Run by the team at orchestration, AI, and automation platform Tines, the Tines library features pre-built workflows shared by real security practitioners from across the community, all of which are free to import and deploy via the Community Edition of the platform.
Their bi-annual “You Did What with Tines?!” competition highlights some of the most interesting workflows submitted by their users, many of which demonstrate practical applications of large language models (LLMs) to address complex challenges in security operations.
One recent winner is a workflow designed to automate CrowdStrike RFM reporting. Developed by Tom Power, a security analyst at The University of British Columbia, it uses orchestration, AI and automation to reduce the time spent on manual reporting.
Here, we’ll share an overview of the workflow, plus a step-by-step guide for getting it up and running.
The problem – time-consuming reporting
The workflow’s builder, Tom Power, explains, “The CrowdStrike Falcon sensor goes into Reduced Functionality Mode (RFM), usually because the operating system (OS) or kernel version is too old or too new for the sensor to support in kernel mode. Every week, SecOps would log into the Falcon console, and filter the host management console for endpoints in RFM for the last week. We’d generate the report and download it.”
This process provided critical data for identifying the kernel updates that were causing RFM, particularly for Linux endpoints. However, it required the team to manually check whether CrowdStrike had released a new sensor version compatible with the latest kernel updates.
“The entire process took about half an hour each week,” Tom adds. “Over the course of a year, that added up to more than 25 hours of time we could have spent on other cybersecurity priorities.”
The solution – automated RFM reporting with AI
Tom’s workflow automates the monitoring and reporting of Falcon Sensor RFM across hosts. By leveraging Tines’ AI-driven Automatic Mode, it generates custom code to streamline report creation. The workflow not only produces regular, consistent reports but also enables management to monitor trends in RFM occurrences, supporting proactive system health management and faster decision-making.
The automated workflow eliminates the need for manual reporting by allowing analysts to submit requests via a simple web form. Within minutes, the workflow retrieves the data, processes it, and delivers an actionable email report, complete with detailed insights and a CSV attachment.
Example output:
Here is a sample of the auto-generated email and report received by the team:
Here are some of the key benefits of using this workflow:
- Frees analysts to focus on high-priority cybersecurity tasks.
- Reduces manual effort and the potential for human error.
- Delivers consistent, reliable reports for improved productivity.
- Enhances decision-making by providing real-time insights.
- Boosts morale by removing a tedious and repetitive task.
Workflow overview
Tools used:
- Tines – a workflow orchestration, AI and automation platform that is popular with security teams. It is possible to use the free Community Edition of Tines to build and run this workflow if you do not have a paid account. AI must be enabled in your tenant.
- CrowdStrike – endpoint detection and response (EDR) platform. This workflow integrates with CrowdStrike Falcon’s API to retrieve data about endpoints in Reduced Functionality Mode (RFM). While Falcon provides strong endpoint visibility, it lacks native automation for recurring RFM reports.
The workflow is initiated when a web form is submitted, triggering the process that generates the CrowdStrike RFM report.
The first action retrieves a list of device IDs from CrowdStrike Falcon’s API. If the list is larger than what CrowdStrike returns in the first batch, multiple calls are made to paginate through the full list.
Once all the device details are retrieved, the workflow consolidates them into a single resource. This resource acts as the foundation for analysis, where the number of Linux, Windows, and Mac hosts is calculated and appended to the data.
Using the consolidated resource, the workflow generates an HTML summary table to present the data in a structured format. This table is then converted into a CSV file, making it suitable for reporting purposes.
The CSV report is emailed to stakeholders for review. To maintain efficiency and data hygiene, the workflow purges the temporary resource after the email is sent, ensuring it is ready for the next cycle.
By automating these steps, the workflow eliminates manual effort, reduces the risk of errors, and provides consistent, up-to-date reporting on devices in Reduced Functionality Mode across the environment.
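As an added example that is not code from the Tines workflow or from CrowdStrike (the workflow itself has its transform code generated by Automatic Mode), the following Python walks the steps above end to end: paginating a Falcon-style device query, looking up device details, counting Linux, Windows and Mac hosts, and rendering the HTML summary table and the CSV attachment. The Falcon API is replaced by an in-memory stub built from constructed sample hosts so it runs offline; the endpoint paths and the reduced_functionality_mode filter mentioned in the comments are assumptions about the real API, not taken from the page. The pagination loop stops on an empty page or when the offset reaches meta.pagination.total and caps the number of requests, and every table cell is HTML-escaped so a hostname cannot inject markup into the emailed report.

```python
# Added example, not the Tines workflow's own code or CrowdStrike's SDK.
# The Falcon API is stubbed with in-memory data; endpoint names in the
# comments are assumptions about the real API.
import csv
import html
import io
from collections import Counter

# Constructed sample devices: hostnames, kernel and sensor versions are placeholders.
SAMPLE_DEVICES = {
    "dev-0001": {"hostname": "lnx-build-01", "platform_name": "Linux",
                 "kernel_version": "6.x-placeholder", "agent_version": "7.x-placeholder"},
    "dev-0002": {"hostname": "lnx-web-02", "platform_name": "Linux",
                 "kernel_version": "6.x-placeholder", "agent_version": "7.x-placeholder"},
    "dev-0003": {"hostname": "win-fs-01", "platform_name": "Windows",
                 "kernel_version": "10.x-placeholder", "agent_version": "7.x-placeholder"},
    "dev-0004": {"hostname": "mac-dev-01", "platform_name": "Mac",
                 "kernel_version": "23.x-placeholder", "agent_version": "7.x-placeholder"},
    "dev-0005": {"hostname": "lnx-db-03 <staging>", "platform_name": "Linux",
                 "kernel_version": "5.x-placeholder", "agent_version": "7.x-placeholder"},
}

PAGE_SIZE = 2  # deliberately small so that pagination is exercised


def query_rfm_device_ids(offset, limit):
    """Stub for the device-ID query. The real call is assumed to be a filtered
    Falcon devices query (GET /devices/queries/devices/v1 with
    filter=reduced_functionality_mode:'yes'); the response mimics the
    resources / meta.pagination shape of that API."""
    ids = sorted(SAMPLE_DEVICES)
    page = ids[offset:offset + limit]
    return {"resources": page,
            "meta": {"pagination": {"offset": offset, "limit": limit, "total": len(ids)}}}


def fetch_all_device_ids(query_fn, page_size=PAGE_SIZE, max_pages=10_000):
    """Walk the paginated query until every ID is collected. Stops on an empty
    page or once offset reaches meta.pagination.total, and caps the number of
    requests so a misbehaving API cannot keep the workflow looping forever."""
    ids, offset = [], 0
    for _ in range(max_pages):
        resp = query_fn(offset, page_size)
        batch = resp.get("resources") or []
        ids.extend(batch)
        offset += len(batch)
        total = resp.get("meta", {}).get("pagination", {}).get("total", 0)
        if not batch or offset >= total:
            break
    return ids


def get_device_details(ids):
    """Stub for the details lookup (assumed GET /devices/entities/devices/v2)."""
    return [dict(SAMPLE_DEVICES[i], device_id=i) for i in ids if i in SAMPLE_DEVICES]


def count_platforms(devices):
    """Number of Linux, Windows and Mac hosts, as the workflow appends to its resource."""
    counts = Counter(d.get("platform_name", "Unknown") for d in devices)
    return {p: counts.get(p, 0) for p in ("Linux", "Windows", "Mac")}


COLUMNS = ("device_id", "hostname", "platform_name", "kernel_version", "agent_version")


def build_html_table(devices, columns=COLUMNS):
    """HTML summary table; every cell is escaped so a hostname cannot inject
    markup into the emailed report."""
    head = "".join(f"<th>{html.escape(c)}</th>" for c in columns)
    rows = "".join(
        "<tr>" + "".join(f"<td>{html.escape(str(d.get(c, '')))}</td>" for c in columns) + "</tr>"
        for d in devices)
    return f"<table><thead><tr>{head}</tr></thead><tbody>{rows}</tbody></table>"


def build_csv(devices, columns=COLUMNS):
    """CSV attachment with the same columns as the HTML table."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(columns), extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(devices)
    return buf.getvalue()


def build_rfm_report(query_fn=query_rfm_device_ids, details_fn=get_device_details):
    """End to end: paginate IDs -> fetch details -> count platforms -> HTML + CSV."""
    devices = details_fn(fetch_all_device_ids(query_fn))
    return {"counts": count_platforms(devices), "html": build_html_table(devices),
            "csv": build_csv(devices), "device_count": len(devices)}


if __name__ == "__main__":
    report = build_rfm_report()
    print(report["counts"])
    print(report["csv"])
```

Running the file prints the platform counts and the CSV for the five constructed hosts. In a real deployment the two stubs would be replaced by authenticated Falcon API calls and the result handed to the email step; the pagination cap and the cell escaping are the two details worth keeping regardless of which platform runs the transform.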
Configuring the workflow – step-by-step guide
- Log into Tines or create a new account.
- Ensure AI is enabled in your tenant. For this, you need to be the tenant owner. Select the account settings drop-down in the top left of your screen, and check the box to turn AI on.
- Create your CrowdStrike credential. From the credentials page, select New credential, scroll down to the CrowdStrike credential and complete the required fields.
- Navigate to the pre-built workflow in the library.
- Select import. This should take you straight to your new pre-built workflow.
- Configure your actions. For example, you may want to edit the layout of the Tines page that kicks off the workflow.
- Test the workflow. Submit an image via the form to test your workflow.
- Publish your workflow and share the Page URL with your desired users.
Building in other automation platforms
You could use another no-code automation platform to build a similar service, although it is worth noting that some of the features in this workflow are unique to Tines:
- Pages: This workflow is kicked off by a submission to a form on a web page. This is built using Tines’ Pages feature.
- Alternative: Use a scheduled trigger to kick off the workflow.
- Event Transform in Automatic Mode: This feature uses build-time AI to compose Python code based on the guidance and the input the builder provides. Once you save your changes, the code is locked in place. This means that when the action runs, only the code executes, and no AI is involved.
- Alternative: Write Python code manually to transform your data.
If you’d like to explore AI in Tines for yourself or try out this workflow, you can sign up for a free account that includes AI functionality.