Overview
Tines exists to empower people to automate work without needing coding knowledge. With our completely private and secure AI model built into Tines, it is easier than ever to build, run, and monitor your most important workflows.
This guide covers the AI Agent action, an evolution of our original AI action type, which allows users to build and deploy workflows that can autonomously think and perform tasks on behalf of the user. It supports two modes of operation, task and chat, enabling both behind-the-scenes automation and interactive user experiences.
In this training, you will build out an agentic malware detection use case that will handle different alerts. You will learn how to:
Set up credentials
Set up prompts and system instructions
Configure an AI agent in task mode to handle alert enrichment
Use templates to enrich threats from SentinelOne and VirusTotal
Create custom tools for email notifications
Manage Tines Cases through templates
Configure an AI agent in chat mode for analyst communication
Use templates to disconnect agents in SentinelOne
Update Tines Cases based on analyst decisions
AI Agents in Tines
Agents can be powerful tools in automation. One thing Tines focuses on is integrating AI thoughtfully into your workflows in a way that maintains security, adheres to privacy concerns, and reduces muckwork. You determine where and how the agents interact with your data and workflows.
Just like our templates feature, you can connect the tools to your desired credentials. The agent will not attempt to access any stories, tools, or credentials outside what is specified in its configuration.
Let the building begin
Now that we've covered the fundamentals, let's explore how AI Agent actions can autonomously handle malware detections. We'll use a dual-agent approach: a task mode agent will automatically extract, enrich, and analyze incoming alerts, while a chat mode agent will enable human analysts to review findings and approve remediation actions before execution.
Set up your credential
If you have already configured a bootcamp_api credential, you can skip to the next section. Otherwise, follow these steps to build your credential.
Callout: Tines offers several different credential types and authentication guides for many tools. Credentials are encrypted and can be used across multiple stories for secure and easy management.
Create a new credential by clicking anywhere on the storyboard to bring up the story menu on the right pane. Find the “Credentials” section.
Note that your story will alert you of a missing credential. Hover over bootcamp_api and click on "Connect" that is shown to the right.
Click “+ Create credential” at the bottom of the modal that pops up, and then select “Text”.
Leave the name as bootcamp_api and for the value, type “secret_api_key”.
Scroll down in the credential builder and find "URLs and Domains" under the "Additional Configurations". Type in toolkit.tines.com.
Click "Save".
Looking at the data
There should be one action in your story labeled "Get New Threats from SentinelOne". Click on the action and then click "Run" in the action toolbar. There will be a new event generated. Click on the event indicator on the action or hit "Events" in the action toolbar.
In the events viewer, note that there is a lot of data in a JSON structure within this alert. The AI Agent action can help parse all this data and take action.
Configuring task mode
Drag and drop an AI Agent action from the lefthand side and select "Task" for the mode and then rename it "Enrichment Agent". Task mode supports invoking a large language model either in a simple one-shot fashion (prompt → response) or as an autonomous agent that can use tools to complete tasks. When tools are attached, the model engages in a self-directed reasoning loop, invoking tools as needed until a solution is reached.
The first step is adding the "System instructions", which are the guidelines, rules, and constraints the AI model should follow to give the agent a more defined role. Copy the text in the note within the story and paste it into the "System Instructions" input on the right.
The next step is adding the "Prompt", which is the task the action should perform during this run, including any data it should use. Copy the text in the note within the story and paste it into the "Prompt" input on the right. Like any other action in Tines, you can reference upstream data using a value pill as shown in the alert data within the prompt - get_new_threats_from_sentinelone.body.data.
Adding tools to the action
To allow the agent to take action, tools need to be added. There are four different categories of tools. Tines provides pre-built public templates for popular products that can be used as tools. A tool can also be a Tines Story, using Send to Story, which lets the AI agent action pass data into another story as input. There are custom tools which are grouped sets of actions scoped to the individual story, keeping everything under a single change control scope. Lastly, you can also connect to remote MCP servers as tools.
First, connect the AI Agent action to the action above labeled "Get New Threats from SentinelOne". Next, click on the tool in the AI Agent action on the storyboard or within the panel to configure it. For the bootcamp, the templates will be under the product "Tines Bootcamp". Once selected, there are two templates that will be used for enriching the alert:
"Get File from SentinelOne"
"Get File Report in VirusTotal"
💡Note
Once added, you will notice an orange icon with a link in it. This means that they require a credential before they can be used by the AI Agent action. Click on one of the actions to add the credential.
Click on "Not connected" at the top right and select bootcamp_api. Repeat the same steps for the second template.
Each of these templates has specific inputs and descriptions that give the AI Agent action context on how to use the tool.
Using Tines cases
In addition to enabling the AI Agent to extract info and enrich IOCs, it should also be able to create a case and add case notes for any relevant data. This will involve creating another credential, a Tines API key, in order to call the Tines cases API.
You should see two Tines cases templates off to the side:
“Create a case”
“Add a case note”
We are going to first create the credential and then drag and drop those into our AI Agent.
Looking at the right panel for the story level configuration details, under “Credentials”, click the “Connect” button next to “Tines”. This will open up a modal to select a credential. You should select “New connection” and walk through the Tines connect flow.
Select the “Personal” API key type, meaning that the API key will inherit your personal user’s permissions. You should select personal for the API key, assuming your role in your tenant has permissions to create cases. See more here.
Name the credential Tines Cases API and click “Save”. Now drag each action towards the AI Agent action until you see “Add a tool” pop up and drop onto the action.
Create a custom tool
As part of the automation, once the agent completes the enrichment, it should send an email. This email will contain a summary of the enrichment actions and output as well as a link to an AI Agent action in chat mode.
Before configuring that, the Enrichment Agent needs the capability to send the email and because there is no template for this, a custom tool is needed.
Click “+Add tool” and then “Custom tool” at the bottom. This will open up a group of actions, known as a custom tool, with an Input and an Output action. On the righthand side, change the name to “Send Email”.
Adding as much context as possible here helps the AI Agent action know when and how to use this tool. Add a description: “Sends an email to the analyst with data from case”. Next, remove the single input labeled “Payload” by clicking the “-”. Add two new inputs of type “text”, one labeled “Subject” and the other labeled “Body”, for the email subject and body. Mark both as required. You can also add descriptions for these inputs.
Drag a “Send Email” action and place it in between those actions and connect it. Click on the “Send Email” action to configure the settings, leaving everything as is except for the “Subject” and “Body”. This is where the upstream data from the inputs will be referenced with input.subject and input.body using value pills. You can create a value pill by clicking the “+” button and selecting “value”.
The last step will be to configure a message to send back to the AI Agent within the “Output” action. For the value of the key “message” within the payload, delete the existing text and put “Email sent successfully”.
Enabling chat mode
Now that the Enrichment Agent is configured to handle the initial threat analysis, it's time to set up an interactive chat interface that allows analysts to communicate with an AI agent and take further action on the alert.
Drag and drop another AI Agent action from the lefthand side, but this time select "Chat" for the mode. Rename this action "Analyst Chat Agent". Chat mode creates an interactive conversational interface similar to Tines Pages, where users can engage in back-and-forth dialogue with the agent to complete tasks.
Just like with the task mode agent, start by adding "System instructions" that define the agent's role and behavior. Copy the text from the corresponding note in the story and paste it into the "System Instructions" input.
Next, configure the "Initial message" that will greet the analyst when they open the chat interface. This message should provide context about the alert and guide the analyst on how to interact with the agent. In the "Initial message" field, add a value pill to reference the output from the Enrichment Agent: enrichment_agent.output. This ensures the analyst sees a summary of the enrichment findings when they first open the chat.
💡Note
You can also specify a timeout for the chat session if needed, which will automatically close the chat after a period of inactivity.
Add tools for the chat agent
The chat agent needs tools to perform actions based on analyst requests. Start by adding templates for SentinelOne operations.
Click "+Add tool" and select "Template". Under the product "Tines Bootcamp", add the following templates:
"Get Agent from SentinelOne"
"Disconnect Agent from Network in SentinelOne"
Connect the bootcamp_api credential to both templates by clicking on each tool and selecting "Not connected" at the top right, then choosing bootcamp_api.
These tools will allow the chat agent to retrieve information about specific endpoints and disconnect them from the network if the analyst determines the threat is malicious.
Next, add tools that allow the agent to interact with Tines Cases for documentation and tracking.
Click "+Add tool" and select "Template". Under the product "Cases", add the following templates:
"Get a case"
"Add a case note"
"Get a case note"
"Update a case"
These case actions will use the Tines Cases API credential that you created previously.
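The split built in this guide, where the unattended task agent only enriches and the chat agent holds the containment tool, can be written down as a least-privilege check. This is an added example, not part of the Tines guide or product: the inventory format, the audit function, and the REMEDIATION and CASE_RECORD sets are assumptions made for illustration, and the sample data is constructed from the tool names above.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumptions (not Tines settings): which tool changes endpoint state, and
# which tools count as recording the analyst's decision on the case.
REMEDIATION = {"Disconnect Agent from Network in SentinelOne"}
CASE_RECORD = {"Add a case note", "Update a case"}

@dataclass
class Tool:
    name: str
    kind: str                  # "template" or "custom"
    credential: Optional[str]  # None models the "Not connected" state

@dataclass
class Agent:
    name: str
    mode: str                  # "task" (unattended) or "chat" (analyst present)
    tools: List[Tool] = field(default_factory=list)

def audit(agents):
    """Return (agent, tool, finding) tuples for a hypothetical agent inventory."""
    findings = []
    for agent in agents:
        names = {tool.name for tool in agent.tools}
        for tool in agent.tools:
            if tool.kind == "template" and tool.credential is None:
                findings.append((agent.name, tool.name, "template has no credential"))
            if tool.name in REMEDIATION and agent.mode != "chat":
                findings.append((agent.name, tool.name, "remediation without analyst"))
        if (names & REMEDIATION) and not (names & CASE_RECORD):
            findings.append((agent.name, "-", "remediation with no case record tool"))
    return findings

def mk(name, cred="bootcamp_api", kind="template"):
    return Tool(name, kind, cred)

# Constructed inventory mirroring the tools this guide attaches to each agent.
ENRICHMENT = Agent("Enrichment Agent", "task", [
    mk("Get File from SentinelOne"), mk("Get File Report in VirusTotal"),
    mk("Create a case", "Tines Cases API"), mk("Add a case note", "Tines Cases API"),
    mk("Send Email", None, "custom")])
CHAT = Agent("Analyst Chat Agent", "chat", [
    mk("Get Agent from SentinelOne"), mk("Disconnect Agent from Network in SentinelOne"),
    mk("Get a case", "Tines Cases API"), mk("Add a case note", "Tines Cases API"),
    mk("Get a case note", "Tines Cases API"), mk("Update a case", "Tines Cases API")])
# Constructed misconfiguration: containment moved onto the unattended agent,
# with its template left unconnected.
DRIFTED = Agent("Enrichment Agent", "task", ENRICHMENT.tools + [
    mk("Disconnect Agent from Network in SentinelOne", None)])
```

The configuration as built in this guide produces no findings, while the drifted variant is flagged twice for the same tool.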
Testing the enrichment workflow
Now it's time to test the complete workflow. Navigate back to the "Get New Threats from SentinelOne" action and click "Re-emit" to send the data through the workflow again.
Click on the "Enrichment Agent" action and open the events viewer to observe what's happening. You'll notice:
Events show as "completed" vs "in progress"
The conversation unfolds similar to Workbench, with each interaction showing tokens (units of text parsed and analyzed by the LLM) and credits used for each cycle and tool use
The agent dynamically creates case notes based on its analysis and the prompts provided
Watch as the agent autonomously retrieves a file from SentinelOne, enriches it using VirusTotal, creates a case and sends an email with a summary and link to the chat.
Interacting with the chat agent
Open the email that was sent by the Enrichment Agent. Note that the email content will vary slightly each time due to the AI's natural language generation. The email is nicely formatted with a clear summary of findings as well as clickable buttons to view the case and open the agent chat.
Click on the "Agent Chat" link to open the interactive chat interface. You'll see the initial message displaying the enrichment summary from the Enrichment Agent's output.
Now you can interact with the agent as an analyst would. Try the following conversation:
Type: based on the info, this appears benign - continue with a false positive report
Watch as the agent uses its tools to update the case with appropriate notes and status.
When you're done, type: close the chat.
Navigate back to the events viewer for the Analyst Chat Agent to see the full conversation history and tool usage.
Testing with different data sources
To demonstrate the flexibility of AI agents to handle data in any format from any source, let's add another data source to the workflow.
There should already be another HTTP request labeled “Get Open Issues in Wiz”. Connect this to the Enrichment Agent and click “Run”. This time, observe how the agent:
Skips the "Get File" step if the data is already present in the alert (like with Wiz data)
Knows not to query SentinelOne unnecessarily
Adapts its analysis based on the data source
💡Note
Look at the completed events and examine the raw JSON to see the full conversation flow and tool invocations.
Handling a malicious threat in chat
Open the chat interface for the malicious threat scenario.
Type: uh oh, that looks pretty bad - disconnect the agent!
Watch as the agent uses the tools to retrieve the SentinelOne agent information by ID and disconnect the agent from the network.
💡Note
When you're finished, type: end chat.
Congratulations on building your first agentic story!
Wrap up
In this training, you learned how to build an autonomous malware detection workflow using AI Agent actions in Tines. Specifically, you covered:
Credentials: Create and configure secure, reusable credentials (like bootcamp_api) that connect to templates and tools
AI Agent modes: Set up agents in task mode (autonomous reasoning with system instructions) or chat mode (interactive conversations with analysts)
Tools: Use pre-built templates from the Tines library, and create custom tools for specific functionality
Context and prompts: Write clear descriptions, structure prompts with upstream data references, and document actions through case notes
The AI Agent action empowers you to build sophisticated automation that can think, reason, and act autonomously while maintaining the security and control that Tines is known for. As you continue to explore this capability, consider how you can apply these patterns to other use cases in your organization, from incident response to compliance workflows and beyond.
More resources
Discover more use cases and pre-built stories in our Library.
Come talk to us on our Community Slack by signing up here.
Check out more of our learning content in the Tines University.
Take the next step and get certified for no cost here.
Want to talk more? You can book a demo with our team on our Pricing Page.
