• Technology

    How To Automate Alert Triage With AI Agents and Confluence SOPs Using Tines

    AnyFans Posted on

    How To Automate Alert Triage With AI Agents and Confluence SOPs Using Tines

    Run by the team at workflow orchestration and AI platform Tines, the Tines library features over 1,000 pre-built workflows shared by security practitioners from across the community – all free to import and deploy through the platform’s Community Edition.
    The workflow we are highlighting streamlines security alert handling by automatically identifying and executing the appropriate Standard Operating Procedures (SOPs) from Confluence. When an alert triggers, AI agents analyze it, locate relevant SOPs, and perform required remediation steps – all while keeping the on-call team informed via Slack.
    It was created by Michael Tolan, Security Researcher L2 at Tines, and Peter Wrenn, Senior Solutions Engineer at Tines.
    In this guide, we’ll share an overview of the workflow, plus step-by-step instructions for getting it up and running.
    The problem – manual alert triage and SOP execution
    For security teams, responding to alerts efficiently requires quickly identifying the threat type, locating the appropriate SOP, and executing the required remediation steps.
    From a workflow perspective, teams often have to:
    Manually analyze incoming security alerts
    Search through Confluence for relevant SOPs
    Document findings and actions in case management systems
    Execute multiple remediation steps across different security tools
    Update the case management system again after the fact
    Notify stakeholders about incidents and actions taken
    This manual process is time-consuming, prone to human error, and can lead to inconsistent handling of similar alerts.
    The solution – AI-powered alert triage with automated SOP execution
    This prebuilt workflow automates the entire alert triage process by leveraging AI agents and Confluence SOPs. The workflow helps security teams respond faster and more consistently by:
    Using AI to analyze and classify incoming alerts
    Automatically locating relevant SOPs in Confluence
    Creating structured case records for tracking
    Deploying a second AI agent (subagent) to execute remediation steps
    Documenting all actions and notifying the on-call team via Slack
    The result is a streamlined response to security alerts that ensures consistent handling according to established procedures.
    Key benefits of this workflow
    Reduced mean time to remediation (MTTR)
    Consistent application of security procedures
    Comprehensive documentation of all actions taken
    Reduced analyst fatigue from repetitive tasks
    Improved visibility through automated notifications
    Workflow overview
    Tools used:
    Tines – workflow orchestration and AI platform (free Community Edition available)
    Confluence – knowledge management platform for SOPs
    This specific workflow also uses the following pieces of software. However, you can use whatever enrichment/remediation tools currently existing within your technology stack alongside Tines and Confluence.
    CrowdStrike – threat intelligence and EDR platform
    AbuseIPDB – IP reputation database
    EmailRep – email reputation service
    Okta – identity and access management
    Slack – team collaboration platform
    Tavily – AI research tool
    URLScan.io – URL analysis service
    VirusTotal – file and URL scanning service
    How it works
    Part 1: Alert Ingestion and Analysis
    Receive security alert from integrated security tools
    AI agent analyzes the alert to determine type and severity
    System searches Confluence for relevant SOPs based on alert classification
    Create a case record with alert details and identified SOP
    Part 2: Remediation and Documentation
    Second AI agent reviews the case and SOP instructions
    AI agent orchestrates remediation actions across appropriate security tools
    All actions are documented in the case history
    Slack notification is sent to the on-call team with alert details and actions taken
    Configuring the workflow – step-by-step guide
    1. Log into Tines or create a new account.
    2. Navigate to the pre-built workflow in the library. Select import.
    3. Set up your credentials
    You’ll need credentials for all the tools used in this workflow. You can add or remove whatever tools you wish to suit your environment.
    Confluence
    CrowdStrike
    AbuseIPDB
    EmailRep
    Okta
    Slack
    Tavily
    URLScan.io
    VirusTotal
    From the credentials page, select New credential, scroll down to the relevant credential and complete the required fields. Follow the credential guides at explained.tines.com if you need help.
    4. Configure your actions.
    Set your environment variables. In this particular workflow, that specifically requires setting the Slack channel for notifications (hardcoded to #alerts by default, but can be adjusted in the Slack action).
    5. Customize the AI prompts
    The workflow includes two key AI agents:
    Alert Analysis Agent: Customize the prompt to help identify alert types
    Remediation Agent: Customize the prompt to guide remediation actions
    6. Test the workflow.
    Create a test alert to verify:
    Alert is properly classified
    Correct SOP is retrieved from Confluence
    Case is created with appropriate details
    Remediation steps are executed
    Slack notification is sent
    7. Publish and operationalize
    Once tested, publish the workflow and integrate with your security tools to begin receiving live alerts.
    If you’d like to test this workflow, you can sign up for a free Tines account.

    You Might Also Like