---
title: Records
url: https://www.tines.com/docs/records/
updated: 2026-04-29T17:47:28+00:00
---

*[tines.com](https://www.tines.com/llms.txt) › [Docs](https://www.tines.com/llms.txt)*

# Records

*[View on tines.com](https://www.tines.com/docs/records/)*

> **NOTE:** Not seeing this feature? Talk to your tenant admin or [reach out to the Tines team](https://www.tines.com/contact-support/) to learn more.

> **INFO:** Records and cases are available on version 17.20 of self-hosted Tines.

[Records](https://explained.tines.com/en/articles/7971187-introduction-to-records) are a way to introduce structured data into your team. 

[*Explore examples of records in our library*](https://www.tines.com/library/cases-records)*. *

## Capture a record

Drag a record onto the storyboard from the ‘tools’ menu. Then connect it to the upstream and/or downstream action. 

[add-record-to-storyboard](https://stream.mux.com/LKcKR8EbzjOaFR01PL5KypLk5wbZNm01X6/high.mp4)

This tells the story to capture data from the incoming action before proceeding to the subsequent action(s). Through the build pane on the right-hand side of your screen, you’ll name what you’re capturing and assign the **record type**. 

If you or a member of your team already created record types, you can choose the type from the ‘select record type’ dropdown. 

If no record types exist, you’ll need to select the option **`Create new`** record.

### Create a new record type

Now that you are capturing data, you need to tell the system how you want the data stored. This is done through the **record type**. The record type is how you define the data and how it should be stored. 

This opens a module like below. 

[Video-Capture-Record-Existing-Type](https://stream.mux.com/krUlEtj2uGpDMRlbGroiS02gngt6AWrvQ/high.mp4)

By default, the timestamp and story name is always captured. 

> **TIP:** Always use a unique, descriptive name for the record on the storyboard.

You will add fields for what you’d like captured. Today, the field result type options are text, number, true/false, timestamp or a list of fixed text values. 

[Video](https://stream.mux.com/uz00ScerOJAWEJIL21eVjOckadlbCDcHY/high.mp4)

> **NOTE:**
> For example:  
>   
> 
> If your story is conducting IOC analysis, you might want to keep a record of URLScan outputs to monitor trends. You could add fields to keep a record of the different URL outputs, such as: the URL analyzed, the URL ID, whether it has verdicts, whether it was identified as malicious, and the URLScan score.

Once you define the record type, you will click `save` and it will be automatically selected as the record type for the record capture. 

Now, you need to define the incoming data. 

### Define record type data

Since the incoming event data structure varies from one story to another, you need to define the incoming data for each record field. Before starting, ensure the capture record tool is connected to an incoming action.

1. Choose the record type from the drop-down list
2. Then, for each field reference the relevant data from the incoming action
3. Test the record by clicking `**run**` or **`test`**
4. When the run is complete, choose **`view record results`** to see the output on the record table

While running or testing the record tool, you may encounter incoming data type that does not match the defined record field type. When that happens:

1. If a record field is defined as a “number” but the incoming data is a “text”, empty data (essentially `null`) will be recorded, and you’ll see an error in the logs.
2. If a record field is defined as a “text” but the incoming data is a “number”, the value will be recorded as a “text”, e.g. `"10"`.
3. A record field defined as a “true/false” (essentially a boolean) can only record data that is `true` or `false`. If the incoming data is `0`, `no`, or `false`, it will be recorded as `false`. If the incoming data is `1`, `yes`, or `true`, it will be recorded as `true`. 
4. If a record field is defined as a “timestamp” but the incoming data is not a date time, empty data will be recorded and you'll see an error in the logs. A “timestamp”, regardless of the format, will be recorded as the [strftime format](https://strftime.net) `%Y-%m-%d %H:%M:%S`. For example:
  
  - “May 31st, 2023 4:17:33pm” will be recorded as `2023-05-31 16:17:33`.
  - “May 31st, 2023” will be recorded as `2023-05-31 00:00:00`.
5. If a record field is defined as "text (fixed values)" but the incoming data is not one of the fixed text values defined for the field, empty data will be recorded and you'll see an error in the logs.

## Record artifacts

Record artifacts function similarly to regular fields in the records table, making them visible both in the user interface when accessing the records table and via the API as fields on individual record rows. However, there are two notable differences. 

Unlike typical fields, artifacts enable the storage of raw logs or extensive data dumps directly within the Records table. Each artifact can accommodate up to 15,000 characters of data. 

Querying Record artifacts is not supported. To fully leverage this expanded storage capability, it's advisable to perform preprocessing at storage time.

> **TIP:**
> Record artifacts can't be queried directly; only structured record fields can. When you store raw data in an artifact, also parse the values you'll later want to filter, group, or chart by, and capture them as dedicated fields on the same record.
> 
> For example, when storing a full alert log in a record artifact, capture fields such as source, severity, and threat type alongside it. Those fields stay attached to the same record as the artifact, so you can query and visualize them without scanning the full payload.

## Navigate the records table

The records table is a view of all created records by record type. You can navigate to the records table from the storyboard or in the main top navigation by clicking `**records**`.

The fields on the record table will match the record type settings, and can be rearranged to best fit your needs.

Records charts allow you to visualize your data in multiple formats including: line, bar, pie, or stacked area charts.

[Video](https://stream.mux.com/ngN6aPYlXkUhsl6YYAjNFtdQyZapXV4l/high.mp4)

### Add charts for records reports

Add multiple data visualizations to a report for a more in-depth view. Customize them to fit your needs with the options to:

1. Rearrange and resize charts within the grid
2. Display a count, sum, or average for a record
3. Asynchronous loading so you can manually refresh the charts for improved performance

### Filter the records table

There are a few ways to filter the records view. You can filter by one or a combination of the options. 

1. Stories: select the story(ies) for which you want to see the associated records
2. Record table fields: filter by a specific field or the data within the field (note that the available operators are different for different field types)
  
  1. Equals (case insensitive)
  2. Does not equal (case insensitive)
  3. Is any of (case insensitive)
  4. Is none of (case insensitive)
  5. Is empty
  6. Is not empty
  7. Greater than or equal
  8. Greater than
  9. Less than or equal
  10. Less than
  11. Is true
  12. Is false
3. Date: set a timeframe for the records
4. Test or Live environment*: select to see records associated with the test or live version of a story(ies) 

**Change control must be enabled in order to select between test and live environments. *

The record table automatically updates based on the filters defined. 

### Export the records table

You can export a record view to a CSV by clicking the export button. It will export the data as you see it within the table.

## Parent-child relationships

Parent and child records allow you to create dependencies between records. The parent record denotes the source data capture for the parent-child relationship. 

When added to a case, all child records of the parent record are also added to the case.

> **NOTE:** For example: say we had an ***Alert*** record type in a story and wanted to include other downstream "observables" as part of that record type. We would set the downstream records up with the parent record, Alert.

### Configuring the parent record

In the build pane of the child record, you will turn on **`parent record`**.

Within the formula field, you will find the record the exact same way you pull event data. 

[Video](https://stream.mux.com/2AWkJUub5E02LNjBNNgYdS6D7VXf2tYH7/high.mp4)

**Note**: your parent record must be linked upstream of the child record.