ticket's workflow, the ticket creation time and subsequent update dates, the name of the requester, the current ticket handler and more.

The ticket ID and current step ID are actually sufficient to retrieve any additional information through Tufin's REST APIs, however, the system also provides the XML stream as an alternative.

For example: Calling this API will retrieve the entire data about ticket #3 as json:


For detailed API documentation see https://<your-securechange-server>/securechangeworkflow/apidoc.

Custom scripts can be triggered upon the following events (hooks) in the ticket lifecycle: create, close, cancel, reject, advance to next step, redo, resubmit and reopen. The actual event that triggered the script is available through the environment parameter SCW_EVENT.

Watch this animated gif and learn more about how to configure a script that can be triggered automatically on the desired “advance to next step” event for network security changes.

Calling a script from SecureChange


Click image to enlarge Please join our Developer Community to discuss any related questions and share your success stories. Enjoy!