Retrieve and respond to alerts from multiple customer EDR platforms

Danielle Swanser

Product Engagement Manager

Security

In this Five-minute flow, we walk through how to automatically ingest, enrich, and respond to security alerts from CrowdStrike and SentinelOne across multiple customer tenants — all from a single Tines story.


What you'll see:

  • Set up two Tines Resources as a central config store to manage customer credentials and EDR product mappings
  • Define customer profiles with unique IDs that map to the correct API credential dynamically — no hardcoding required
  • Fetch alerts from CrowdStrike or SentinelOne per customer and split them so each alert is processed individually
  • Normalize alert data into a consistent format regardless of which EDR platform it came from
  • Create a Tines Record and automatically open a Case for each detection
  • Use an AI agent to summarize the alert in plain English and write it back to the Case
  • Check for external IP addresses and route them through a dedicated Send to Story for AI-powered IP analysis
  • Evaluate alert severity and send a Slack notification with a one-click host containment button for high severity alerts
  • Route the containment action to the correct EDR API — CrowdStrike or SentinelOne — based on the customer's product
  • Log the response outcome back to the Tines Case as a comment
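The config-store, normalization, external-IP check, severity evaluation and product-based routing steps above are the core logic of the story. The following Python is an added example written for this page; it is not Tines code and not the workflow's own actions. The two dictionaries stand in for the customer_index and customer_products Resources, the alert field names (detection_id, max_severity, threatInfo, agentRealtimeInfo, indicators and so on), the severity thresholds and the sample alerts are all constructed for illustration, and the containment endpoints are labelled placeholders rather than the vendors' real API paths.

```python
"""Multi-tenant EDR alert normalization and routing (constructed illustration)."""
import ipaddress
from typing import Any, Callable

# Constructed stand-ins for the two Tines Resources named on the page.
CUSTOMER_INDEX: dict[str, dict[str, str]] = {
    "cust-001": {"name": "Acme Corp", "product": "CS", "credential": "crowdstrike_acme"},
    "cust-002": {"name": "Globex", "product": "S1", "credential": "sentinelone_globex"},
}
CUSTOMER_PRODUCTS: dict[str, str] = {"CS": "CrowdStrike", "S1": "SentinelOne"}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def resolve_customer(customer_id: str) -> dict[str, str]:
    """Look up a tenant's credential reference and EDR platform from the config store."""
    profile = CUSTOMER_INDEX[customer_id]
    return {**profile, "customer_id": customer_id, "platform": CUSTOMER_PRODUCTS[profile["product"]]}


def normalize_crowdstrike(raw: dict[str, Any]) -> dict[str, Any]:
    """Map a CrowdStrike-style detection onto the common schema (field names and thresholds assumed)."""
    score = int(raw.get("max_severity", 0))  # assumed 0-100 score
    label = "critical" if score >= 90 else "high" if score >= 70 else "medium" if score >= 40 else "low"
    return {
        "alert_id": raw["detection_id"],
        "host_id": raw["device"]["device_id"],
        "hostname": raw["device"]["hostname"],
        "severity": label,
        "description": raw.get("description", ""),
        "remote_ips": [b["remote_address"] for b in raw.get("behaviors", []) if b.get("remote_address")],
    }


def normalize_sentinelone(raw: dict[str, Any]) -> dict[str, Any]:
    """Map a SentinelOne-style threat onto the same schema (field names and mapping assumed)."""
    confidence = raw["threatInfo"].get("confidenceLevel", "")
    label = "high" if confidence == "malicious" else "medium" if confidence == "suspicious" else "low"
    return {
        "alert_id": raw["id"],
        "host_id": raw["agentRealtimeInfo"]["agentId"],
        "hostname": raw["agentRealtimeInfo"]["agentComputerName"],
        "severity": label,
        "description": raw["threatInfo"].get("threatName", ""),
        "remote_ips": list(raw.get("indicators", {}).get("remoteAddresses", [])),
    }


NORMALIZERS: dict[str, Callable[[dict[str, Any]], dict[str, Any]]] = {
    "CrowdStrike": normalize_crowdstrike,
    "SentinelOne": normalize_sentinelone,
}


def is_external_ip(value: str) -> bool:
    """True only for globally routable addresses; private, loopback, link-local and junk are skipped."""
    try:
        return ipaddress.ip_address(value).is_global
    except ValueError:
        return False


def needs_containment(alert: dict[str, Any], threshold: str = "high") -> bool:
    """Severity gate for the one-click containment notification."""
    return SEVERITY_RANK[alert["severity"]] >= SEVERITY_RANK[threshold]


def build_containment_action(customer: dict[str, str], alert: dict[str, Any]) -> dict[str, str]:
    """Route containment to the tenant's own EDR with the tenant's own credential reference.
    Endpoint values are placeholders, not the vendors' real API paths."""
    endpoint = {
        "CrowdStrike": "PLACEHOLDER_CROWDSTRIKE_CONTAIN_ENDPOINT",
        "SentinelOne": "PLACEHOLDER_SENTINELONE_DISCONNECT_ENDPOINT",
    }[customer["platform"]]
    return {"platform": customer["platform"], "credential": customer["credential"],
            "endpoint": endpoint, "host_id": alert["host_id"]}


def process_alerts(customer_id: str, raw_alerts: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Resolve the tenant once, then handle each fetched alert individually (the story's split step)."""
    customer = resolve_customer(customer_id)
    normalize = NORMALIZERS[customer["platform"]]
    results = []
    for raw in raw_alerts:
        alert = normalize(raw)
        alert["customer_id"] = customer_id
        alert["platform"] = customer["platform"]
        alert["external_ips"] = [ip for ip in alert["remote_ips"] if is_external_ip(ip)]  # candidates for the IP-analysis story
        alert["containment"] = build_containment_action(customer, alert) if needs_containment(alert) else None
        results.append(alert)
    return results


# Constructed sample alerts; 8.8.8.8 is used only as a well-known public address.
CROWDSTRIKE_SAMPLE = [{
    "detection_id": "ldt:sample-1", "max_severity": 80,
    "device": {"device_id": "dev-1", "hostname": "ACME-WS01"},
    "description": "Suspicious PowerShell download cradle",
    "behaviors": [{"remote_address": "8.8.8.8"}, {"remote_address": "10.0.0.7"}],
}]
SENTINELONE_SAMPLE = [{
    "id": "threat-9",
    "agentRealtimeInfo": {"agentId": "agent-9", "agentComputerName": "GLOBEX-LAP03"},
    "threatInfo": {"confidenceLevel": "suspicious", "threatName": "PUA.Adware"},
    "indicators": {"remoteAddresses": ["192.168.1.10"]},
}]

if __name__ == "__main__":
    for cid, sample in (("cust-001", CROWDSTRIKE_SAMPLE), ("cust-002", SENTINELONE_SAMPLE)):
        for alert in process_alerts(cid, sample):
            print(alert["customer_id"], alert["platform"], alert["severity"], alert["external_ips"], alert["containment"])
```

Onboarding a new tenant means adding one entry to CUSTOMER_INDEX and nothing else, which is the point of keeping credentials and product mappings in a config store instead of in the processing steps. The external-IP filter deliberately drops RFC 1918 and other non-global addresses so the IP-analysis story is only invoked for addresses that can actually be enriched.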

Perfect for:

  • MSSPs and multi-tenant security teams: Managing separate CrowdStrike or SentinelOne tenants per customer without duplicating workflows
  • SOC analysts triaging high volumes of EDR alerts: Reducing manual triage with automated normalization, enrichment, and case creation
  • Security engineers building scalable response playbooks: Centralizing credential and config management so new customers can be onboarded with minimal story changes
  • Teams using Tines Cases for incident tracking: Keeping the full alert-to-response audit trail in one place

Requirements:

  • CrowdStrike — one API credential per customer tenant (OAuth2 client credentials)
  • SentinelOne — one API credential per customer tenant (API token)
  • Slack — OAuth credential with permission to post messages to your chosen channel
  • Tines API key — used to create and update Cases and Resources via the Tines API
  • Two Tines Resources must be created before running the story: customer_index (maps customer IDs to credentials) and customer_products (maps product codes to EDR platform names)
  • A separate Tines story configured to accept an IP address via Send to Story for IP analysis (referenced as "STS Analyze IP Address")
  • Basic familiarity with Tines Resources and how credentials are referenced in actions

Get the featured workflow

Import this workflow to your tenant, from where you can adapt it to meet your unique needs.

Tools: CrowdStrike, SentinelOne
