Building automated, cloud-aware detection and response workflows.
Contents
1. Connecting Tines with Elastic Security
Objective:
Automate ingestion and triage of high-severity alerts from Elastic Security, enrich them with external intelligence, and create incident tickets automatically.
Step 1 – API Authentication
Elastic Security exposes its alert (signal) search endpoint through the Kibana API; requests authenticate with basic auth or an API key, and ELASTIC_API_KEY in the call below is a placeholder for a real key.
Example API call to fetch new alerts:
curl -X POST "https://elastic.example.com/api/detection_engine/signals/search" \
  -H "kbn-xsrf: true" \
  -H "Authorization: ApiKey ELASTIC_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "bool": {
        "must": [
          { "match": { "signal.status": "open" } },
          { "range": { "@timestamp": { "gte": "now-15m" } } }
        ]
      }
    }
  }'
Step 2 – Build the Story in Tines
- Action 1: HTTP Request to Elastic API (fetch alerts).
- Action 2: For each alert, extract IPs, usernames, and file hashes.
- Action 3: Enrich these indicators using the VirusTotal API.
- Action 4: Query CrowdStrike Falcon API for host and user details.
- Action 5: Post the full context to a Slack channel for analyst visibility.
- Action 6: Create a Jira ticket if the VirusTotal reputation score ≥ 70.
- Action 7: Push an updated alert status back to Elastic via API.
Example Tines “Event Transformation” JSON snippet:
{
  "alert_id": "{{.response.hits.hits._id}}",
  "indicator_ip": "{{.response.hits.hits._source.signal.rule.ip}}",
  "virustotal_score": "{{.virustotal_response.data.attributes.reputation}}",
  "crowdstrike_host": "{{.falcon_response.resources[0].hostname}}",
  "status": "{{if gt .virustotal_score 70}}critical{{else}}review{{end}}"
}
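The Step 1 query, the Action 2 indicator extraction and the Action 6 ticket threshold, worked through in Python as an added example (not Tines code and not from the original post). The response layout and the VirusTotal scores are constructed; the threshold of 70 comes from Action 6.

```python
import re
from typing import Any

# Constructed sample of a Kibana /api/detection_engine/signals/search
# response; the field layout is illustrative, not a captured response.
SAMPLE_SIGNALS: dict[str, Any] = {"hits": {"hits": [
    {"_id": "sig-001", "_source": {
        "signal": {"status": "open"}, "source": {"ip": "203.0.113.45"},
        "user": {"name": "jdoe"}, "file": {"hash": {"sha256": "ab" * 32}}}},
    {"_id": "sig-002", "_source": {
        "signal": {"status": "open"}, "destination": {"ip": "198.51.100.7"},
        "user": {"name": "svc-backup"}}},
]}}

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # md5/sha1/sha256


def open_signals_query(window: str = "now-15m") -> dict[str, Any]:
    """Step 1: the request body from the curl call above, as a Python dict."""
    return {"query": {"bool": {"must": [
        {"match": {"signal.status": "open"}},
        {"range": {"@timestamp": {"gte": window}}},
    ]}}}


def extract_indicators(hit: dict[str, Any]) -> dict[str, Any]:
    """Action 2: pull IPs, usernames and file hashes out of one signal hit."""
    src = hit.get("_source", {})
    ips = {src[k]["ip"] for k in ("source", "destination") if "ip" in src.get(k, {})}
    users = {src["user"]["name"]} if "name" in src.get("user", {}) else set()
    hashes = {h for h in src.get("file", {}).get("hash", {}).values() if HASH_RE.match(h)}
    return {"alert_id": hit["_id"], "ips": sorted(ips), "users": sorted(users), "hashes": sorted(hashes)}


def triage_status(vt_reputation: int, threshold: int = 70) -> str:
    """Action 6: open a ticket once the enrichment score reaches the threshold (>= 70)."""
    return "critical" if vt_reputation >= threshold else "review"


def triage(response: dict[str, Any], reputation: dict[str, int]) -> list[dict[str, Any]]:
    """Extraction plus triage over a whole response. `reputation` maps each
    indicator to its VirusTotal score (assumed already fetched in Action 3);
    an alert takes the worst score among its own indicators."""
    out = []
    for hit in response["hits"]["hits"]:
        ind = extract_indicators(hit)
        score = max((reputation.get(i, 0) for i in ind["ips"] + ind["hashes"]), default=0)
        out.append({**ind, "virustotal_score": score, "status": triage_status(score)})
    return out
```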
2. Integrating AWS Security Hub for Cloud Incident Response
Objective:
Ingest findings from AWS Security Hub (GuardDuty, IAM, CloudTrail, EKS) and automatically enrich, contain, and escalate critical events.
Step 1 – Event Subscription
Tines can receive AWS findings via an SNS → HTTPS webhook subscription.
When a new finding is published in Security Hub, AWS sends a JSON event directly to your Tines “Receive Action” webhook.
Example AWS event payload:
{
  "detail-type": "Security Hub Findings - Imported",
  "source": "aws.securityhub",
  "detail": {
    "findings": [
      {
        "Title": "GuardDuty: EC2 instance communicating with known C2 server",
        "Severity": { "Label": "High" },
        "Resources": [
          { "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0a1b2c3d4e5f" }
        ],
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"
      }
    ]
  }
}
Step 2 – Automated Workflow in Tines
- Receive Action: Capture incoming AWS webhook payload.
- Extract Action: Parse the resource ARN to get the resource type and identifier (e.g. the EC2 instance ID).
- Query Action: Call AWS API (via signed request or IAM role) to fetch instance details.
- Decision Action: If severity is “High”, trigger the containment sequence.
- Containment Actions:
- Isolate the EC2 instance by replacing its security groups with a quarantine group.
- Disable the IAM role associated with the finding.
- Enrichment Action: Look up the C2 IP in VirusTotal and internal intel feeds.
- Notify Action: Post results to Slack, tag the on-call CSIRT engineer.
- Report Action: Log all actions and context into Elastic or S3 for audit.
Equivalent AWS CLI call for the isolation step (in Tines this is issued as a signed ModifyInstanceAttribute request from an HTTP Request Action):
aws ec2 modify-instance-attribute \
  --instance-id i-0a1b2c3d4e5f \
  --groups sg-00011122233344455
3. Correlating AWS and Elastic Findings
A mature CSIRT environment often wants cross-correlation between cloud alerts and on-prem SIEM data.
Tines can automatically bridge this gap.
Workflow example:
- Receive AWS Security Hub finding.
- Extract related IPs or hostnames.
- Query Elastic Security for matching alerts from the same indicators.
- If matches are found → escalate to “priority incident” in Jira and Slack.
- Generate a summary report combining both AWS and Elastic evidence.
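The correlation workflow above, worked through as an added Python example (not Tines code and not from the original post): build the Elastic query the HTTP action would send, then match a batch of alerts against the AWS indicators offline, decide on escalation and assemble the combined summary. Indicators and alerts are constructed.

```python
from typing import Any

# Constructed inputs: indicators taken from a Security Hub finding and a
# batch of open Elastic Security alerts (field layout illustrative).
AWS_INDICATORS = {"ips": ["203.0.113.45"], "hosts": ["i-0a1b2c3d4e5f"]}
ELASTIC_ALERTS: list[dict[str, Any]] = [
    {"_id": "sig-001", "_source": {"source": {"ip": "203.0.113.45"},
     "host": {"name": "web-01"}, "signal": {"rule": {"name": "Outbound to known C2"}}}},
    {"_id": "sig-007", "_source": {"destination": {"ip": "192.0.2.9"},
     "host": {"name": "db-02"}, "signal": {"rule": {"name": "Unusual DB login"}}}},
]


def elastic_match_query(ind: dict[str, list[str]]) -> dict[str, Any]:
    """Query the Tines HTTP action would send: any open signal that shares an
    IP or hostname with the AWS finding (should + minimum_should_match)."""
    should = [{"terms": {"source.ip": ind["ips"]}}, {"terms": {"destination.ip": ind["ips"]}},
              {"terms": {"host.name": ind["hosts"]}}]
    return {"query": {"bool": {"must": [{"match": {"signal.status": "open"}}],
                               "should": should, "minimum_should_match": 1}}}


def correlate(ind: dict[str, list[str]], alerts: list[dict[str, Any]]) -> dict[str, Any]:
    """Offline stand-in for running the query: match alerts against the AWS
    indicators, decide escalation and build the combined summary report."""
    matches = []
    for hit in alerts:
        src = hit["_source"]
        seen = {src.get(k, {}).get("ip") for k in ("source", "destination")} - {None}
        overlap = sorted(seen & set(ind["ips"]))
        host = src.get("host", {}).get("name")
        if overlap or host in ind["hosts"]:
            matches.append({"alert_id": hit["_id"], "rule": src["signal"]["rule"]["name"],
                            "matched_on": overlap or [host]})
    escalate = bool(matches)
    report = [f"AWS indicators: ips={ind['ips']} hosts={ind['hosts']}"] + [
        f"Elastic {m['alert_id']} ({m['rule']}) matched on {m['matched_on']}" for m in matches]
    return {"priority": "priority incident" if escalate else "standard",
            "matches": matches, "report": "\n".join(report)}
```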
Result:
Cloud and on-prem data are correlated automatically, reducing analyst overhead and ensuring comprehensive visibility.
4. Automation Examples for Python-Compatible Logic
Even though Tines is low-code, you can incorporate Python-style conditional logic through the “Event Transformation” actions.
Example pseudologic (in a Tines-style transformation field):
{
  "priority": "{{if and (eq .aws_finding.Severity.Label 'High') (gt .virustotal_score 80)}}Critical{{else}}Normal{{end}}",
  "response_action": "{{if eq .priority 'Critical'}}Contain and escalate{{else}}Monitor{{end}}"
}
This enables dynamic decision-making similar to Python scripting but inside the visual workflow builder.
5. Reporting and Metrics
Tines can write workflow events back to Elastic, allowing analysts to track automation metrics:
- Number of findings processed
- Average response time (MTTR)
- Incidents auto-contained vs manual
- Common enrichment sources
Example Tines → Elastic dashboard fields:
- @timestamp
- workflow_name
- alert_source
- severity
- response_time_ms
- analyst_name
- containment_status
These metrics support continuous improvement — one of the core responsibilities in the Senior CSIRT Analyst role.
6. Benefits for the CSIRT Team
- Reduces alert fatigue by filtering and enriching only actionable findings.
- Automatically correlates Elastic and AWS alerts to give full context.
- Ensures consistent response handling via pre-built stories.
- Provides audit-ready evidence trails for compliance frameworks (ISO 27001, SOC 2).
- Improves team efficiency by turning repetitive tasks into automated playbooks.
Summary
Tines integrates deeply with both Elastic Security and AWS Security Hub, empowering CSIRT analysts to move from reactive response to proactive orchestration.
Its no-code structure means workflows can evolve quickly alongside threat detection logic, ensuring faster remediation, richer context, and better visibility across all layers of the environment.