Managed by the team behind Tines, the workflow orchestration, AI and automation platform, the Tines library contains pre-built workflows used by real security professionals from across the community, all of which are free to import and deploy via the platform's Community Edition.
Their twice-yearly “You Did What with Tines?!” competition highlights some of the most interesting workflows submitted by their users, many of which demonstrate the practical application of large language models (LLMs) to solve complex problems in security operations.
One recent winner is a workflow designed to automate CrowdStrike RFM reports. Developed by Tom Power, a security analyst at the University of British Columbia, it uses orchestration, artificial intelligence and automation to reduce the time spent creating reports manually.
Here, we’ll share an overview of the workflow as well as a step-by-step guide to getting it up and running.
The problem: time-consuming reporting
Workflow designer Tom Power explains: “The CrowdStrike Falcon sensor goes into Limited Functionality Mode (RFM), usually because the operating system (OS) or kernel version is too old or too new for the sensor to support it in kernel mode. Each week, SecOps would log into the Falcon console and filter the host management console for endpoints in RFM for the past week. We would create a report and upload it.”
This process provided important data to identify kernel updates that trigger RFM, especially for Linux endpoints. However, the team was required to manually check if CrowdStrike had released a new version of the sensor compatible with the latest kernel updates.
“The whole process took about 30 minutes each week,” adds Tom. “Over the course of the year, this added over 25 hours of time that we could have spent on other cybersecurity priorities.”
The solution: automated RFM reporting with AI
Tom’s workflow automates Falcon sensor RFM tracking and reporting across hosts. Using Tines’ AI-driven automatic mode, it generates custom code to simplify report creation. The workflow not only generates regular, consistent reports, but also allows management to track trends in RFM occurrences, supporting proactive system health management and faster decision-making.
The automated workflow eliminates the need for manual reporting by allowing analysts to submit requests through a simple web form. Within minutes, the workflow extracts the data, processes it, and sends an actionable report via email with detailed information and a CSV attachment.
Example output:
Here’s a sample of the auto-generated email and report the team received:
Here are some key benefits of using this workflow:
- Frees analysts to focus on high-priority cybersecurity tasks.
- Reduces manual effort and the potential for human error.
- Provides consistent, reliable reporting to improve productivity.
- Improves decision-making by providing real-time information.
- Boosts morale by removing a tedious and repetitive task.
Workflow overview
Tools used:
- Tines is a workflow orchestration, AI and automation platform popular among security teams. If you don’t have a paid account, you can use the free edition of Tines to get this workflow up and running. AI must be enabled on your tenant.
- CrowdStrike is an endpoint detection and response (EDR) platform. This workflow integrates with the CrowdStrike Falcon API to retrieve data on endpoints in Reduced Functionality Mode (RFM). While Falcon provides robust endpoint visibility, it lacks native automation for periodic RFM reporting.
The workflow starts when a web form is submitted, which kicks off the CrowdStrike RFM reporting process.
The first action retrieves a list of device IDs from the CrowdStrike Falcon API. If the list is larger than what CrowdStrike returns in the first batch, multiple calls are made to paginate the entire list.
After receiving all device details, the workflow merges them into a single resource. This resource is the basis for the analysis where the number of Linux, Windows and Mac hosts is calculated and added to the data.
Using the consolidated resource, the workflow creates an HTML pivot table to present the data in a structured format. This table is then converted to a CSV file, making it suitable for reporting.
The CSV report is emailed to stakeholders for review. To maintain efficiency and data hygiene, the workflow flushes the temporary resource after sending the email, ensuring it is ready for the next cycle.
By automating these steps, the workflow eliminates manual effort, reduces the risk of error, and provides consistent, up-to-date reporting of limited-functionality devices across the entire environment.
Workflow setup – step-by-step guide
- Log in to Tines or create a new account.
- Make sure AI is enabled on your tenant. To do this, you need to be the owner of the tenant. Select the Account Settings drop-down menu in the upper left corner of the screen and check the box to enable AI.
- Create your CrowdStrike credentials. On the Credentials page, select New Credentials, scroll down to CrowdStrike Credentials, and fill in the required fields.
- Go to the pre-built workflow in the library.
- Select import. This will take you straight to your new pre-built workflow.
- Customize your actions. For example, you can edit the layout of the Tines page that starts the workflow.
- Check the workflow. Submit an image through the form to test your workflow.
- Publish your workflow and share the page URL with the right users.
Integration with other automation platforms
You can use another no-code automation platform to create a similar service, although it’s worth noting that some features of this workflow are unique to Tines:
- Pages: This workflow starts when a form is submitted on a web page. The form is built using Tines’ Pages feature.
  - Alternative: Use a scheduled trigger to start a workflow.
- Event transformation in automatic mode: This feature uses artificial intelligence at build time to generate Python code based on the instructions and input provided by the builder. After you save the changes, the code is locked in place. This means that when an action runs, only the code is executed and no artificial intelligence is involved.
  - Alternative: Write Python code by hand to transform your data.
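The data-handling steps from the workflow overview (paginate, merge, count hosts per platform, pivot, export CSV), written by hand in Python as the alternative above suggests. This is an added example, not the workflow's generated code; the record field names, `sample_page` and the sample hosts are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample records; field names are assumptions modelled on Falcon
# host details, so map them to what your API responses actually contain.
SAMPLE_HOSTS = [
    {"device_id": "a1", "platform_name": "Linux", "kernel_version": "6.8.0-45-generic"},
    {"device_id": "a2", "platform_name": "Linux", "kernel_version": "6.8.0-45-generic"},
    {"device_id": "a3", "platform_name": "Linux", "kernel_version": "5.15.0-122-generic"},
    {"device_id": "a4", "platform_name": "Windows", "kernel_version": "10.0.26100"},
    {"device_id": "a5", "platform_name": "Mac"},  # kernel field missing on purpose
]


def sample_page(offset, limit):
    """Stand-in for one paginated API call: returns (records, total)."""
    return SAMPLE_HOSTS[offset:offset + limit], len(SAMPLE_HOSTS)


def fetch_all(fetch_page, limit=2):
    """Follow offset pagination until every host is collected."""
    hosts, offset = {}, 0
    while True:
        records, total = fetch_page(offset, limit)
        for rec in records:
            hosts[rec["device_id"]] = rec  # de-duplicate overlapping pages
        offset += len(records)
        if not records or offset >= total:
            return list(hosts.values())


def build_report(hosts):
    """Return (per-platform counts, CSV text pivoted by platform and kernel)."""
    def key(h):
        return (h.get("platform_name") or "Unknown", h.get("kernel_version") or "Unknown")
    by_platform = Counter(key(h)[0] for h in hosts)
    pivot = Counter(key(h) for h in hosts)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["platform", "kernel_version", "hosts_in_rfm"])
    # Largest groups first, so the kernel behind most RFM hosts is on top.
    for (platform, kernel), n in sorted(pivot.items(), key=lambda kv: (-kv[1], kv[0])):
        writer.writerow([platform, kernel, n])
    return dict(by_platform), buf.getvalue()
```

Stopping on the reported total rather than after the first page matters here: a truncated host list silently under-reports endpoints running without full sensor coverage.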
If you want to explore AI in Tines yourself or try out this workflow, you can sign up for a free account that includes AI functionality.