Kernel of Truth

Category: SOAR – Security Orchestration Automation and Response

  • Tines – Integrating with Elastic Security and AWS Security Hub

    Building automated, cloud-aware detection and response workflows.

    1. Connecting Tines with Elastic Security

    Objective:
    Automate ingestion and triage of high-severity alerts from Elastic Security, enrich them with external intelligence, and create incident tickets automatically.

    Step 1 – API Authentication

    Elastic provides an API endpoint for alert queries using basic auth or API keys.
    Example API call to fetch new alerts:

    curl -X POST "https://elastic.example.com/api/detection_engine/signals/search" \
         -H "kbn-xsrf: true" \
         -H "Authorization: ApiKey ELASTIC_API_KEY" \
         -H "Content-Type: application/json" \
         -d '{
           "query": {
             "bool": {
               "must": [
                 { "match": { "signal.status": "open" } },
                 { "range": { "@timestamp": { "gte": "now-15m" } } }
               ]
             }
           }
         }'
    

    Step 2 – Build the Story in Tines

    1. Action 1: HTTP Request to Elastic API (fetch alerts).
    2. Action 2: For each alert, extract IPs, usernames, and file hashes.
    3. Action 3: Enrich these indicators using the VirusTotal API.
    4. Action 4: Query CrowdStrike Falcon API for host and user details.
    5. Action 5: Post the full context to a Slack channel for analyst visibility.
    6. Action 6: Create a Jira ticket if the VirusTotal reputation score ≥ 70.
    7. Action 7: Push an updated alert status back to Elastic via API.

    Example Tines “Event Transformation” JSON snippet:

    {
      "alert_id": "{{.response.hits.hits._id}}",
      "indicator_ip": "{{.response.hits.hits._source.signal.rule.ip}}",
      "virustotal_score": "{{.virustotal_response.data.attributes.reputation}}",
      "crowdstrike_host": "{{.falcon_response.resources[0].hostname}}",
      "status": "{{if ge .virustotal_score 70}}critical{{else}}review{{end}}"
    }
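    The triage logic of this story in plain Python, as an added example (not Tines or Elastic code): it parses a detection-engine search response, extracts the indicators from each alert (Action 2), applies the story's VirusTotal cut-off of 70 (Action 6) and builds the status update pushed back to Elastic (Action 7). The reputation lookup is a constructed stand-in for the VirusTotal call, and the Kibana status value "acknowledged" is an assumption that depends on the Kibana version.

```python
"""Triage step for the Elastic -> Tines story (added example, not Tines code).
Parses the signals search response, extracts indicators per alert, applies the
VirusTotal cut-off (reputation >= 70 -> critical + Jira) and builds the Elastic
status update. VT_REPUTATION is a constructed stand-in for the VirusTotal API."""
import json

VT_THRESHOLD = 70  # Action 6 cut-off from the story

# Constructed sample in the shape returned by POST /api/detection_engine/signals/search
SAMPLE_RESPONSE = json.loads("""
{"hits": {"hits": [
  {"_id": "a1", "_source": {"signal": {"status": "open", "rule": {"name": "Suspicious outbound"}},
   "source": {"ip": "203.0.113.10"}, "user": {"name": "jdoe"},
   "file": {"hash": {"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}}},
  {"_id": "a2", "_source": {"signal": {"status": "open", "rule": {"name": "New admin user"}},
   "source": {"ip": "198.51.100.7"}, "user": {"name": "svc-backup"}}}
]}}""")

# Constructed stand-in for the VirusTotal reputation lookup (Action 3)
VT_REPUTATION = {"203.0.113.10": 85, "198.51.100.7": 12}

def extract_indicators(hit):
    """Action 2: pull IP, user and file hash out of one alert; absent fields become None."""
    src = hit["_source"]
    return {
        "alert_id": hit["_id"],
        "rule": src.get("signal", {}).get("rule", {}).get("name"),
        "ip": src.get("source", {}).get("ip"),
        "user": src.get("user", {}).get("name"),
        "sha256": src.get("file", {}).get("hash", {}).get("sha256"),
    }

def triage(indicators, reputation):
    """Actions 3 and 6: attach the reputation score and decide critical vs review."""
    score = reputation.get(indicators["ip"], 0)  # unknown indicator scores 0 and never escalates alone
    status = "critical" if score >= VT_THRESHOLD else "review"
    return {**indicators, "virustotal_score": score, "status": status,
            "create_jira": status == "critical"}

def build_status_update(results, status="acknowledged"):
    """Action 7: body for POST /api/detection_engine/signals/status covering escalated alerts.
    Valid status values vary by Kibana version; 'acknowledged' is an assumption."""
    ids = [r["alert_id"] for r in results if r["status"] == "critical"]
    return {"signal_ids": ids, "status": status} if ids else None

def run_story(response, reputation=VT_REPUTATION):
    """Run Actions 2, 3 and 6 over every hit in the search response."""
    return [triage(extract_indicators(h), reputation) for h in response["hits"]["hits"]]
```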
    

    2. Integrating AWS Security Hub for Cloud Incident Response

    Objective:
    Ingest findings from AWS Security Hub (GuardDuty, IAM, CloudTrail, EKS) and automatically enrich, contain, and escalate critical events.

    Step 1 – Event Subscription

    Tines can receive AWS findings via an SNS → HTTPS webhook subscription.
    When a new finding is published in Security Hub, AWS sends a JSON event directly to your Tines “Receive Action” webhook.

    Example AWS event payload:

    {
      "detail-type": "Security Hub Findings - Imported",
      "source": "aws.securityhub",
      "detail": {
        "findings": [
          {
            "Title": "GuardDuty: EC2 instance communicating with known C2 server",
            "Severity": { "Label": "High" },
            "Resources": [
              { "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0a1b2c3d4e5f" }
            ],
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
          }
        ]
      }
    }
    

    Step 2 – Automated Workflow in Tines

    1. Receive Action: Capture incoming AWS webhook payload.
    2. Extract Action: Parse out resource type (e.g. EC2 instance ID).
    3. Query Action: Call AWS API (via signed request or IAM role) to fetch instance details.
    4. Decision Action: If severity is “High”, trigger the containment sequence.
    5. Containment Actions:
      • Isolate the EC2 instance by modifying its security group.
      • Disable the IAM role associated with the finding.
    6. Enrichment Action: Lookup C2 IP in VirusTotal and internal intel feeds.
    7. Notify Action: Post results to Slack, tag the on-call CSIRT engineer.
    8. Report Action: Log all actions and context into Elastic or S3 for audit.

    Example containment call, shown here as its AWS CLI equivalent (the Tines HTTP Request Action sends the same EC2 API request):

    aws ec2 modify-instance-attribute \
      --instance-id i-0a1b2c3d4e5f \
      --groups sg-00011122233344455
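    The Receive, Extract, Decision and Containment steps above as one Python function, added here as an example (not Tines or AWS code). It checks the event really comes from Security Hub, parses the resource ARN, gates on the severity label (High is the page's trigger; Critical is also treated as containable here) and issues the same EC2 call as the CLI line above through an injected client, so the audit record for the Report Action reflects what was actually done. RecordingEC2Client is a constructed stand-in for boto3.client("ec2"); the quarantine group id is the one from the CLI example.

```python
"""Containment gate for the Security Hub webhook story (added example, not Tines code).
Parses the EventBridge payload, checks the finding points at an EC2 instance, applies
the severity gate and isolates the instance via the injected EC2 client."""
import json

ISOLATION_SG = "sg-00011122233344455"   # quarantine security group from the CLI example
CONTAIN_ON = {"High", "Critical"}       # ASFF Severity.Label values that trigger containment

# Constructed sample matching the Security Hub payload shown above
EVENT = json.loads('''{"detail-type": "Security Hub Findings - Imported", "source": "aws.securityhub",
 "detail": {"findings": [{"Title": "GuardDuty: EC2 instance communicating with known C2 server",
   "Severity": {"Label": "High"},
   "Resources": [{"Type": "AwsEc2Instance",
                  "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0a1b2c3d4e5f"}]}]}}''')

class RecordingEC2Client:
    """Offline stand-in for boto3.client("ec2"); records every call for assertions/audit."""
    def __init__(self):
        self.calls = []
    def modify_instance_attribute(self, **kwargs):
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}

def parse_resource_arn(arn):
    """Extract Action: split an EC2 ARN into region, account, resource type and id.
    Returns None for anything that is not an EC2 ARN so no wrong resource is touched."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "ec2":
        return None
    rtype, _, rid = parts[5].partition("/")
    return {"region": parts[3], "account": parts[4], "type": rtype, "id": rid}

def contain(event, ec2):
    """Decision + Containment actions; returns one audit record per finding resource."""
    if event.get("source") != "aws.securityhub":   # ignore anything else posted to the webhook
        return []
    records = []
    for finding in event["detail"]["findings"]:
        label = finding.get("Severity", {}).get("Label")
        for res in finding.get("Resources", []):
            arn = parse_resource_arn(res["Id"])
            rec = {"title": finding["Title"], "severity": label, "resource": res["Id"], "action": "none"}
            if arn and arn["type"] == "instance" and label in CONTAIN_ON:
                # Same call as: aws ec2 modify-instance-attribute --instance-id ... --groups ...
                ec2.modify_instance_attribute(InstanceId=arn["id"], Groups=[ISOLATION_SG])
                rec.update(action="isolated", instance_id=arn["id"])
            records.append(rec)
    return records
```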
    

    3. Correlating AWS and Elastic Findings

    A mature CSIRT environment often wants cross-correlation between cloud alerts and on-prem SIEM data.
    Tines can automatically bridge this gap.

    Workflow example:

    1. Receive AWS Security Hub finding.
    2. Extract related IPs or hostnames.
    3. Query Elastic Security for matching alerts from the same indicators.
    4. If matches are found → escalate to “priority incident” in Jira and Slack.
    5. Generate a summary report combining both AWS and Elastic evidence.

    Result:
    Cloud and on-prem data are correlated automatically, reducing analyst overhead and ensuring comprehensive visibility.
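    Steps 3 to 5 of this workflow in Python, added as an example (not Tines or Elastic code): it turns the indicators taken from an AWS finding into one Elastic Security bool query, then decides from the hits whether the combined evidence becomes a priority incident. The ECS field mapping is an assumption, and the Elastic response is a constructed sample standing in for the HTTP call.

```python
"""Correlation step for the AWS -> Elastic workflow (added example, not Tines code).
Builds the Elastic query for a finding's indicators and assembles the combined
evidence; ECS_FIELDS is an assumed mapping of indicator types to ECS fields."""

# Indicator type -> ECS fields an on-prem SIEM would carry them in (assumed mapping)
ECS_FIELDS = {
    "ip": ["source.ip", "destination.ip"],
    "hostname": ["host.name", "destination.domain"],
}

def correlation_query(indicators, window="now-24h"):
    """Step 3: one bool query matching any indicator in any mapped field inside the window.
    minimum_should_match=1 is what makes the should-clauses act as an OR filter."""
    should = [{"term": {field: value}}
              for itype, values in indicators.items()
              for field in ECS_FIELDS.get(itype, [])
              for value in values]
    return {"query": {"bool": {
        "filter": [{"range": {"@timestamp": {"gte": window}}}],
        "should": should,
        "minimum_should_match": 1}}}

def correlate(aws_finding, elastic_response):
    """Steps 4 and 5: escalate when Elastic returns matches and build the combined summary."""
    hits = elastic_response.get("hits", {}).get("hits", [])
    matched = sorted({h["_source"]["signal"]["rule"]["name"] for h in hits})
    return {
        "aws_title": aws_finding["Title"],
        "aws_severity": aws_finding["Severity"]["Label"],
        "elastic_matches": len(hits),
        "matched_rules": matched,
        "priority_incident": len(hits) > 0,   # step 4: any on-prem match escalates
    }

# Constructed samples: a Security Hub finding, its indicators, and an Elastic response
FINDING = {"Title": "GuardDuty: EC2 instance communicating with known C2 server",
           "Severity": {"Label": "High"}}
INDICATORS = {"ip": ["203.0.113.10"], "hostname": ["web-01"]}
ELASTIC_RESPONSE = {"hits": {"hits": [
    {"_id": "e1", "_source": {"signal": {"rule": {"name": "Outbound to known C2"}},
                              "source": {"ip": "203.0.113.10"}}},
]}}
```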


    4. Automation Examples for Python-Compatible Logic

    Even though Tines is low-code, you can incorporate Python-style conditional logic through the “Event Transformation” actions.

    Example pseudologic (in a Tines-style transformation field):

    {
      "priority": "{{if and (eq .aws_finding.Severity.Label 'High') (gt .virustotal_score 80)}}Critical{{else}}Normal{{end}}",
      "response_action": "{{if eq .priority 'Critical'}}Contain and escalate{{else}}Monitor{{end}}"
    }
    

    This enables dynamic decision-making similar to Python scripting but inside the visual workflow builder.


    5. Reporting and Metrics

    Tines integrates seamlessly with Elastic, allowing analysts to track automation metrics:

    • Number of findings processed
    • Average response time (MTTR)
    • Incidents auto-contained vs manual
    • Common enrichment sources

    Example Tines → Elastic dashboard fields:

    @timestamp
    workflow_name
    alert_source
    severity
    response_time_ms
    analyst_name
    containment_status
    

    These metrics support continuous improvement — one of the core responsibilities in the Senior CSIRT Analyst role.


    6. Benefits for the CSIRT Team

    • Reduces alert fatigue by filtering and enriching only actionable findings.
    • Automatically correlates Elastic and AWS alerts to give full context.
    • Ensures consistent response handling via pre-built stories.
    • Provides audit-ready evidence trails for compliance frameworks (ISO 27001, SOC 2).
    • Improves team efficiency by turning repetitive tasks into automated playbooks.

    Summary

    Tines integrates deeply with both Elastic Security and AWS Security Hub, empowering CSIRT analysts to move from reactive response to proactive orchestration.
    Its no-code structure means workflows can evolve quickly alongside threat detection logic, ensuring faster remediation, richer context, and better visibility across all layers of the environment.

  • Tines – Automating Detection and Response

    Tines for CSIRT Analysts – Automating Detection and Response in Hybrid Environments

    Bringing automation, speed and consistency to modern incident response.


    Overview

    In a modern CSIRT (Computer Security Incident Response Team), analysts handle a continuous stream of alerts across cloud, on-premise, and hybrid infrastructures.
    Manual triage, enrichment, and escalation consume time that could be spent hunting or improving detections.

    Tines solves this challenge by providing a low-code automation layer that connects directly to cloud APIs, SIEMs such as Elastic, Azure Sentinel, and AWS Security Hub, and security tooling including CrowdStrike, VirusTotal, and Slack.

    This page focuses on how a CSIRT analyst can operationalise Tines within a detection and response workflow — directly aligning with the core requirements of a Senior CSIRT Analyst role.


    Why Tines Matters for CSIRT Operations

    • Speed and consistency: Automates enrichment and containment tasks, reducing Mean Time To Respond (MTTR).
    • Multi-cloud integration: Natively connects to AWS, Azure, and on-prem systems through API authentication.
    • Elastic integration: Pull alerts or IOC data directly from Elastic Security, trigger automated playbooks, and push results back for correlation.
    • Transparency and auditability: Each workflow (“Story”) is visual, version-controlled, and easy to review during audits.
    • Scalability: Easily extends across multiple environments and tools without heavy infrastructure.

    Example Tines Stories for a CSIRT Analyst

    1. AWS GuardDuty Auto-Triage and Enrichment

    Trigger: GuardDuty event ingested via AWS Security Hub.
    Actions:

    1. Retrieve the event payload from Security Hub.
    2. Query the affected asset in CrowdStrike Falcon for hostname, user, and recent detections.
    3. Enrich indicators (IP, domain, hash) through VirusTotal and internal threat intel feeds.
    4. Determine severity based on enrichment results and MITRE ATT&CK mapping.
    5. If severity is high → isolate the EC2 instance or disable the IAM user.
    6. Create a Jira ticket and send a Slack summary to the on-call SOC channel.
    7. Log results in Elastic for further correlation and reporting.

    Outcome: Full enrichment and containment completed in seconds, with all actions documented automatically.


    2. Elastic SIEM Correlation and Case Creation

    Trigger: High-fidelity alert generated in Elastic Security.
    Actions:

    1. Query Elastic for associated events in the same session or user timeline.
    2. Cross-check asset reputation using Shodan, AbuseIPDB, and ThreatFox APIs.
    3. Post results to Slack with analyst reaction buttons (Mark Safe / Investigate Further).
    4. If “Investigate” is selected → automatically open a case in Jira and enrich with previous incidents.
    5. Generate a summary back into Elastic for tracking and metric dashboards.

    Outcome: Analysts spend less time switching tools, and investigations are instantly correlated.


    3. Kubernetes Security Alert Enrichment

    Trigger: Detection from container runtime or AWS EKS logs (via Elastic or CloudWatch).
    Actions:

    1. Parse pod metadata from the event.
    2. Retrieve image hash and check against Docker Hub or Trivy vulnerability scan.
    3. Enrich results using Elastic APM traces to identify the impacted microservice.
    4. Notify Slack with contextual data and rollback guidance.
    5. Create a ticket for DevSecOps follow-up if the issue relates to an outdated image.

    Outcome: Automated enrichment provides instant insight into container-level threats.


    4. Azure Sentinel Credential Misuse Workflow

    Trigger: Sentinel alert for suspicious sign-in or privilege escalation.
    Actions:

    1. Extract user ID and session IP from the alert.
    2. Validate location data against Azure AD sign-in logs.
    3. Enrich IP with MaxMind GeoIP and internal VPN IP lists.
    4. If IP is external and not on approved ranges, disable account in Azure AD and notify SecOps.
    5. Generate a response ticket with enrichment context.

    Integrations and API Examples

    Platform                 | Integration Purpose
    -------------------------|--------------------------------------------------------------------
    Elastic Security         | Pull high-severity detections via REST API; push back case updates.
    AWS Security Hub         | Receive GuardDuty and CloudTrail findings; automate enrichment.
    Azure Sentinel           | Correlate cloud-identity anomalies and escalate automatically.
    CrowdStrike Falcon       | Retrieve device, user, and detection history via Falcon API.
    VirusTotal / ThreatFox   | IOC enrichment and scoring.
    Slack / Teams            | Real-time notifications and analyst approvals.
    Jira / ServiceNow        | Automatic incident creation and ticket updates.

    Tines and Threat Hunting

    Beyond incident response, Tines can assist with threat-hunting automation.
    Analysts can schedule recurring queries against Elastic, AWS CloudTrail, or Azure Activity Logs, automatically collate results, and publish findings to Confluence or dashboards.
    This creates a repeatable, auditable hunt process — one of the key responsibilities of a senior CSIRT analyst.


    Aligning with the CSIRT Analyst Role

    For a Senior CSIRT Analyst, the goal isn’t just automation for its own sake — it’s about reducing friction between detection, enrichment, and response.
    Tines supports this by:

    • Turning Elastic or Security Hub alerts into structured response playbooks.
    • Allowing proactive hunt automation with Python-style logic through a visual interface.
    • Standardising evidence collection for IR reports.
    • Supporting collaboration with DevOps via Slack and ticketing integrations.
    • Reducing analyst fatigue by automating common triage and escalation steps.

    In Practice

    Even if you haven’t used Tines directly, experience with:

    • PowerShell and Bash scripting,
    • Splunk or Taegis playbooks, and
    • API-driven automation

    translates directly.
    These same principles — event-driven logic, enrichment, decision branching, and orchestration — are what Tines simplifies.


    Example Visual Flow

    A typical GuardDuty response story:
    AWS Security Hub → CrowdStrike → VirusTotal → Decision (Severity > 70?) → Contain IAM User → Notify Slack → Create Jira Ticket → Log in Elastic


    Conclusion

    Tines provides a scalable, auditable way to operationalise automation across the CSIRT environment.
    Whether enriching alerts from Elastic, correlating AWS findings, or orchestrating container response actions, it enables analysts to respond faster, collaborate better, and continuously improve the organisation’s defensive posture.