Run by the team at workflow orchestration and AI platform Tines, the Tines library features over 1,000 pre-built workflows shared by security practitioners from across the community – all free to import and deploy through the platform’s Community Edition.
The workflow we are highlighting streamlines security alert handling by automatically identifying and executing the appropriate Standard Operating Procedures (SOPs) from Confluence. When an alert triggers, AI agents analyze it, locate relevant SOPs, and perform required remediation steps – all while keeping the on-call team informed via Slack.
It was created by Michael Tolan, Security Researcher L2 at Tines, and Peter Wrenn, Senior Solutions Engineer at Tines.
In this guide, we’ll share an overview of the workflow, plus step-by-step instructions for getting it up and running.
The problem – manual alert triage and SOP execution
For security teams, responding to alerts efficiently requires quickly identifying the threat type, locating the appropriate SOP, and executing the required remediation steps.
From a workflow perspective, teams often have to:
- Manually analyze incoming security alerts
- Search through Confluence for relevant SOPs
- Document findings and actions in case management systems
- Execute multiple remediation steps across different security tools
- Update the case management system again after the fact
- Notify stakeholders about incidents and actions taken
This manual process is time-consuming, prone to human error, and can lead to inconsistent handling of similar alerts.
The solution – AI-powered alert triage with automated SOP execution
This prebuilt workflow automates the entire alert triage process by leveraging AI agents and Confluence SOPs. The workflow helps security teams respond faster and more consistently by:
- Using AI to analyze and classify incoming alerts
- Automatically locating relevant SOPs in Confluence
- Creating structured case records for tracking
- Deploying a second AI agent (subagent) to execute remediation steps
- Documenting all actions and notifying the on-call team via Slack
The result is a streamlined response to security alerts that ensures consistent handling according to established procedures.
Key benefits of this workflow
- Reduced mean time to remediation (MTTR)
- Consistent application of security procedures
- Comprehensive documentation of all actions taken
- Reduced analyst fatigue from repetitive tasks
- Improved visibility through automated notifications
Workflow overview
Tools used:
- Tines – workflow orchestration and AI platform (free Community Edition available)
- Confluence – knowledge management platform for SOPs
This specific workflow also uses the following pieces of software. However, you can use whatever enrichment/remediation tools currently existing within your technology stack alongside Tines and Confluence.
- CrowdStrike – threat intelligence and EDR platform
- AbuseIPDB – IP reputation database
- EmailRep – email reputation service
- Okta – identity and access management
- Slack – team collaboration platform
- Tavily – AI research tool
- URLScan.io – URL analysis service
- VirusTotal – file and URL scanning service
How it works
Part 1: Alert Ingestion and Analysis
- Receive security alert from integrated security tools
- AI agent analyzes the alert to determine type and severity
- System searches Confluence for relevant SOPs based on alert classification
- Create a case record with alert details and identified SOP
Part 2: Remediation and Documentation
- Second AI agent reviews the case and SOP instructions
- AI agent orchestrates remediation actions across appropriate security tools
- All actions are documented in the case history
- Slack notification is sent to the on-call team with alert details and actions taken
Configuring the workflow – step-by-step guide
1. Log into Tines or create a new account.
2. Navigate to the pre-built workflow in the library. Select import.
3. Set up your credentials
You’ll need credentials for all the tools used in this workflow. You can add or remove whatever tools you wish to suit your environment.
- Confluence
- CrowdStrike
- AbuseIPDB
- EmailRep
- Okta
- Slack
- Tavily
- URLScan.io
- VirusTotal
From the credentials page, select New credential, scroll down to the relevant credential and complete the required fields. Follow the credential guides at explained.tines.com if you need help.
4. Configure your actions.
Set your environment variables. In this particular workflow, that specifically requires setting the Slack channel for notifications (hardcoded to #alerts by default, but can be adjusted in the Slack action).
5. Customize the AI prompts
The workflow includes two key AI agents:
- Alert Analysis Agent: Customize the prompt to help identify alert types
- Remediation Agent: Customize the prompt to guide remediation actions
6. Test the workflow.
Create a test alert to verify:
- Alert is properly classified
- Correct SOP is retrieved from Confluence
- Case is created with appropriate details
- Remediation steps are executed
- Slack notification is sent
7. Publish and operationalize
Once tested, publish the workflow and integrate with your security tools to begin receiving live alerts.
If you’d like to test this workflow, you can sign up for a free Tines account.
