
Built by teams on the workflow orchestration and AI platform Tines, the Tines library features over 1,000 pre-built workflows shared by security practitioners from across the community.
The workflow featured here streamlines security alert processing by automatically identifying and executing the appropriate standard operating procedures (SOPs) from Confluence. When an alert is triggered, an AI agent analyzes it, finds the relevant SOPs, and performs the necessary remediation steps.
It was created by Michael Tolan, L2 security researcher at Tines, and Peter Wrenn, senior solutions engineer at Tines.
In this guide, we share an overview of the workflow, as well as step-by-step instructions for getting it up and running.
Problem – Manual alert triage and SOP execution
To respond efficiently to alerts, security teams need to quickly identify the threat type, find the right SOP, and perform the necessary remediation steps.
From a workflow perspective, teams often have to:
Manually analyze incoming security alerts, search Confluence for the related SOP documents, and carry out the findings and actions those documents describe.
This manual process is time-consuming, prone to human error, and can lead to inconsistent handling of similar alerts.
Solution – AI-driven alert triage with automatic SOP execution
This pre-built workflow automates the entire alert triage process by leveraging AI agents and Confluence SOPs, helping your security team respond faster and more consistently.
It uses AI to categorize the alert and automatically search Confluence for the related SOPs, creates a structured case record for tracking, deploys a second AI agent (subagent) to perform the remediation steps, documents all actions taken, and notifies the on-call team via Slack.
The result is a streamlined response to security alerts that ensures consistent handling according to established procedures.
Key benefits of this workflow
Reduced mean time to remediate (MTTR)
Consistent application of security procedures
Less analyst fatigue from repetitive tasks
Comprehensive documentation of every action
Improved visibility through automatic notifications
Workflow Overview
Tools used:
Tines – Workflow orchestration and AI platform (free Community Edition available)
Confluence – SOP knowledge management platform
This particular workflow also uses the tools below. Apart from Tines and Confluence, however, you can substitute the enrichment and remediation tools that already exist in your technology stack.
CrowdStrike – Threat intelligence and EDR platform
AbuseIPDB – IP reputation database
EmailRep – Email reputation service
Okta – Identity and access management
Slack – Team collaboration platform
Tavily – AI research tool
urlscan.io – URL analysis service
How it works
Part 1: Alert intake and analysis
The AI agent receives security alerts from the integrated security tools, analyzes each alert, searches Confluence for the related SOPs based on the alert classification, and creates a case record containing the alert details and the identified SOPs.
Part 2: Remediation and documentation
A second AI agent reviews the case and the SOP instructions, then carries out the remediation actions via the appropriate security tools. All actions are recorded in the case history.
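To make the two parts concrete, here is an added Python model of the flow (illustration only, not Tines' code and not the workflow's own logic). It assumes a keyword matcher standing in for the classification agent, a constructed in-memory SOP index standing in for the Confluence search, and a remediation step that only runs actions the matched SOP permits; anything else is logged and handed to a human.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed stand-in for the Confluence SOP space: label -> (page title, actions the SOP permits).
SOP_INDEX = {
    "phishing": ("SOP: Phishing Triage", {"quarantine_email", "reset_password", "notify_user"}),
    "malware": ("SOP: Endpoint Malware", {"isolate_host", "collect_triage", "notify_user"}),
    "brute-force": ("SOP: Credential Attack", {"lock_account", "reset_password", "notify_user"}),
}
# Stand-in for the first agent's classification step (keyword match instead of an LLM call).
KEYWORDS = {
    "phishing": ("phish", "suspicious email"),
    "malware": ("malware", "detection"),
    "brute-force": ("failed login", "brute"),
}

@dataclass
class Case:
    alert: dict
    label: str
    sop_title: Optional[str]
    history: List[str] = field(default_factory=list)  # audit trail of everything done
    needs_human: bool = False

def classify_alert(alert: dict) -> str:
    text = f"{alert.get('title', '')} {alert.get('description', '')}".lower()
    for label, words in KEYWORDS.items():
        if any(w in text for w in words):
            return label
    return "unclassified"

def open_case(alert: dict) -> Case:
    """Part 1: classify the alert, look up its SOP and record a case. No SOP means escalate."""
    label = classify_alert(alert)
    sop = SOP_INDEX.get(label)
    case = Case(alert, label, sop[0] if sop else None, needs_human=sop is None)
    case.history.append(f"classified as {label}; sop={case.sop_title}")
    return case

def run_remediation(case: Case, proposed: List[str]) -> Case:
    """Part 2: run the subagent's proposed actions only if the SOP permits them; anything
    outside the SOP is logged and routed to a human rather than executed."""
    allowed = SOP_INDEX[case.label][1] if case.sop_title else set()
    for action in proposed:
        if action in allowed:
            case.history.append(f"executed {action}")  # the real tool call would go here
        else:
            case.history.append(f"rejected {action}: not permitted by {case.sop_title}")
            case.needs_human = True
    return case
```

The allow-list check is the point to keep when wiring this to real tools: the subagent proposes, but only SOP-sanctioned actions are executed, and every decision lands in the case history.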
Configuring Workflows – Step-by-Step Guide
1. Log in to Tines or create a new account.

2. Go to the pre-built workflow in the library and select Import.

3. Set up your credentials

You must have credentials for every tool used in this workflow. You can add or remove tools as needed for your environment.
Confluence
CrowdStrike
AbuseIPDB
EmailRep
Okta
Slack
Tavily
urlscan.io
VirusTotal
From the Credentials page, select New credential and scroll to the relevant credential type to complete the required fields. Follow the credential guides at explained.tines.com.
4. Configure the actions.
Set the environment variables. This particular workflow requires a Slack channel dedicated to notifications (by default it is hardcoded as #Alerts, but this can be adjusted in the Slack actions).
5. Customize the AI prompts
The workflow includes two key AI agents:
Alert Analysis Agent: customize its prompt to identify alert types
Remediation Agent: customize its prompt to guide remediation actions
6. Test your workflow.
Create a test alert and review the result.
Check that the alert is categorized correctly, the correct SOP is retrieved from Confluence, and a case is created with the appropriate details.
7. Publish and operate
Once tested, publish your workflow and integrate it with security tools to begin receiving live alerts.
If you want to test this workflow, you can sign up for a free Tines account.