Run by teams on workflow orchestration and AI platform Tines, the Tines library features over 1,000 pre-built workflows shared by security practitioners from across the community.
The latest standouts are workflows that handle malware alerts on Cloud Strike, Oomnitza, Github, and Pagerduty. The workflow developed by Lucas Cantor, creator of Fin.ai, makes it easier to determine the severity of security alerts and seamlessly escalate according to device owner responses. “This is a great way to reduce noise and add context to security issues added to the endpoint,” explains Lucas.
In this guide, we share an overview of the workflow, as well as step-by-step instructions for getting it up and running.
Problem – Lack of integration between security tools
For security teams, it can take a lot of time to respond to malware threats, analyze severity, and identify device owners so that they can be resolved.
From a workflow perspective, teams often have to:
Enrich alerts with additional metadata documents that respond manually to CrowdStrike events and alert call teams to Slack Notify via PagerDuty
Passing this process manually causes delays and increases the likelihood of human error.
Solutions – Automatic ticket creation, device identification, threat triage
Lucas’s pre-built workflows automate the process of taking malware alerts and creating cases, and definitively notifying device owners and on-call teams. This workflow helps security teams identify more accurate threat levels faster and faster:
Discover new alerts from cloud strike Identify and notify device owners of escalating important issues
The result is a streamlined response to malware security alerts that ensure that they are dealt with quickly, regardless of severity.
Important benefits of this workflow:
Repair Time Reduction Device Owners will be notified to a clear repair and escalation path centralized management system
Workflow Overview
Tools used:
Tines – Workflow Orchestration and AI Platform (Free Community Edition Available) Cloud Striker – Threat Intelligence and EDR Platform Oomnitza – IT Asset Management Platform Github – Developer Platform PagerDuty – Incident Management Platform Slack – Team Collaboration Platform
How it works
Part 1
Get security alerts from CrowdStrike Find the device that has been triggered with an alert, search for its details, create a GitHub ticket for the alert, and raise the issue with a slack message if the device is owned by the user and is low.
Part 2
Get user interaction with Slack messages and if the owner escalates the issue, enrich GitHub issues with user response Create a poser dutch event to notify on-call analysts
Configuring Workflows – Step-by-Step Guide
1. Log in to Tyne or create a new account.
2. Go to the library’s pre-built workflow.[インポート]Select . This requires direct take on new, pre-built workflows.
3. Set your credentials
Five credentials must be added to the Tines tenant.
Cloud StrikeOomnitza Github Pagerduty Slack
Please note that you can also use similar services to those listed above. Adjust the workflow.
From the Credentials page, select your new credentials and scroll to the relevant credentials to complete the required fields. Follow CrowdStrike, Oomnitza, Github, Pagerduty, and Slack Credential Guides.
4. Configure the action.
Set the environment variables. This includes slack it channel Alerting webhook (`slack_channel_webhook_urls_prod`) Cloud striker/github severity priority mapping (`crowdstrike_to_github_priority_map`) Crowdstrike to configure Crowdstrike and when I detected a Slack buttbot, I got a webhook when I did a New Crowdstrike detection.
5. Test your workflow.
6. Publish and operate
Once tested, publish your workflow.
If you want to test this workflow, you can sign up for a free Tines account.
Source link
