Overview
Tines exists to empower people to automate work with no coding knowledge required. The goal of this bootcamp is to introduce new users to some of the core concepts of Tines by creating a simple alert ingest story. By the end, you should be comfortable enough to build your own story from scratch and have an understanding of how you can save time by automating your manual workflows. The end result will be a story that will simulate getting alerts from a SIEM to analyze, enrich, and then create tickets with the formatted data.
In this training, you will:
Get a list of new alerts
Configure event transform actions to:
Deduplicate events
Format data with formulas
Explode an array of alerts
Build an HTML template with the results
Enrich the IP addresses
Use AI to summarize the alert
Send an email or create a Jira ticket based on severity
The Tines touch on AI
We love AI at Tines. Large Language Models are among the biggest innovations in the past several decades. We know AI will enable our customers to reach new heights in their building, and enable more builders than ever before. However, we also know that any AI features must be private and secure to meet the high standards that our customers have learned to expect from us.
Therefore, AI in Tines runs entirely within our infrastructure, scoped only to your individual tenant. Data never touches the Internet, is never logged, and is never used for training. Our customers get all of the power of top tier LLMs, without any exposure of their critical data. You can read more at Tines Explained.
Set up your credential
Before we can call out to any tools to get data, we need to first create a credential to authenticate the requests. Create a new credential by clicking anywhere on the storyboard to bring up the story menu on the right panel. Find the “Credentials” section and click the “+” button to add a new credential.
💡Note
Note that all HTTP request actions will use this credential for ease of use as all of the data in the bootcamp is simulated and not calling out to any real tools.
Click the “Text” type credential. The name will be bootcamp_api and the value will be “secret_api_key”.
Scroll down in the credential builder, find “Domains” under “Additional Configurations”, and type in “toolkit.tines.com”.
Click “Save”.
Get new alerts
To kickoff the story, we will call out to a SIEM to gather new alerts. Go to the template library on the left and click on the search bar. Search for “Tines Bootcamp.” Click and drag the Tines Bootcamp template onto the storyboard.
On the right, you will see all of the possible actions under “Tines Bootcamp” as the tool name. Select “Get New Alerts”.
Templates are preconfigured HTTP request actions. While the action is selected, the right panel is now the action menu, which contains the action configuration, status, and logs.
Run the action by clicking the “Run” button in the menu beneath the action.
Inspect the resulting event by clicking on “Events” in the menu beneath the action. Expand the data by clicking {...} to open each object.
Close the event panel for now by clicking the "X" in the top right of the panel.
Fun with formulas
Formulas is Tines’s constantly growing built-in language. It is a spreadsheet-style format with dozens of functions that you can use to manipulate data in Tines. When building a function, an inline helper shows the documentation for the function you are using.
You can browse all of the current functions, with live example actions in our documentation at https://www.tines.com/docs/formulas/functions.
Copy the following code and paste it on to your storyboard beneath the “Get New Alerts” action. Connect the actions together by dragging the arrow from “Get New Alerts” into the top of “Formulas Examples” to get a look at a few of our top used functions.
{"standardLibVersion":"83","actionRuntimeVersion":"35","agents":[{"disabled":false,"name":"Formulas Examples","description":null,"options":"{\"mode\":\"message_only\",\"loop\":false,\"payload\":{\"size_of_array\":\"=SIZE(get_new_alerts.body.alerts)\",\"map_ip\":\"=MAP(get_new_alerts.body.alerts, \\\"ip_address\\\")\",\"where\":\"=WHERE(get_new_alerts.body.alerts, \\\"severity\\\", \\\"high\\\")\",\"piped_statement\":\"=MAP(get_new_alerts.body.alerts, \\\"severity\\\") |> INCLUDES(%,\\\"low\\\")\",\"nested_statement\":\"=INCLUDES(MAP(get_new_alerts.body.alerts, \\\"severity\\\"), \\\"low\\\")\"}}","position":{"x":2535,"y":15},"type":"eventTransformation","timeSavedUnit":"minutes","timeSavedValue":0,"monitorAllEvents":false,"monitorFailures":false,"monitorNoEventsEmitted":null,"caseConfiguration":{"subStatus":null,"tags":[]},"recordType":null,"recordWriters":[],"form":null,"createdFromTemplateGuid":null,"createdFromTemplateVersion":null,"templateTags":[],"originStoryIdentifier":"cloud:3afcecf8d447a6289bdd4804286c9c86:b7a3a2dcf112236438e3c92eb6fed553"}],"links":[],"diagramNotes":[]}
For each example, click into the value pill on the right side to view the function and the helper text. You can also see a preview of the result in the bottom right of the pill builder.
Below are brief descriptions of each of the functions shown here.
SIZE
- Returns the number of letters in a string, or items in an array.
MAP
- Creates an array by extracting the values of a chosen property from an array of objects.
WHERE
- Selects all the elements in an array where the key has the given value.
Advanced building with formulas
Depending on the complexity of the data you are working with, you may need to use multiple functions. There are a few native features that make this easy.
Piped format - You can pass the output of one function to the input of another by using the operator |> between your functions and using % to reference the output of the function to the left of the operator.
Nested format - You can nest functions to use the output of a function as the input to another function, as shown in the nested_statement example.
Advanced Mode - If you are comfortable building and would like more of a code editor experience, you can click on the slider in the top right of the pill builder to enter “Advanced mode”. This also allows you to highlight specific functions to see the output in steps, as shown in the following gif:
To return to the normal builder mode, simply click the slider again.
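To make the piped and nested forms concrete, here is an added Python example (not Tines code, and not Tines's implementation of these functions) that defines simplified stand-ins for SIZE, MAP, WHERE and INCLUDES, a small pipe helper modelling the |> operator with % as the intermediate value, and runs them over a constructed alert list shaped like get_new_alerts.body.alerts. The function bodies and the sample data are this example's own assumptions.

```python
# Added example (not Tines code): plain-Python stand-ins for the formula
# functions used in the "Formulas Examples" action, so the piped and nested
# forms can be compared on the same data. Names mirror the Tines functions;
# the bodies are this example's own simplified definitions.

# Constructed sample shaped like get_new_alerts.body.alerts (not real SIEM output).
ALERTS = [
    {"user": "alice@example.com", "ip_address": "203.0.113.10", "severity": "high"},
    {"user": "bob@example.com", "ip_address": "198.51.100.7", "severity": "low"},
    {"user": "carol@example.com", "ip_address": "192.0.2.44", "severity": "medium"},
]


def SIZE(value):
    """Number of characters in a string, or items in an array."""
    return len(value)


def MAP(array, key):
    """Array of one property taken from each object in the array."""
    return [item.get(key) for item in array]


def WHERE(array, key, value):
    """Objects in the array whose `key` equals `value`."""
    return [item for item in array if item.get(key) == value]


def INCLUDES(array, value):
    """True when `value` is an element of the array."""
    return value in array


def pipe(value, *stages):
    """Model of the |> operator: each stage receives the previous result as %."""
    for stage in stages:
        value = stage(value)
    return value


def piped_statement(alerts):
    """Equivalent of: =MAP(alerts, "severity") |> INCLUDES(%, "low")"""
    return pipe(MAP(alerts, "severity"), lambda pct: INCLUDES(pct, "low"))


def nested_statement(alerts):
    """Equivalent of: =INCLUDES(MAP(alerts, "severity"), "low")"""
    return INCLUDES(MAP(alerts, "severity"), "low")


def formulas_examples(alerts):
    """Same keys as the payload of the pasted "Formulas Examples" action."""
    return {
        "size_of_array": SIZE(alerts),
        "map_ip": MAP(alerts, "ip_address"),
        "where": WHERE(alerts, "severity", "high"),
        "piped_statement": piped_statement(alerts),
        "nested_statement": nested_statement(alerts),
    }


if __name__ == "__main__":
    for name, value in formulas_examples(ALERTS).items():
        print(f"{name}: {value}")
```

The piped and nested statements return the same value; the piped form reads left to right, which is easier to follow once three or more functions are chained.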
Clean up
Delete the “Formulas Examples” action. Now that you are an expert in formulas, you can get back to building the story.
You can either highlight the action and press “Delete” or “Backspace” on your keyboard or you can click the trash icon on the context menu below the action.
Exploding an array
There are several alerts in your list, and each one needs to follow its own branch in the story. To do this you will use an event transform action in “Explode” mode. This mode takes an array and emits an event for each element in the array, allowing the events to be processed individually in the story.
Drag an event transform action onto the storyboard below the “Get New Alerts” action and connect the actions together.
Name the new event transform action “Explode Alerts”.
Click the drop down menu under “Mode” on the right pane and select “Explode”.
Set the “path” for your explode action to get_new_alerts.body.alerts by clicking on the pill titled your_path in the right pane and selecting get_new_alerts.body.alerts from the list in the pill builder.
Note the “To” field is automatically set to individual_item. This will be the name of the object in the event that gets emitted from the action.
Click “Run” underneath the action on the toolbar and then select the previous upstream event. This allows for the upstream event to be re-emitted to be processed by downstream actions.
Investigate the output of the “Explode Alerts” action by clicking on “events”. You can check each event by clicking on them on the left side of the events pane.
The alert generated by Thomas Kinsella is listed twice! Incoming data is never perfect, so you will need to work around duplicates in the story.
You could use a UNIQ() function in the path field to only explode unique elements from the array. However, that would only catch duplicates in the array each time the story runs. Luckily, there is another feature for that.
Deduplicating events
To deduplicate events across multiple story runs, you will use an event transform action in deduplicate mode. This will prevent the processing of the same alert twice.
Drag on another event transform action beneath the “Explode Alerts” action, set the “Mode” to “Deduplicate” and then connect it to the “Explode Alerts” action.
Name the new action “Deduplicate” and set the “path” to the output of your explode array action, in this case: explode_alerts.individual_item.
Your deduplicate action should look as follows:
The “Lookback” period in the deduplicate action defines how many past events to inspect for uniqueness. If the incoming event is not unique, it will not be emitted.
You could also set a time period on your deduplicate by clicking the + Option button at the bottom of the configuration pane and selecting “Period”. This means the action will not emit duplicate events within the configured window of time.
Enriching the IP address
Each alert has an IP address that needs to be enriched to add further context to a ticket.
This time, to create the action, you will use another built-in Tines feature called “Curl2Tines”. If you have a working cURL command, copy and paste it directly onto your storyboard, and an HTTP request action will automatically be generated. This is extremely helpful when working with tools that have cURL examples in their API documentation!
Try it with this command here:
curl -X GET 'https://toolkit.tines.com/api/public/searchforIPinAbuseIPDB' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <<CREDENTIAL.bootcamp_api>>' \
-G \
--data-urlencode 'ipAddress=<<explode_alerts.individual_item.ip_address>>'
Copy the code here and paste it onto your storyboard.
You should now have an action called "Request to toolkit.tines.com".
Connect to the story by hovering your mouse over “Deduplicate” and dragging the arrow down onto the new action.
Click on your new action and change the name to “Search for IP Address in Abuse IPDB.”
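To show what Curl2Tines has to recover from a command like the one above, here is an added Python example (not Tines code and not the Curl2Tines implementation): a small parser for the subset of cURL options in that command (-X, -H, -G, --data-urlencode), plus a render step that substitutes <<pill>> references and builds the final URL. It also shows why the -G / --data-urlencode pairing matters: the credential stays in the Authorization header rather than the URL, and the IP value is percent-encoded, so a malformed field value cannot add extra query parameters. The parser's option handling and the substitution values are this example's own assumptions.

```python
# Added example (not Tines code, not the Curl2Tines implementation): parse the
# bootcamp's cURL command into method, URL, headers and query parameters,
# then render the <<pill>> references the way a run would substitute them.
import re
import shlex
from urllib.parse import urlencode, urlsplit, urlunsplit

# The command from the bootcamp, exactly as pasted onto the storyboard.
CURL_EXAMPLE = r"""curl -X GET 'https://toolkit.tines.com/api/public/searchforIPinAbuseIPDB' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <<CREDENTIAL.bootcamp_api>>' \
-G \
--data-urlencode 'ipAddress=<<explode_alerts.individual_item.ip_address>>'"""

PILL = re.compile(r"<<([^>]+)>>")  # matches <<path.to.value>>


def parse_curl(command):
    """Parse the subset of cURL options used above: -X, -H, -G, --data-urlencode.
    Returns a dict with method, url, headers and a list of (name, value) query pairs."""
    tokens = shlex.split(command.replace("\\\n", " "))  # join continuation lines
    if not tokens or tokens[0] != "curl":
        raise ValueError("not a curl command")
    req = {"method": None, "url": None, "headers": {}, "query": []}
    data, use_get = [], False
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-X", "--request"):
            req["method"] = tokens[i + 1].upper()
            i += 2
        elif tok in ("-H", "--header"):
            name, _, value = tokens[i + 1].partition(":")
            req["headers"][name.strip()] = value.strip()
            i += 2
        elif tok in ("-G", "--get"):
            use_get = True
            i += 1
        elif tok == "--data-urlencode":
            name, _, value = tokens[i + 1].partition("=")
            data.append((name, value))
            i += 2
        elif tok.startswith("-"):
            raise ValueError(f"unsupported curl option in this example: {tok}")
        else:
            req["url"] = tok
            i += 1
    if req["url"] is None:
        raise ValueError("no URL found")
    if not use_get and data:
        raise ValueError("this example only handles --data-urlencode together with -G")
    req["query"] = data
    req["method"] = req["method"] or "GET"
    return req


def render(req, values):
    """Substitute <<pill>> references from `values` (assumed run-time data) and
    build the final URL. Query values are percent-encoded, as --data-urlencode
    does, so a value containing '&' or '=' cannot smuggle in extra parameters."""
    def sub(text):
        return PILL.sub(lambda m: str(values[m.group(1)]), text)

    headers = {k: sub(v) for k, v in req["headers"].items()}
    query = [(k, sub(v)) for k, v in req["query"]]
    parts = urlsplit(req["url"])
    qs = urlencode(query)
    if parts.query:
        qs = parts.query + "&" + qs
    return {"method": req["method"], "url": urlunsplit(parts._replace(query=qs)),
            "headers": headers}


if __name__ == "__main__":
    req = parse_curl(CURL_EXAMPLE)
    # Constructed run-time values for the two pills in the command.
    out = render(req, {"CREDENTIAL.bootcamp_api": "secret_api_key",
                       "explode_alerts.individual_item.ip_address": "203.0.113.10"})
    print(out["method"], out["url"])
    print(out["headers"])
```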
Setting up the AI action
Tap directly into the power of LLMs as an action in your story. Here, you can use AI to summarize bulky alerts, enrich incoming information, make logical decisions based on your instructions, and much more.
Select an AI action from the left and put it under the “Search for IP Address in Abuse IPDB” action and connect the two actions. Rename the action, “Analyze Alert”.
The next step is to provide a prompt with the input data configured. The goal is to use AI to summarize the incoming alert and IP data for a ticket, including a risk score and remediation steps. Copy and paste the below code into the “Prompt” input.
Alert data:
<<explode_alerts.individual_item>>
IP enrichment data:
<<search_for_ip_address_in_abuse_ipdb.body.data>>
Act as an expert cybersecurity engineer analyzing the following alert and the IP enrichment data. Create a title and a summary of the alert details for a ticket. The title should include the user email. The summary should be 2-3 sentences and include recommended actions and a risk rating from 0-10.
The output should include alert_data, ip_data, alert_title, and alert_summary.
Lastly, make sure that “JSON mode” is on by clicking the slider. This ensures that the AI action will provide the output in JSON instead of just plain text.
Configuring a trigger
Depending on the severity of the alert, the downstream action will either be to email a user or to create a Jira ticket. Select a “Trigger” action from the left onto the storyboard and connect it to the “Analyze Alert” action. Rename the action “Alert Severity is High”.
Next, click on the somekey.subkey.subkey.goal pill to edit it. Set this path to explode_alerts.individual_item.severity.
Click on the field currently set to foo and change this value to high.
Your rule should look as follows:
If the rule matches, the alert severity is high and a user should be emailed. If the rule does not match, meaning the severity is medium or low, a Jira ticket is created instead.
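Because the “Analyze Alert” output feeds the ticket and email steps, it is worth checking that JSON mode actually returned the four fields the prompt asked for before routing on severity. The following added Python example (not Tines code) does both: it validates a constructed stand-in for the JSON-mode output against the alert_data, ip_data, alert_title and alert_summary keys, then applies the trigger rule on explode_alerts.individual_item.severity to pick the “match” (email) or “no match” (Jira) path. The sample output and the validation rules are this example's own assumptions.

```python
# Added example (not Tines code): a defensive reading of the "Analyze Alert"
# output produced in JSON mode, followed by the trigger rule that routes an
# event by explode_alerts.individual_item.severity. The AI output below is a
# constructed stand-in, and the validation rules are this example's own.
import json

REQUIRED_KEYS = ("alert_data", "ip_data", "alert_title", "alert_summary")

# Constructed example of what JSON mode might return for one alert.
AI_OUTPUT_TEXT = json.dumps({
    "alert_data": {"id": "a-1", "user": "alice@example.com", "severity": "high"},
    "ip_data": {"ipAddress": "203.0.113.10", "abuseConfidenceScore": 87},
    "alert_title": "Suspicious login for alice@example.com",
    "alert_summary": "Login from an IP with a high abuse score. Reset the "
                     "password and review active sessions. Risk rating: 8/10.",
})


def parse_ai_output(text):
    """Parse JSON-mode output and check the keys the prompt asked for.
    Raises ValueError so a malformed reply stops here instead of reaching the
    ticket or email steps."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"AI output is not valid JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValueError("AI output must be a JSON object")
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        raise ValueError(f"AI output missing keys: {missing}")
    if not isinstance(data["alert_title"], str) or not data["alert_title"].strip():
        raise ValueError("alert_title must be a non-empty string")
    return data


def is_valid_ai_output(text):
    """True when parse_ai_output accepts the text, False otherwise."""
    try:
        parse_ai_output(text)
    except ValueError:
        return False
    return True


def event_for(alert):
    """Shape of the exploded event that downstream actions see (constructed)."""
    return {"explode_alerts": {"individual_item": alert}}


def alert_severity_is_high(event):
    """Trigger rule: explode_alerts.individual_item.severity equals "high"."""
    return event["explode_alerts"]["individual_item"]["severity"] == "high"


def route(event):
    """The "match" path sends an email; the "no match" path creates a Jira ticket."""
    return "send_email" if alert_severity_is_high(event) else "create_a_ticket_in_jira"


if __name__ == "__main__":
    summary = parse_ai_output(AI_OUTPUT_TEXT)
    print(summary["alert_title"])
    for sev in ("high", "medium", "low"):
        print(sev, "->", route(event_for({"id": "x", "severity": sev})))
```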
See the results
Let's take a look at our work so far. Re-emit the last event from the "Get New Alerts" action. We will see the series of actions deduplicate the duplicate alert, enrich the IP addresses for each alert, provide an AI summary and then filter alerts by severity.
Creating a ticket
This next action will be another template from the template library on the left. Search for “Tines Bootcamp.” Click and drag the Tines Bootcamp template onto the storyboard. In the configuration pane on the right side, select "Create a Ticket in Jira".
This action will run when the alert severity is not “high”, meaning either “low” or “medium”. Because of how we configured our trigger above, we want this action to follow down the “no match” path. To do this, hover over the bottom of the trigger action until you see “no match” with a dotted line. Connect the dotted line to the top right of the “Create a Ticket in Jira” action.
Automatic formatting
One key AI feature in Tines is automatic mode in the "Event Transform" action. This was created to make it easier for anyone to build. You can use this to manipulate data using nothing more than common language.
This mode takes a prompt describing the action that you want to take and leveraging LLMs, translates that prompt into Python. Once you are happy with the Python, you can save the code and then when the story runs, the code gets executed.
For this story, we will be formatting the HTML data for an email. Drag and drop another event transform action onto the storyboard and name it “Build HTML”. Connect it to the above trigger action, making sure to connect with the solid line “match” path (instead of the dotted line “no match” path).
Click on the action and choose “automatic” mode. We will first configure the input data by clicking on “input”, which will then pop out the modal for automatic mode. Specify the data path analyze_alert.output for the input. The “Analyze Alert” action condenses all the important info in one action to feed into this action.
Next, below the input, enter this for the prompt:
Generate nicely formatted HTML for an email for the alert and include tables for the data.
Make sure to click generate to see the code generated and then save.
Send the email
Now that you have the results, you need to send them somewhere. Drag a “Send Email” from the left onto the storyboard. Tines email actions allow you to write a body in HTML while still being able to create pills for dynamic values. We saved some time because we already generated the HTML in the previous action.
In the “Subject” section, add a value pill with analyze_alert.output.alert_title and in the “Body” section, add a value pill with build_html.output.
Run from the top!
Let’s run from the top and take a look at the data, but first make sure to clear the memory of the “Deduplicate” action under the “Status” tab so that the same alert data can be processed again. Click “Get New Alerts” and run.
Set a schedule
Every action in Tines can be set to run on a schedule. For this story, you can configure the top action, “Get New Alerts”, to run every Monday morning at a specific time.
Click the “Get New Alerts” and go to the “Status” tab in the right pane.
Click on the plus sign + next to “Scheduling” to add a scheduled run. Note that by default the schedule is set to run at 09:00 AM in the tenant’s default time zone.
Click on the schedule to edit the timing. You can change the time zone, set a specific repeating schedule, or use a cron expression if that is more comfortable for you.
Wrap up
Congratulations, and thank you for sticking with us to the end! In this session, we reviewed:
Setting up credentials
Configuring event transform actions for deduplication, formatting data, exploding events, and automatic Python generation
Using HTTP requests for multiple API calls
Creating rules for a trigger action to control the flow of events
Consolidating and sending data via email or creating a ticket
More importantly, you have seen how easy it can be to automate your most common workflows. We’ve only just scratched the surface of Tines today, as there is so much more that can be done.
More resources
Discover more use cases and prebuilt stories in our Library.
Collaborate with us and other users on our Community Slack by signing up here.
Check out more of our learning content in the Tines University.
Take the next step and get certified for no cost here.
Want to talk more? You can book a demo with our team on our Pricing Page.