Detect insider threats using Tines audit logs

Danielle Swanser

Danielle Swanser

Product Engagement Manager

Security

In this five-minute flow, we walk through how to automatically detect suspicious story deletions and insider threats using your Tines audit logs — no manual log review required.


What you'll see:

  • Schedule a recurring trigger to monitor your Tines environment continuously
  • Fetch newly created stories from the Tines API using audit log data
  • Explode and deduplicate story events to remove noise before processing
  • Check whether each story still exists — flagging any that have been deleted
  • Run two parallel checks: one for soft deletions, one for hard deletions across all stories
  • Pull a full user activity report from the audit logs for each flagged user
  • Summarize that activity using an LLM to surface anything unusual
  • Automatically create a Case for each detected threat so your team can investigate

Perfect for:

  • SOC teams: Monitoring for insider threats or account compromise without manually reviewing audit logs
  • Security engineers: Building automated detection pipelines entirely within Tines, using native audit data
  • IT and platform teams: Keeping track of who is deleting or modifying stories in a shared Tines environment

Requirements:

  • Tines account with access to audit logs
  • Tines API credential (for querying audit log endpoints)
  • A connected AI provider (for the LLM Summarize User Activity action)
  • Tines Cases enabled on your tenant
  • Basic familiarity with Tines HTTP Request and Event Transformation actions

Get the featured workflow

Import this workflow to your tenant, from where you can adapt it to meet your unique needs.

View workflow
🚨🔎🫆🫆Detect insider threats using Tines audit logs

Receive Five-minute flows
directly in your inbox

Built by you,
powered by Tines

Already have an account? Log in.