Full Report
Run by the team at workflow orchestration and AI platform Tines, the Tines library features over 1,000 pre-built workflows shared by security practitioners from across the community - all free to import and deploy through the platform’s Community Edition. A recent standout is a workflow that handles malware alerts with CrowdStrike, Oomnitza, GitHub, and PagerDuty. Developed by Lucas Cantor at
Analysis Summary
# Tool/Technique: Malware Alert Triage Automation Workflow
## Overview
A pre-built workflow distributed via the Tines library designed to automate the response, triage, and escalation process for security alerts, particularly those originating from malware detections in CrowdStrike. Its primary purpose is to reduce manual effort, decrease alert noise, and accelerate response times by automating communication and ticket creation.
## Technical Details
- Type: Framework/Workflow (Automation)
- Platform: Cloud/Server-based workflow orchestration (Tines) interacting with various security and collaboration tools.
- Capabilities: Automated detection monitoring, device owner identification, ticket creation (GitHub), notification (Slack), and critical escalation (PagerDuty).
- First Seen: Mentioned in an article dated July 09, 2025.
## MITRE ATT&CK Mapping
This workflow primarily focuses on defensive actions and operational efficiency, mapping to defensive tactics:
- **TA0005 - Defense Evasion**
- T1562.001 - Impair Defenses: Disable or Modify Tools (N/A - Workflow is defensive)
- **TA0004 - Privilege Escalation** (N/A - Workflow is defensive)
- **TA0003 - Persistence** (N/A - Workflow is defensive)
- **TA0002 - Execution** (N/A - Workflow is defensive)
- **TA0011 - Command and Control** (N/A - Workflow is defensive)
*Note: The analyzed content describes a **defensive** automation workflow, designed to manage alerts generated by malware (T1070, T1059, etc.). It directly maps to **Automation** (T1591, T1484 for defensive automation), though a direct public technique mapping might focus on the steps taken to manage the alert itself.*
## Functionality
### Core Capabilities
- **Detection Ingestion:** Receives new security alerts from CrowdStrike.
- **Asset Enrichment:** Looks up device details and identifies the device owner via Oomnitza.
- **Ticket Creation:** Automatically creates a ticket/issue in GitHub corresponding to the alert.
- **Initial Notification:** Sends an initial message via Slack to document the alert.
- **Triage and Escalation Logic:** Applies severity mapping (e.g., CrowdStrike severity to GitHub priority) to determine the required action.
### Advanced Features
- **Owner Interaction Loop:** If the alert is low priority, it prompts the device owner via Slack for confirmation or escalation.
- **Context Enrichment:** Enriches the GitHub issue based on the user's response from Slack.
- **Critical Escalation:** Automatically creates a PagerDuty Event to notify on-call analysts for high-priority or user-escalated issues.
## Indicators of Compromise
(This workflow deals with the *alerts* produced by threats, not the threat itself. Therefore, no direct IoCs for malware are provided. The indicators focus on the integration endpoints required to run the workflow.)
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Requires configuration access to the following services (Defanged):
- `api.crowdstrike.com` (or similar endpoint)
- `api.github.com`
- `api.pagerduty.com`
- Slack Webhooks/API endpoints.
- Behavioral Indicators: Automated creation of issues in GitHub; automated event creation in PagerDuty triggered by CrowdStrike webhooks.
## Associated Threat Actors
- Security Operations Teams and practitioners leveraging the Tines platform for security automation. (No malicious threat actors are associated with this defensive tool.)
## Detection Methods
This section focuses on detecting configurations or misuse of the *tools* involved, rather than the workflow itself acting maliciously.
- Signature-based detection: Signature checks on the Tines workflow definition files (if available for inspection).
- Behavioral detection: Monitoring for unusual patterns of ticketing volume, automated PagerDuty escalations unrelated to known incident processes, or unauthorized setup of API keys for integrated tools.
- YARA rules: N/A (Not applicable to workflow configuration).
## Mitigation Strategies
- **Principle of Least Privilege:** Ensure the API keys (credentials) configured in Tines for CrowdStrike, GitHub, Oomnitza, PagerDuty, and Slack only have the minimum necessary permissions to execute the required automation steps.
- **Audit and Review:** Regularly review the Tines library imports and configuration settings, especially environment variables like severity mapping and channel webhooks.
- **Tool Security:** Ensure all integrated platforms (CrowdStrike, PagerDuty, etc.) are appropriately secured and monitored for API key usage.
## Related Tools/Techniques
- Tines (Workflow Orchestration Platform)
- CrowdStrike (EDR/Alert Source)
- Oomnitza (Asset Management Integration)
- GitHub (Ticketing/Issue Tracking)
- PagerDuty (Incident Management/On-call alerting)
- Slack (Communication/Workflow Interaction)