Monthly security review report

On the first of every month, pull incident, SOC, SIEM and vulnerability data from Qualys, Microsoft Defender, Sentinel, ServiceNow and Jira, let a security analyst agent synthesize it into prioritized actionables, and deliver the report to Teams and email - automatically, with a full audit trail.

What you'll build

This Flow is a scheduled, fan-out / fan-in pipeline. One trigger kicks off five parallel data collectors - one per security tool - which all feed a single security-analyst agent. The agent correlates and prioritizes the findings, a Report node assembles the deliverable, and two final steps push it to Teams and email. The finished graph looks like this.

The Monthly security review report Flow on the canvas: a trigger fanning out to five HTTP Request collectors (Qualys, MS Defender, Sentinel, ServiceNow, Jira), converging on a security analyst agent, then a report, then Post to Teams and Email report.
The finished Flow on the canvas. The trigger fans out to five data collectors (one per tool), which converge on the security-analyst agent. The report then fans out to the Teams and email delivery steps.

The pipeline at a glance

Trigger (1st of month, 0 6 1 * *)
   ├──▶ Qualys — vulnerabilities   (HTTP Request) ┐
   ├──▶ MS Defender — endpoints    (HTTP Request) │
   ├──▶ Sentinel — SIEM alerts     (HTTP Request) ├──▶ Security analyst
   ├──▶ ServiceNow — incidents     (HTTP Request) │      synthesis (Agent)
   └──▶ Jira — security tickets    (HTTP Request) ┘             ▼
                                                  Monthly review report (Report)
                                                        ├──▶ Post to Teams (HTTP Request)
                                                        └──▶ Email report  (HTTP Request)

The building blocks

Flows are assembled from a fixed palette of node types. This use case uses four of them. Open the palette any time with the Add nodes button on the canvas.

NodeRole in this Flow
TriggerStarts the run on a monthly schedule. Cron 0 6 1 * * = 06:00 on the 1st of each month.
HTTP RequestCalls each security tool's API with a stored credential. Used seven times: five collectors + Teams + email.
AgentA self-contained security-analyst agent that correlates all five feeds and produces prioritized findings.
ReportSynthesizes the agent output into a single readable deliverable, stored on the run.

Why HTTP Request for every tool? There are no dedicated Qualys, Defender, Sentinel, ServiceNow or Teams nodes. Every external integration is the generic HTTP Request node pointed at that tool's REST API, authenticated with a credential you store once. This keeps the Flow explicit about exactly which endpoint it hits and what it sends - and lets you add any tool with an API, not just a fixed catalog.

Build it step by step

  1. 1Create the Flow & set the schedule. From the Flows tab, click New Flow, name it Monthly security review report, and open the Trigger node. Choose Schedule and enter 0 6 1 * * so it runs at 06:00 on the 1st of every month.
  2. 2Add the five data collectors. Drop five HTTP Request nodes and connect each to the trigger so they run in parallel. Point each at its tool's API - Qualys (vulnerabilities), Microsoft Defender (endpoint alerts), Sentinel (SIEM alerts), ServiceNow (incidents), Jira (security tickets) - using a stored credential per tool.
  3. 3Add the security-analyst agent. Add an Agent node - Security analyst synthesis - and connect all five collectors into it. Give it an instruction to correlate the feeds, deduplicate, score by severity/exploitability, and emit a prioritized actionables list.
  4. 4Assemble the report. Add a Report node - Monthly review report - downstream of the agent. It captures the synthesized deliverable and files it on the run for audit.
  5. 5Deliver to Teams & email. Add two more HTTP Request nodes off the report - Post to Teams (a Teams incoming webhook) and Email report (an email-send endpoint) - so the report lands in your channel and inboxes.
  6. 6Save & commit. Click Save / Commit. The graph is validated on save - invalid node shapes are rejected - so a green save means the Flow is runnable.

Collecting the data

Because all five collectors are wired to the same trigger, they execute in parallel - the run is as fast as your slowest API, not the sum of all five. Each returns its slice of the security picture:

  • Qualys - open vulnerabilities and their severity / CVSS scores across scanned assets.
  • Microsoft Defender - endpoint detections and device-level alerts.
  • Microsoft Sentinel - SIEM incidents and correlated analytics-rule alerts.
  • ServiceNow - logged security incidents and their state / assignment.
  • Jira - a fifth collector pulls open security tickets, so the synthesis sees both what's detected and what's already being worked.

Synthesis & prioritized actionables

The Security analyst synthesis agent is the intelligence of the Flow. It receives all five feeds as input, then correlates them - matching a Qualys CVE to a Sentinel alert to an open ServiceNow incident - deduplicates overlapping signals, and ranks everything by severity and exploitability. Its output is a prioritized actionables list, not a raw dump: what to fix first, why, and which existing ticket or incident it maps to.

That output flows into the Monthly review report node, which files the full deliverable on the run so every month's report is retained and auditable.

Delivering to Teams & email

The report node fans out to two HTTP Request delivery nodes. Post to Teams sends the summary to a Microsoft Teams incoming webhook; Email report posts to an email-send endpoint for your distribution list.

Good to know. The built-in Microsoft 365 connector is read-only (it can search mail/Teams, not send). Outbound delivery therefore goes through the HTTP Request node to a Teams incoming webhook or an email-send endpoint, using a credential you store once in settings. Flows also raise an in-app run complete / run failed notification on every run regardless.

Run & monitor

Once saved and enabled, the Flow appears in the Flows list with its schedule, next-run time, and success rate.

The Flows list showing Monthly security review report at the top: 10 steps, Idle, schedule 0 6 1 * *, next run in 16d, 2m 8s duration, 6 runs 100% success.
The Flows list. Our Flow shows 10 steps, its 0 6 1 * * monthly schedule with the next run in 16 days, a 2m 8s average duration, and a 6 runs · 100% success history.

Open the Runs tab and expand a run for a live, step-by-step trace with per-node status, duration and cost - so you can watch all five collectors finish, then the synthesis, report and delivery.

Run trace, upper steps: 10 steps, total cost $0.12; 1st of month trigger succeeded; Qualys vulnerabilities HTTP request succeeded in 8s.
Run trace (top). The run header shows 10 steps and total cost. The trigger and the Qualys collector have succeeded, each with its duration.
Run trace, lower steps: Security analyst synthesis running; Monthly review report, Post to Teams, and Email report queued behind it.
Run trace (bottom). With the collectors done, Security analyst synthesis is running and the report + Teams/email delivery steps are queued behind it.

Notes & limits

  • Node types are fixed. You compose from the palette (Trigger, Crew, Agent, Swarm, Decision, Loop, Human, Report, Set Variable, Echo, HTTP Request, GitHub). There's no bespoke Qualys / Defender / Sentinel / ServiceNow / Teams node - every integration is an HTTP Request node as shown here.
  • Parallel by design. Wiring all five collectors to the trigger runs them concurrently; the agent waits for all five before synthesizing.
  • Credentials for each tool and the Teams/email webhooks are stored once in settings and referenced by the HTTP Request nodes - never inlined into the Flow definition.
  • Requires a Build seat. Flows is a build-surface feature and is gated accordingly.