Use Case

Endpoint detection and response

Receive, process, and remediate EDR alerts in real time

Automate this workflow

The problem 

Endpoint Detection and Response (EDR) alerts are of critical importance to the security operations center. Each alert represents a potential security incident and demands careful analysis and investigation.

However, alert fatigue is real. 83% of cybersecurity professionals reported struggling to cope with the near-constant barrage of alerts and complex event management (SIEM) tools.

The solution 

Tines can entirely automate the repetitive components of EDR alert management.

  • Receive alerts in real time from one or more endpoint tools.

  • Gather context from everywhere – SIEM, firewall, HRIS, and other enterprise tools.

  • Eliminate noise through deduplication of previously encountered alerts and ignorable characteristics.

  • Enrich observables using threat intelligence and previous event history.

  • Open a ticket unifying all data in your case management/collaboration tool.

  • Initiate response actions like quarantining devices, alerting on-call teams, blocking IOCs, etc.

In automating EDR, Tines was extremely easy to plug into everything, receive the alerts we wanted, and have it process them. It has taken hours off our work. Even preparing incident tickets alone used to take 30 minutes – now Tines does that for us without us lifting a finger.

Joel Perez-Sanchez
Security Engineer
Logo of Joel Perez-Sanchez

Your workflow, built your way

Every company's EDR workflow is unique. Tines allows you to model your process exactly as you see fit, with unrivalled flexibility and power.

From analyst to automator

Analysts who previously spent time manually analyzing abuse cases now maintain and creatively improve the process.

Defer to a human

Use a Tines prompt to pause the automated workflow at critical points when required, to get an input of human judgment from a real analyst.


What tools can Tines consume EDR alerts from?

Tines can consume from any tool. Whether the alerts arrive via a webhook, email, or even if they need to be periodically fetched on a schedule, Tines can handle them. Our customers frequently process alerts from major platforms like CrowdStrike, Carbon Black, and SentinelOne – but also from niche and internal tools.

How does case management and collaboration work?

Our philosophy is to ruthlessly focus on helping you automate the tools you already have in your stack. When it comes to case management, our customers use Tines to automatically document, track, and assign tickets in tools like JIRA, ServiceNow, or The Hive.

How does Tines help deduplicate recurring alerts?

Effective EDR management is all about boosting signal and reducing noise. Tines built-in deduplicate event transformation mode can protect against alerts that have already been encountered for a period of time. This could be based on a unique identifier, for instance, or on a fuzzier set of criteria (for example issue of type X on endpoint Y involving IP address Z).

Additionally, Tines makes it easy to first query a case management system or system of record before allowing an alert to continue, to make sure it hasn't already been handled.

What about enrichment of observables?

After gathering contextual data to fully understand the alert – from SIEM, firewall, HR information system, etc – the next step is generally to enrich. Tines has out-of-the-box Action Templates for all of the major threat intelligence platforms like GreyNoise, URLScan, Cyware, Anomali etc, and can directly integrate with all other such APIs.

security teams

Get started