Analyze SMS phishing with the AI action

Danielle Swanser

Product Engagement Manager

Security

Employees report suspicious text messages via a Tines Page, and the AI action analyzes the screenshot to extract indicators and deliver a verdict — while automatically creating a case, enriching IOCs, and escalating if multiple employees report the same threat.


What you'll see:

  • Employees submit a screenshot of a suspicious text message through a branded Tines Page
  • An LLM action powered by Claude Sonnet analyzes the image and returns a verdict (malicious, spam, or undetermined), confidence score, extracted URLs, and sender phone number
  • Condition actions validate the AI output format and data types, looping back into a corrective LLM action if the response doesn't meet expectations
  • A Jira issue is created for the SOC, with the screenshot attached
  • Extracted URLs are scanned in parallel using URLScan and VirusTotal via Send to Story actions
  • The extracted phone number is validated, queried in C99, and added to MISP as a threat indicator
  • Enrichment results are posted back as comments on the Jira issue
  • Historical reports stored in a Tines Resource are checked for matching URLs or phone numbers across previous submissions
  • If matches are found, a Slack alert is sent to the SOC channel and a PagerDuty incident is created
  • A personalised response is built and displayed to the employee via a Thank You page
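The validation step described above (checking the AI output's format and data types before anything downstream trusts it) can be sketched as follows. This is an added example, not the workflow's own Condition actions. The field names `verdict`, `confidence`, `urls` and `sender_phone`, the 0 to 1 confidence range and the phone pattern are assumptions; only the three verdict values come from the page.

```python
import json
import re
from urllib.parse import urlsplit

ALLOWED_VERDICTS = {"malicious", "spam", "undetermined"}  # verdicts named on the page
PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")  # assumed format: optional + and 7-15 digits


def _url_ok(value):
    """Accept only absolute http(s) URLs with a hostname."""
    if not isinstance(value, str):
        return False
    try:
        parts = urlsplit(value.strip())
        return parts.scheme in ("http", "https") and bool(parts.hostname)
    except ValueError:  # e.g. malformed IPv6 literal
        return False


def validate_ai_output(raw):
    """Return (record, errors); record is None unless every check passes."""
    try:
        data = json.loads(raw)
    except (TypeError, ValueError) as exc:
        return None, [f"response is not valid JSON ({exc})"]
    if not isinstance(data, dict):
        return None, ["top-level value must be a JSON object"]
    errors = []
    if not isinstance(data.get("verdict"), str) or data["verdict"] not in ALLOWED_VERDICTS:
        errors.append(f"verdict must be one of {sorted(ALLOWED_VERDICTS)}")
    conf = data.get("confidence")  # bool is a subclass of int, so reject it explicitly
    if isinstance(conf, bool) or not isinstance(conf, (int, float)) or not 0 <= conf <= 1:
        errors.append("confidence must be a number between 0 and 1")
    urls = data.get("urls")
    if not isinstance(urls, list) or not all(_url_ok(u) for u in urls):
        errors.append("urls must be a list of absolute http(s) URLs")
    phone = data.get("sender_phone")
    if phone is not None and not (isinstance(phone, str) and PHONE_RE.match(re.sub(r"[\s().-]", "", phone))):
        errors.append("sender_phone must be null or a phone number string")
    return (data if not errors else None), errors


def correction_prompt(errors):
    """Text for the corrective LLM call: the concrete failures, nothing else."""
    return "Your previous reply was rejected. Return JSON only and fix:\n" + "\n".join(f"- {e}" for e in errors)


if __name__ == "__main__":  # constructed sample of a malformed model reply
    print(correction_prompt(validate_ai_output('{"verdict": "phishing", "confidence": "high"}')[1]))
```

The error list is what the corrective call receives, so the retry is told exactly which field failed instead of being asked to try again blindly.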

Perfect for:

  • SOC teams: Triaging employee-reported SMS phishing at scale without manual intake or analyst involvement
  • Security awareness programs: Giving employees a fast, visible feedback loop when they report suspicious messages
  • Threat intelligence teams: Automatically surfacing and correlating IOCs (phone numbers, URLs) across multiple employee reports
  • Incident response teams: Identifying coordinated phishing campaigns early when multiple employees receive the same malicious message

Requirements:

  • Tines AI enabled on your tenant
  • Anthropic Claude Sonnet (via Tines AI — model: claude-3-sonnet-20240229-v1:0)
  • Slack — Bot Token with chat:write scope
  • PagerDuty — API key with permissions to create incidents
  • Jira — API key and a service account with permission to create issues and add attachments
  • C99 — API key for phone number lookup (api.c99.nl)
  • MISP — API key for adding threat indicators
  • Tines API key — for reading and writing to a Tines Resource used to store historical reports
  • A URLScan Send to Story and a VirusTotal Send to Story configured and available in your tenant
  • Company name, domain URL, and relevant keywords (e.g. company name, CEO name) added to the Build Company Details and Build Keywords actions before use

Get the featured workflow

Import this workflow to your tenant, from where you can adapt it to meet your unique needs.
