Where Simple Meets Extendable in the World of Automation


“Hi, I haven’t been scanned in 3 weeks.”

“Make sure I have the right software installed.”

Syxsense Cortex™ does the talking for you. When it talks back down to the device to say—it looks if you need new content in real-time. (Or, if you’ve built a custom policy, maybe it checks every week, once a month, or every few minutes.) 

Today we’re going to show you how to build enforcement policies using the Cortex automation and orchestration engine. 

It doesn’t matter how many tasks or processes you need in a workflow. Whether they’re intricate or two steps, automation handles the repetitiveness of coding it yourself.

The extendable nature means you control the adaptability and scalability. 

This post covers:

  1. How to check if your devices have disk space.
  2. An easier way to patch cloud.
  3. How extendable automation helps you with harder, larger projects.
  4. What a more advanced patching scenario looks like.

All are day-to-day operations that can be made with more agility in mind. 

How to Automate Checking Device Disk Space

It’s as simple as telling Cortex to look for disk space.

Let’s say anything more than 10 gigabytes is healthy—less than 5 GB is in a critical state.

Syxsense Cortex workflow to check disk space on a device.

If you have low disk space, you want to consider cleaning up that device. But now, you don’t need to write code, or any complex logic using Powershell or bash to do that.

You can grab these three easy moves and drop them right into the Syxsense console.

Syxsense Cortex workflow showing how to easily cleanup disk space

What do you want to clean out? 

Check the boxes and that work is carried out on the endpoint. 

Right now, we can just clean out some save folders. 

(Warning: Sometimes people put important documents in the recycle bin for reasons, so we won’t clean out that)

Sometimes you can save up to 20 or 30 gigabytes of disk space just with the content you’re managing. 

If the device is in a critical state, you’re going to evaluate it, fix it—and if you can’t can’t—you can use your existing ticketing service to submit a ticket (Hubspot, Freshdesk, etc.)

Send an email—”Hey, we spotted some issues, and took a swing at fixing them, but ran into a snag with the deployment. Here’s an email filling you in on what’s up with the device.”

An Easier Way to Patch Cloud

Not all automation should be applied to all assets. 

For example, let’s say that you have a cloud environment with a bunch of Linux servers. It wouldn’t make sense to have your laptop patching policy or your desktop antivirus policy assigned to all assets including cloud.

You’d probably want to narrow that down and say, “Hey, let’s just do vulnerability scanning and patching for the cloud endpoints.”

Let’s look at this “Customer A Cloud” workflow, which runs every month on the first Saturday of the month, during whatever time zone that endpoint appears to be in.

  1. Drag over and deploy your patch scanner. Look for any patches that need to be deployed.
  2. Check to see if any reboots are going to be triggered off of that. (*Note: There are cloud servers that are probably providing services that matter it would be irresponsible to just simply perform the reboot, so instead we’re going to have some logic here.)
  3. Send an approval. This is going to someone’s email address, but it’s not just a notification. It’s going to present them with an option to either approve or deny action, so again—we’re going to do tickets.
  4. Put in the name of the device. Select reboot or not. Give them two hours. They now have two hours to respond to the prompt. 

Since these are servers in a cloud environment, we don’t need to notify anyone, so we’ll just move forward with that deployment. 

There’s still some strategy left over around choosing assets and deploying the work.

After all, automation is only as good as the strategy and people backing it.

So, before you run that workflow, you’ll also build a policy.

Syxsense Cortex workflow to patch from the cloud.

Now you have a full process in place that’s going to check to see if there are patches required, deploy whatever it finds, check for a reboot, and if necessary, send out a notice to an admin asking them for permission to do the work. (If they approve it then a reboot happens on that server.)

How Extendable Automation Helps You With Harder, Larger Projects

What if you’re tackling more complex, larger projects that require combining heaps of smaller pieces?

Option 1) You could create policies for simple, straightforward tasks. Then you have a bunch of policies that cover various requirements — a method many of our clients use successfully today.

Option 2) Enter Cortex sequences, the orchestration complement to Cortex automation. You set up automation in Cortex, then use our sequencer to orchestrate it across multiple environments. You could specify, “For these two devices, do this Cortex workflow.”

Then, pick another pair of devices for the same workflow or something slightly different. You can even generate a report sent to your mailbox, summarizing the completed work. In our reporting system, you can check out patches that are missing, CVEs that need attention, and the device count tied to each vulnerability. 

It’s a comprehensive view of assessing risk, knowing what devices are healthy or unhealthy, and being able to asses these trends over time. 

Syxsense sample report of detected security vulnerabilities

More Complex Patching Against Your Environment

In this setup, we’re rolling out multiple applications to your environment, making sure firewall policies are in place, patching is enforced, conducting vulnerability scanning, and checking if BitLocker is enabled.

Syxsense Cortex complex workflow - endpoint provisioning

Here’s the rundown: First, we check if the firewall is enabled. If not, it’s enabled. Next, we inspect BitLocker’s status. If it’s not turned on, we initiate deployment.

Now, onto software installation. 

In this case, we’ve got it deploying Google Chrome, straight from our pre-built software library. Feel free to choose from over 3,000 packages in our application library. Here, we’re opting for the latest Chrome version and adding Google Drive, CrowdStrike, and Teams.

We don’t stop there—we check for critical patches, along with a vulnerability scan against configuration compliance. If anything is incorrectly provisioned or doesn’t work, it automatically submits a ticket over to the help desk, keeping the team in the loop.

It’s really important, that in the world of automation, you want to be able to create idempotent work that will reevaluate and re-conform a device to a standard. 

Today, many rely on code or platforms to transition from a base state to a compliance state for their organization.

But then they’re reluctant to re-run workflows because they don’t want to break or disrupt anything if they try to deploy it again.

That problem doesn’t come up using Syxsense. 

Each of these items can and should be executed independently, so you can deploy it once a day, or once a week, and it automatically does the work.

If CrowdStrike is already installed, fantastic—it moves on to the next task. If it’s installed but not updated; we’ll deploy the latest version of the platform.

We constantly evaluate the endpoints to make sure they conform to the standard that your team requires them to be if they’re not that’s okay we just push it to the latest and greatest.

If your mind is churning with your own automation and endpoint challenges, the Syxsense team are always here to walk you through how automation and orchestration can make your life easier while protecting your organization. Book a demo today to hear how we can help solve those challenges.