Tines summer release 2019

Written by Eoin Hinchy

On today’s blog, we’re delighted to announce details of the latest and greatest Tines features launched in the Tines Summer 2019 Release. The Tines Summer Release is jam-packed with new features including:

  • Action Templates & Private Templates

  • Improved Searching

  • Time-based Deduplication

  • Emit and Tag Duplicate Events

  • Emit and Tag Non-Matching Trigger Events

  • Asynchronous Event Loading

Existing Cloud tenants always stay on the latest release so Tines Cloud customers do not need to take any action. Tines On-Premise and Kubernetes customers can log in to the Tines customer portal and download the release and installation instructions now.

Action Templates

You asked, we answered! The most exciting feature of the Tines Summer Release 2019 is Action Templates. Tines now has automation templates for nearly 1,000 security actions commonly performed by security teams for the most popular security products.

Sample templates include:

  • Create A New Issue in Jira

  • Isolate a Host in Carbon Black

  • Search for Hash in VirusTotal

  • Disable a User Account in Microsoft Graph

  • Retrieve Email Headers in Outlook

  • Upload an Attachment to Box

  • Search for Details within Tickets in Service Now

  • Create a New Alert in The Hive

  • Upload Samples to the Hybrid Analysis Sandbox

  • Scan a DynamoDB Table

  • Retrieve Analysis Results from App.Any.Run

It’s important to note that Tines integrates automatically with any tool in your stack with any API, regardless of the templates that exist. Templates help jump-start automation Stories but are just that: a springboard on which you can begin automating all your manual workflows!

To view all available templates now, simply create a new Action within Tines. You will be presented with a list of hundreds of automatically generated templates that can be filtered by vendor, Action type, and privacy level. You can also search on the right-hand side for specific terms like “Carbon Black” or “MD5”.

Users can still build Actions from scratch using the “Start with a Blank Action” tab.

Got a suggestion for Action templates that we’re missing? Email hello@tines.io and we’ll add them in right away!

Private Templates

In addition to the thousand public templates that are now available, Tines has also enabled “Private Templates”. If you have a private API that you use internally, or if you have custom fields and configurations for your own tools (like Jira, Splunk, AWS, etc.) you can create your own Private Action Templates within Tines. These templates are viewable to everyone within your company and can be shared among all your Tines production and test tenants.

Creating Private Templates

To create a Private Template, find an Action that you have saved, and in the Action Menu click “Create Template”. (Note, only Tines admins are able to create Private Templates).

Fill in the appropriate details in the “Create a New Action Template” page.

Your template will then be visible in the “Manage Templates” page in the Admin Tab in your Tines tenant.

In addition, you will be able to choose this template from within the “Create New Action” templates page.

You can also view all your Private Action Templates using the Visibility: “Private” filter on the left-hand side of the Action Template search page.

Retry on Status Failure in HTTP Request Actions

When trying to automate manual processes using Tines, custom scripts, or any automation platform, customers often run into a stumbling block: when an action fails or is interrupted (e.g. when a site is down, or when the receiving server returns an error or rate limits the script), the entire automation flow fails. Common causes are rate limits on the server or a simple network blip. When an error occurs in an automation Story or in a script it can be tough to detect, and in some cases the entire automation flow stops.

To tackle this problem in Tines you can now add an optional flag to every HTTP Request action called “fail_on_status”. With this flag enabled, if Tines receives a non-2xx HTTP response code when an action runs, it will re-run the action up to 40 times with an exponential back-off over a 30-day period until it receives a 2xx HTTP response code. Now when Jira is down, or when VirusTotal returns a 429 rate limit response code, Tines will automatically re-run the action with the same incoming event. Your Tines automation Story will then continue as soon as the service is back up. A sample configuration is below:

{
  "url": "https://urlscan.io/api/v1/scan/",
  "content_type": "json",
  "method": "post",
  "payload": {
    "url": "https://tines.io/",
    "public": "on"
  },
  "headers": {
    "API-Key": "{% credential urlscan_io %}"
  },
  "fail_on_status": "1",
  "expected_update_period_in_days": "1"
}

Improved Search

We’re delighted to announce that the Summer Release includes a much-improved search interface within Tines. The search bar in the top right-hand corner will now search and return results for Stories, Actions, and Credentials. It performs a full-text search within Action configurations too, so you can find all Actions which reference a particular hostname or use a particular command. Try it out now in your own tenant!

Time-Based Deduplication

One of the most frequent causes of fatigue in information security teams is alert overload. That’s why in Tines we have a “deduplication” mode within Event Transformation Actions – to suppress noisy alerts and prevent analysts from having to repeat the same work over and over again.

In Tines, we recognize that you often need to suppress events for a set period rather than just ignoring all duplicate events. If an alert fires, you may want to suppress that same alert for another 24 hours, or simply not see it for another 100 events, or ever again. As a result, we have enhanced the deduplication mode in the Event Transformation Action: you can now deduplicate based on a time period, or based on a look back through previously emitted events.

  • A time-based deduplication analyzes each event that is received for uniqueness, and subsequent matching events will not be emitted until this time period has elapsed. A sample time-based deduplication is below.

{
  "mode": "deduplicate",
  "period": "86400",
  "path": "{{.id}}"
}

  • A lookback deduplication will examine the previous X events for uniqueness, regardless of when the events happened. It takes a “lookback” parameter: the number of previous events Tines stores and checks against for uniqueness.

{
  "mode": "deduplicate",
  "lookback": "100",
  "path": "{{.person.name}}"
}

Emit Duplicate and Emit on No Match

Emit Duplicates in Event Transformation Actions

A complementary feature launched along with Time Based Deduplication is an emit_duplicate flag for deduplication events and an emit_no_match for Trigger events.

When the emit_duplicate flag is set to “true” in deduplication mode, duplicate events are emitted by the Event Transformation Action. Duplicate events carry the value “unique_event”: “false” in the emitted event, while non-duplicate events carry “unique_event”: “true”. Using this flag, users can create more complex Stories, e.g. adding details of duplicate events to existing tickets, creating lower-priority duplicate alerts, or taking a lower-risk action based on the fact that it is a duplicate event.

Emit on No Match in Trigger Actions

Similar to the “Emit Duplicate” flag, the emit_no_match flag is also available within trigger Actions. Events that do not match the trigger Action’s rules can now be emitted but will have the field “rule_matched” value set to ‘false’. Events that match the rule will have the “rule_matched” value set to ‘true’. This new feature allows users to build and maintain a set of Trigger rules within one Action.

A sample configuration for a trigger Action with emit_no_match set to true is below.

{
  "rules": [
    {
      "type": "regex",
      "path": "{{.individual_url}}",
      "value": "tines.io"
    }
  ],
  "emit_no_match": "true"
}
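To make the deduplication and emit-flag semantics above concrete, here is a small stand-alone model of the time-based and lookback deduplicate modes, the emit_duplicate flag, and a trigger Action with emit_no_match. It is an added illustration written for this post, not Tines' own code: the dotted-path lookup, the "all rules must match" behaviour, and counting every received event toward the lookback window are assumptions.

```python
# Added model of the deduplicate modes and emit flags described on this page.
# Illustrative code, not Tines' implementation; path lookup and the
# all-rules-must-match behaviour are assumptions.
import re
from collections import deque

def get_path(event, path):
    """Resolve a '{{.person.name}}' style path against a dict event (assumed semantics)."""
    for part in path.strip("{} .").split("."):
        event = event.get(part) if isinstance(event, dict) else None
    return event

class Deduplicator:
    """"mode": "deduplicate" keyed by "path", with "period" (seconds) or "lookback" (events)."""
    def __init__(self, config):
        self.path = config["path"]
        self.period = int(config["period"]) if "period" in config else None
        self.lookback = int(config["lookback"]) if "lookback" in config else None
        self.emit_duplicate = config.get("emit_duplicate") == "true"
        self.last_emitted = {}  # key -> time the key was last emitted as unique
        self.recent = deque(maxlen=self.lookback or 1)  # keys of the previous N events

    def receive(self, event, now=0):
        """Return the emitted event tagged with unique_event, or None if suppressed."""
        key = get_path(event, self.path)
        if self.period is not None:
            # time-based: a key counts as unique again once "period" seconds have elapsed
            unique = key not in self.last_emitted or now - self.last_emitted[key] >= self.period
            if unique:
                self.last_emitted[key] = now
        else:
            # lookback: unique unless the key appears among the previous N events (assumption:
            # every received event, duplicate or not, occupies a slot in the window)
            unique = key not in self.recent
            self.recent.append(key)
        if unique or self.emit_duplicate:
            return dict(event, unique_event=unique)
        return None

class Trigger:
    """Trigger Action with regex rules and the emit_no_match flag."""
    def __init__(self, config):
        self.rules = config["rules"]
        self.emit_no_match = config.get("emit_no_match") == "true"

    def receive(self, event):
        """Return the event tagged with rule_matched, or None if it is dropped."""
        matched = all(re.search(r["value"], str(get_path(event, r["path"]) or ""))
                      for r in self.rules if r["type"] == "regex")
        if matched or self.emit_no_match:
            return dict(event, rule_matched=matched)
        return None
```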

Asynchronous Event Loading

The last major feature of the Summer Release is an under-the-hood user experience improvement. When using Tines to automate AWS workflows, collect logs, analyze malware, and other common use cases, some events in Tines can become extremely large. Previewing these Events within Tines is now much faster thanks to our new Asynchronous Event Loading feature. Tines will now only show the event data that the user wants to see. Expanding the JSON in the View Events page will then dynamically pull back the relevant data from the Tines database. Asynchronous Event Loading allows users to quickly preview the relevant section of the event, without waiting for the entire event to be downloaded. Each event should now take just fractions of a second to load, making for a more seamless user experience.

That’s all for this year’s Summer Release. To get on the beta to test new features as they are being developed, simply talk to your Tines account manager.

*Please note we recently updated our terminology. Our "agents" are now known as "Actions," but some visuals might not reflect this.*
