Run by the team at orchestration, AI, and automation platform Tines, the Tines library contains pre-built workflows shared by real security practitioners from across the community, all of which are free to import and deploy via the Community Edition of the platform.
Their bi-annual “You Did What with Tines?!” competition highlights some of the most interesting workflows submitted by their users, many of which demonstrate practical applications of large language models (LLMs) to address complex challenges in security operations.
One recent winner is a workflow designed to automate CrowdStrike RFM reporting. Developed by Tom Power, a security analyst at The University of British Columbia, it uses orchestration, AI and automation to reduce the time spent on manual reporting.
Here, we’ll share an overview of the workflow, plus a step-by-step guide for getting it up and running.
The problem – time-consuming reporting
The workflow’s builder, Tom Power, explains, “The CrowdStrike Falcon sensor goes into Reduced Functionality Mode (RFM), usually because the operating system (OS) or kernel version is too old or too new for the sensor to support in kernel mode. Every week, SecOps would log into the Falcon console, and filter the host management console for endpoints in RFM for the last week. We would generate the report and download it.”
This process provided critical data for identifying kernel updates causing RFM, particularly for Linux endpoints. However, it required the team to manually check whether CrowdStrike had released a new sensor version compatible with the latest kernel updates.
“The entire process took about 30 minutes each week,” Tom adds. “Over the course of a year, that added up to more than 25 hours of time we could have spent on other cybersecurity priorities.”
The solution – automated RFM reporting with AI
Tom’s workflow automates the tracking and reporting of Falcon Sensor RFM across hosts. By leveraging Tines’ AI-driven Automatic Mode, it generates custom code to streamline report creation. The workflow not only produces regular, consistent reports but also enables management to monitor trends in RFM occurrences, supporting proactive system health management and faster decision-making.
The automated workflow eliminates the need for manual reporting by allowing analysts to submit requests via a simple web form. Within minutes, the workflow retrieves data, processes it, and delivers an actionable email report, complete with detailed insights and a CSV attachment.
Example output:
Here’s a sample of the auto-generated email and report received by the team:
Here are some of the key benefits of using this workflow:
- Frees analysts to focus on high-priority cybersecurity tasks.
- Reduces manual effort and the potential for human error.
- Delivers consistent, reliable reports for improved productivity.
- Enhances decision-making by providing real-time insights.
- Boosts morale by removing a tedious and repetitive task.
Workflow overview
Tools used:
- Tines – a workflow orchestration, AI and automation platform that’s popular with security teams. It’s possible to use the free Community Edition of Tines to build and run this workflow if you don’t have a paid account. AI must be enabled on your tenant.
- CrowdStrike – endpoint detection and response (EDR) platform. This workflow integrates with CrowdStrike Falcon’s API to retrieve data about endpoints in Reduced Functionality Mode (RFM). While Falcon provides robust endpoint visibility, it lacks native automation for recurring RFM reports.
The workflow is initiated when a web form is submitted, triggering the process to generate CrowdStrike RFM reports.
The first action retrieves a list of device IDs from CrowdStrike Falcon’s API. If the list is larger than what CrowdStrike returns in the first batch, multiple calls are made to paginate through the full list.
Once all the device details are retrieved, the workflow consolidates them into a single resource. This resource acts as the foundation for analysis, where the number of Linux, Windows, and Mac hosts is calculated and appended to the data.
Using the consolidated resource, the workflow generates an HTML summary table to present the data in a structured format. This table is then converted into a CSV file, making it suitable for reporting purposes.
The CSV report is emailed to stakeholders for review. To maintain efficiency and data hygiene, the workflow purges the temporary resource after the email is sent, ensuring it is ready for the next cycle.
By automating these steps, the workflow eliminates manual effort, reduces the risk of errors, and provides consistent, up-to-date reporting on devices in reduced functionality mode across the environment.
Configuring the workflow – step-by-step guide
- Log into Tines or create a new account.
- Ensure AI is enabled on your tenant. For this, you need to be the tenant owner. Select the account settings drop-down in the top left of your screen, and check the box to turn AI on.
- Create your CrowdStrike credential. From the credentials page, select New credential, scroll down to the CrowdStrike credential and complete the required fields.
- Navigate to the pre-built workflow in the library.
- Select import. This should take you straight to your new pre-built workflow.
- Configure your actions. For example, you may like to edit the layout of the Tines page that kicks off the workflow.
- Test the workflow. Submit an image via the form to test your workflow.
- Publish your workflow and share the Page URL with your desired users.
Building in other automation platforms
You could use another no-code automation platform to build a similar service, although it’s worth noting that some of the features in this workflow are unique to Tines:
- Pages: This workflow is kicked off by a submission to a form on a web page. This is built using Tines’ Pages feature.
- Alternative: Use a scheduled trigger to kick off the workflow.
- Event Transform in Automatic Mode: This feature uses build-time AI to compose Python code based on the guidance and the input the builder provides. Once you save your changes, the code is locked in place. This means that when the action runs, only the code executes, and no AI is involved.
- Alternative: Write Python code manually to transform your data.
If you’d like to explore AI in Tines for yourself or test out this workflow, you can sign up for a free account including AI functionality.