How to automate ticket creation, device identification, and threat triage with Tines

5 Min Read

The Tines library, part of the workflow orchestration and AI platform Tines, features over 1,000 pre-built workflows shared by security practitioners from across the community.

The latest standouts are workflows that handle malware alerts across CrowdStrike, Oomnitza, GitHub, and PagerDuty. The workflow developed by Lucas Cantor, creator of Fin.ai, makes it easier to determine the severity of security alerts and to escalate them based on the device owner's response. “This is a great way to reduce noise and add context to security issues added to the endpoint,” explains Lucas.

In this guide, we share an overview of the workflow, as well as step-by-step instructions for getting it up and running.

Problem – Lack of integration between security tools

Responding to a malware detection takes security teams a lot of time: assessing its severity, identifying the device owner, and getting the issue resolved.

From a workflow perspective, teams often have to:

  • Manually respond to CrowdStrike detections
  • Enrich alerts with additional metadata
  • Document the issue and alert device owners via Slack
  • Notify the on-call team via PagerDuty

Running this process by hand causes delays and increases the likelihood of human error.

Solution – Automatic ticket creation, device identification, threat triage

Lucas's pre-built workflow automates the process of taking malware alerts, creating cases, and notifying device owners and on-call teams. It helps security teams establish accurate threat levels faster:

  • Detect new detections from CrowdStrike
  • Identify and notify the device owner
  • Escalate serious issues

The result is a streamlined response to malware alerts that ensures they are dealt with quickly, whatever their severity.

Key benefits of this workflow:

  • Reduced time to remediate
  • Device owners kept informed
  • Clear remediation and escalation paths
  • Centralized tracking of cases

Workflow Overview

Tools used:

  • Tines – Workflow orchestration and AI platform (free Community Edition available)
  • CrowdStrike – Threat intelligence and EDR platform
  • Oomnitza – IT asset management platform
  • GitHub – Developer platform
  • PagerDuty – Incident management platform
  • Slack – Team collaboration platform

How it works

Part 1

  • Receive security alerts from CrowdStrike
  • Find the device that triggered the alert and look up its details
  • Create a GitHub issue for the alert and post it in a Slack message
  • If the device is assigned to a user and the alert is low priority:
    • Message the owner and ask whether the issue should be escalated
  • If the device is assigned to a user and the alert is high priority:
    • Create a PagerDuty incident and notify on-call analysts
    • Notify the owner of the ongoing issue

Part 2

  • Receive the user's interaction with the Slack message
  • Enrich the GitHub issue with the user's response
  • If the owner escalates the issue:
    • Create a PagerDuty incident and notify on-call analysts
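The routing logic behind Part 1 and Part 2, as an added Python example (not Tines' own code and not the workflow author's). The severity-to-priority table stands in for the `Crowdstrike_to_github_priority_map` resource; the detection and asset field names (`severity_name`, `hostname`, `owner_email`, `assigned`) and the button `action_id` values are constructed assumptions, so map them to the real payloads your tenant receives. Two failure modes the bullet list does not spell out are handled conservatively: a severity missing from the map, or a device with no assigned owner, pages on-call rather than silently falling into the "ask the owner" path.

```python
"""Severity-based triage routing for an EDR malware detection.

Added illustration, not code from Tines or from the workflow's author.
Payload field names (severity_name, hostname, owner_email, assigned)
and the Slack button action_ids ("escalate", "dismiss") are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the `Crowdstrike_to_github_priority_map`
# resource: CrowdStrike severity name -> GitHub priority label.
CROWDSTRIKE_TO_GITHUB_PRIORITY = {
    "Informational": "P4",
    "Low": "P4",
    "Medium": "P3",
    "High": "P2",
    "Critical": "P1",
}
# Priorities that page on-call directly instead of asking the owner first.
PAGE_PRIORITIES = {"P1", "P2"}

# Constructed sample inputs: one detection, two asset records.
SAMPLE_DETECTION = {
    "detection_id": "ldt:0123456789abcdef:42",
    "severity_name": "Low",
    "hostname": "LT-0042",
    "filename": "invoice.pdf.exe",
}
SAMPLE_ASSETS = {
    "lt-0042": {"owner_email": "alice@example.com", "assigned": True},
    "srv-db-01": {"owner_email": None, "assigned": False},
}


@dataclass
class Plan:
    """What the workflow should do for one detection (Part 1)."""
    priority: str
    issue_title: str
    ask_owner: bool            # low priority and owner known: ask before paging
    page_oncall: bool          # high priority, unmapped severity, or no owner
    owner: Optional[str]
    notes: list = field(default_factory=list)


def lookup_owner(hostname: str, assets: dict) -> Optional[str]:
    """Return the assigned owner's email, or None if the device is unassigned."""
    record = assets.get(hostname.lower())
    if record and record.get("assigned"):
        return record.get("owner_email")
    return None


def triage(detection: dict, assets: dict) -> Plan:
    """Decide the route for a new detection, failing closed on bad input."""
    sev = detection.get("severity_name", "")
    priority = CROWDSTRIKE_TO_GITHUB_PRIORITY.get(sev)
    notes = []
    if priority is None:
        notes.append(f"unmapped severity {sev!r}; treating as P1")
        priority = "P1"
    owner = lookup_owner(detection.get("hostname", ""), assets)
    if owner is None:
        notes.append("no assigned owner; paging on-call")
    title = (f"[{priority}] CrowdStrike detection on "
             f"{detection.get('hostname', 'unknown')}: "
             f"{detection.get('filename', 'unknown file')}")
    page = priority in PAGE_PRIORITIES or owner is None
    return Plan(priority=priority, issue_title=title, ask_owner=not page,
                page_oncall=page, owner=owner, notes=notes)


def handle_owner_response(payload: dict) -> dict:
    """Interpret a Slack `block_actions` interaction (Part 2).

    The "type"/"actions"/"user" layout is Slack's; the action_id names
    are assumed. Anything unexpected is ignored rather than escalated.
    """
    if payload.get("type") != "block_actions":
        return {"escalate": False, "comment": "ignored: not a block action"}
    actions = payload.get("actions") or []
    action_id = actions[0].get("action_id") if actions else None
    user = payload.get("user", {}).get("username", "unknown")
    if action_id == "escalate":
        return {"escalate": True, "comment": f"{user} asked to escalate"}
    if action_id == "dismiss":
        return {"escalate": False, "comment": f"{user} marked this as expected"}
    return {"escalate": False, "comment": f"ignored: unknown action {action_id!r}"}


if __name__ == "__main__":
    print(triage(SAMPLE_DETECTION, SAMPLE_ASSETS))
    print(handle_owner_response({"type": "block_actions",
                                 "user": {"username": "alice"},
                                 "actions": [{"action_id": "escalate"}]}))
```

In the real workflow the `Plan` fields correspond to the branches of the story: `ask_owner` drives the Slack message with buttons, `page_oncall` drives the PagerDuty action, and `notes` is the kind of context worth writing back into the GitHub issue.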

Configuring Workflows – Step-by-Step Guide

1. Log in to Tines or create a new account.

2. Go to the pre-built workflow in the library and select Import. This opens a new copy of the pre-built workflow in your tenant.

3. Set your credentials

Five credentials must be added to the Tines tenant.

  • CrowdStrike
  • Oomnitza
  • GitHub
  • PagerDuty
  • Slack

Note that you can substitute similar services for those listed above; adjust the workflow accordingly.


From the Credentials page, select New credential and scroll to the relevant credential type to complete the required fields. Follow the CrowdStrike, Oomnitza, GitHub, PagerDuty, and Slack credential guides.

4. Configure the actions.

  • Set the environment variables. These include:
    • The Slack IT alert channel webhook (`slack_channel_webhook_urls_prod`)
    • The CrowdStrike-to-GitHub severity/priority mapping (`Crowdstrike_to_github_priority_map`)
  • Configure CrowdStrike to call the "New CrowdStrike detection" webhook when a detection is created
  • Set the Slack app's interactivity request URL to the "Receive button press" webhook
  • Treat both webhook URLs as secrets: anyone who can reach them can inject detections or button presses into the workflow, so restrict who can see them and verify the origin of incoming requests where the sender supports it
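The "Receive button press" webhook is the path by which an owner's click turns into a PagerDuty incident, so it is worth checking that each request really came from Slack. The following is an added Python example (not part of the Tines workflow) of Slack's documented request-signing scheme: HMAC-SHA256 with the app's signing secret over `v0:<timestamp>:<raw body>`, compared against the `X-Slack-Signature` header, with a freshness check on `X-Slack-Request-Timestamp` to reject replays. The signing secret and request body are constructed values.

```python
"""Verify Slack's request signature on an interactivity webhook.

Added example, not Tines' or the workflow author's code. Implements the
scheme Slack documents for its signing secret; SIGNING_SECRET and
SAMPLE_BODY below are constructed.
"""
import hashlib
import hmac
import time

VERSION = "v0"
MAX_SKEW_SECONDS = 5 * 60   # requests older than this are treated as replays

SIGNING_SECRET = "8f742231b10e8888abcd99yyyzzz85a5"                 # constructed
SAMPLE_BODY = "payload=%7B%22type%22%3A%22block_actions%22%7D"     # constructed


def sign_slack_request(signing_secret: str, timestamp: int, body: str) -> str:
    """Compute the value Slack puts in X-Slack-Signature for this request."""
    base = f"{VERSION}:{timestamp}:{body}".encode()
    digest = hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()
    return f"{VERSION}={digest}"


def verify_slack_request(signing_secret: str, headers: dict, body: str,
                         now: float = None) -> bool:
    """Return True only for a fresh request whose signature matches.

    `body` must be the raw request body exactly as received (re-encoding
    a parsed form changes the bytes and breaks the MAC). `now` is
    injectable so the freshness check can be tested deterministically.
    """
    now = time.time() if now is None else now
    ts = headers.get("X-Slack-Request-Timestamp")
    sig = headers.get("X-Slack-Signature", "")
    if ts is None or not ts.isdigit():
        return False
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False                     # stale or future-dated: possible replay
    expected = sign_slack_request(signing_secret, int(ts), body)
    # Constant-time compare so an attacker cannot learn the MAC byte by byte.
    return hmac.compare_digest(expected, sig)


def make_headers(signing_secret: str, timestamp: int, body: str) -> dict:
    """Build the two headers a genuine Slack request would carry (for demos/tests)."""
    return {
        "X-Slack-Request-Timestamp": str(timestamp),
        "X-Slack-Signature": sign_slack_request(signing_secret, timestamp, body),
    }


if __name__ == "__main__":
    ts = int(time.time())
    hdrs = make_headers(SIGNING_SECRET, ts, SAMPLE_BODY)
    print("genuine:", verify_slack_request(SIGNING_SECRET, hdrs, SAMPLE_BODY))
    print("tampered:", verify_slack_request(SIGNING_SECRET, hdrs, SAMPLE_BODY + "&x=1"))
```

Put this check at the very front of whatever receives the button press, before the payload is parsed, and keep the signing secret in the Tines credential store rather than in the story itself.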

5. Test your workflow.

6. Publish and operate

Once tested, publish your workflow.

If you want to try this workflow, you can sign up for a free Tines account.
