Tuesday, January 21, 2025

How to Generate a CrowdStrike RFM Report With AI in Tines

Run by the team at orchestration, AI, and automation platform Tines, the Tines library contains pre-built workflows shared by real security practitioners from across the community, all of which are free to import and deploy via the Community Edition of the platform.

Their bi-annual “You Did What with Tines?!” competition highlights some of the most interesting workflows submitted by their users, many of which demonstrate practical applications of large language models (LLMs) to address complex challenges in security operations.

One recent winner is a workflow designed to automate CrowdStrike RFM reporting. Developed by Tom Power, a security analyst at The University of British Columbia, it uses orchestration, AI and automation to reduce the time spent on manual reporting.

Here, we’ll share an overview of the workflow, plus a step-by-step guide for getting it up and running.

The problem – time-consuming reporting

The workflow’s builder, Tom Power, explains, “The CrowdStrike Falcon sensor goes into Reduced Functionality Mode (RFM), usually because the operating system (OS) or kernel version is too old or too new for the sensor to support in kernel mode. Every week, SecOps would log into the Falcon console, and filter the host management console for endpoints in RFM for the last week. We would generate the report and download it.”

This process provided important data for identifying the kernel updates causing RFM, particularly for Linux endpoints. However, it required the team to manually check whether CrowdStrike had released a new sensor version compatible with the latest kernel updates.

“The entire process took about 30 minutes each week,” Tom adds. “Over the course of a year, that added up to more than 25 hours of time we could have spent on other cybersecurity priorities.”

The solution – automated RFM reporting with AI


Tom’s workflow automates the monitoring and reporting of Falcon sensor RFM across hosts. By leveraging Tines’ AI-driven Automatic Mode, it generates custom code to streamline report creation. The workflow not only produces regular, consistent reports but also enables management to monitor trends in RFM occurrences, supporting proactive system health management and faster decision-making.

The automated workflow eliminates the need for manual reporting by allowing analysts to submit requests via a simple web form. Within minutes, the workflow retrieves the data, processes it, and delivers an actionable email report, complete with detailed insights and a CSV attachment.

Example output:

Here is a sample of the auto-generated email and report received by the team:

[Image: CrowdStrike RFM Report – sample email and CSV report]

Here are some of the key benefits of using this workflow:

  • Frees analysts to focus on high-priority cybersecurity tasks.
  • Reduces manual effort and the potential for human error.
  • Delivers consistent, reliable reports for improved productivity.
  • Enhances decision-making by providing real-time insights.
  • Boosts morale by removing a tedious and repetitive task.

Workflow overview

Tools used:

  • Tines – a workflow orchestration, AI and automation platform that is popular with security teams. It is possible to use the free Community Edition of Tines to build and run this workflow if you do not have a paid account. AI must be enabled in your tenant.
  • CrowdStrike – endpoint detection and response (EDR) platform. This workflow integrates with CrowdStrike Falcon’s API to retrieve data about endpoints in Reduced Functionality Mode (RFM). While Falcon provides robust endpoint visibility, it lacks native automation for recurring RFM reports.

The workflow is initiated when a web form is submitted, triggering the process to generate CrowdStrike RFM reports.

The first action retrieves a list of device IDs from CrowdStrike Falcon’s API. If the list is larger than what CrowdStrike returns in the first batch, multiple calls are made to paginate through the full list.

Once all the device details are retrieved, the workflow consolidates them into a single resource. This resource acts as the foundation for analysis, where the number of Linux, Windows, and Mac hosts is calculated and appended to the data.

Using the consolidated resource, the workflow generates an HTML summary table to present the data in a structured format. This table is then converted into a CSV file, making it suitable for reporting purposes.

The CSV report is emailed to stakeholders for review. To maintain efficiency and data hygiene, the workflow purges the temporary resource after the email is sent, ensuring it is ready for the next cycle.

By automating these steps, the workflow eliminates manual effort, reduces the risk of errors, and provides consistent, up-to-date reporting on devices in Reduced Functionality Mode across the environment.

Configuring the workflow – step-by-step guide

  1. Log into Tines or create a new account.
  2. Ensure AI is enabled in your tenant. For this, you’ll need to be the tenant owner. Select the account settings drop-down in the top left of your screen, and check the box to turn AI on.
  3. Create your CrowdStrike credential. From the credentials page, select New credential, scroll down to the CrowdStrike credential and complete the required fields. The workflow only reads host data, so the Falcon API client you use here only needs read access to hosts; do not grant it write scopes it will never use.
  4. Navigate to the pre-built workflow in the library.
  5. Select Import. This should take you straight to your new pre-built workflow.
  6. Configure your actions. For example, you may wish to edit the format of the Tines page that kicks off the workflow.
  7. Test the workflow. Submit the form to trigger a run and confirm the email report arrives.
  8. Publish your workflow and share the Page URL with your desired users.

Building in other automation platforms

You could use another no-code automation platform to build a similar service, although it is worth noting that some of the features in this workflow are unique to Tines:

  • Pages: This workflow is kicked off by a submission to a form on a web page. That is built using Tines’ Pages feature.
    • Alternative: Use a scheduled trigger to kick off the workflow.
  • Event Transform in Automatic Mode: This feature uses build-time AI to compose Python code based on the guidance and the input the builder provides. Once you save your changes, the code is locked in place. This means that when the action runs, only the code executes, and no AI is involved.
    • Alternative: Write Python code manually to transform your data.
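As an added example for both the workflow overview above and the “write Python code manually” alternative, here is the same pipeline in plain Python: paginate the Falcon device query, pull host details, count hosts per platform and per kernel, and render the HTML summary table and the CSV attachment. This is not code from the Tines library workflow or from Tom Power. The Falcon API is replaced by an in-memory fake so it runs offline; the endpoint names, the `reduced_functionality_mode` FQL filter and the host field names are assumptions about the Falcon API, and the sample hosts are constructed. It also does two things the overview does not mention: it escapes hostnames before they land in the HTML email and neutralises formula-leading cells in the CSV, because both values are set on the endpoint and should be treated as untrusted.

```python
import csv
import html
import io
from collections import Counter

# Constructed sample hosts for the offline demo; field names mirror the
# Falcon /devices/entities/devices/v2 response as an assumption.
SAMPLE_HOSTS = [
    {"device_id": "d1", "hostname": "lx-web-01", "platform_name": "Linux", "os_version": "Ubuntu 22.04",
     "kernel_version": "6.5.0-44-generic", "agent_version": "7.16.18613", "reduced_functionality_mode": "yes"},
    {"device_id": "d2", "hostname": "lx-web-02", "platform_name": "Linux", "os_version": "Ubuntu 22.04",
     "kernel_version": "6.5.0-44-generic", "agent_version": "7.16.18613", "reduced_functionality_mode": "yes"},
    {"device_id": "d3", "hostname": "lx-db-01", "platform_name": "Linux", "os_version": "RHEL 9.4",
     "kernel_version": "5.14.0-427.42.1.el9_4.x86_64", "agent_version": "7.16.18613", "reduced_functionality_mode": "yes"},
    {"device_id": "d4", "hostname": "win-lab-07", "platform_name": "Windows", "os_version": "Windows 11",
     "kernel_version": "10.0.22631", "agent_version": "7.16.18613", "reduced_functionality_mode": "yes"},
    {"device_id": "d5", "hostname": "mac-des-03", "platform_name": "Mac", "os_version": "14.6",
     "kernel_version": "23.6.0", "agent_version": "7.16.18613", "reduced_functionality_mode": "no"},
]

# FQL filter for "hosts currently in RFM" (assumed field name).
RFM_FILTER = "reduced_functionality_mode:'yes'"
COLUMNS = ["hostname", "platform_name", "os_version", "kernel_version", "agent_version"]


class FakeFalconClient:
    """Offline stand-in for the Falcon host APIs: a paginated ID query (like
    /devices/queries/devices-scroll/v1) and a bulk detail lookup (like
    /devices/entities/devices/v2). The response shapes are assumptions."""

    def __init__(self, hosts, page_size=2):
        self._hosts, self._page_size, self.calls = hosts, page_size, 0

    def query_devices(self, fql_filter, offset=None):
        self.calls += 1
        if fql_filter != RFM_FILTER:
            raise ValueError("fake only understands the RFM filter")
        ids = [h["device_id"] for h in self._hosts if h["reduced_functionality_mode"] == "yes"]
        start = int(offset or 0)
        nxt = start + self._page_size
        # An empty offset marks the last page, as the scroll API does.
        pagination = {"total": len(ids), "offset": str(nxt) if nxt < len(ids) else ""}
        return {"resources": ids[start:nxt], "meta": {"pagination": pagination}}

    def get_devices(self, ids):
        self.calls += 1
        wanted = set(ids)
        return {"resources": [h for h in self._hosts if h["device_id"] in wanted]}


def collect_rfm_hosts(client):
    """Page through the ID query until no offset comes back, fetching details per page."""
    hosts, offset = [], None
    while True:
        resp = client.query_devices(RFM_FILTER, offset)
        ids = resp["resources"]
        if ids:
            hosts.extend(client.get_devices(ids)["resources"])
        offset = resp["meta"]["pagination"].get("offset")
        if not ids or not offset:  # empty page or final page: stop, never spin
            return hosts


def summarize(hosts):
    """Consolidate: totals per platform, plus per (platform, kernel) so the
    kernel update that pushed sensors into RFM stands out."""
    by_platform = Counter(h["platform_name"] for h in hosts)
    by_kernel = Counter((h["platform_name"], h["kernel_version"]) for h in hosts)
    return {"total": len(hosts), "by_platform": dict(by_platform), "by_kernel": dict(by_kernel)}


def csv_safe(value):
    """Neutralise spreadsheet formula injection: a hostname is set on the
    endpoint, so treat it as untrusted before it lands in a CSV opened in Excel."""
    text = str(value)
    return "'" + text if text[:1] in ("=", "+", "-", "@") else text


def _ordered(hosts):
    return sorted(hosts, key=lambda h: (h["platform_name"], h["hostname"]))


def to_csv(hosts):
    """The CSV attachment, one row per RFM host."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    for h in _ordered(hosts):
        writer.writerow([csv_safe(h.get(c, "")) for c in COLUMNS])
    return buf.getvalue()


def to_html_table(hosts):
    """The HTML summary table for the email body; every cell is escaped because
    the same untrusted hostnames are rendered by a mail client."""
    head = "".join(f"<th>{html.escape(c)}</th>" for c in COLUMNS)
    rows = "".join("<tr>" + "".join(f"<td>{html.escape(str(h.get(c, '')))}</td>" for c in COLUMNS) + "</tr>"
                   for h in _ordered(hosts))
    return f"<table><tr>{head}</tr>{rows}</table>"


if __name__ == "__main__":
    rfm_hosts = collect_rfm_hosts(FakeFalconClient(SAMPLE_HOSTS))
    print(summarize(rfm_hosts))
    print(to_csv(rfm_hosts))
```

Swapping `FakeFalconClient` for a real client is the only change needed to run this against a tenant: keep the pagination loop exactly as written, since the termination condition (empty page or empty offset) is what stops a scroll query from looping forever when the total changes between pages.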

If you’d like to explore AI in Tines for yourself or test out this workflow, you can sign up for a free account with AI functionality.

This article is a contributed piece from one of our valued partners.
