Announcing the Tines Storyboard

November 14, 2019 in Announcements, Blog

Continuing our Autumn 2019 feature spotlight, we’re excited to reveal what we consider to be the most significant update to the Tines security automation platform yet: the storyboard.

Since our first release, a core feature of Tines has been the automatically generated diagrams, which visually represented how agents in an automation story were connected. Before the storyboard, a typical Tines diagram looked something like this.

The diagram was effective; however, it had a number of opportunities for improvement:

  • It was not interactive
  • Building stories meant flipping between an agent config and the diagram
  • Viewing an agent’s config meant leaving the diagram view
  • It was hard to tell agent types apart
  • You couldn’t customize the layout
  • The badges on agents showing counts of emitted events required a page refresh for updates

The Tines storyboard

With the Tines Autumn 2019 release, the storyboard replaces the diagram. It takes the best parts and adds many more capabilities.

The storyboard makes building automation stories easier and faster – up to five times faster according to our benchmarks.

The new Tines storyboard

Creating new agents

With the storyboard, we can drag agents of any type from the library and drop them onto the storyboard.

Defining sources and receivers

Previously, defining an agent’s sources and receivers meant editing the agent’s options and choosing the source or receiver from a list. With the storyboard, it’s as simple as dragging a string from the source agent to the receiver.

Using templates

From the library panel on the left hand side of the storyboard, we can search for agent templates, both public and private, and drag them onto the storyboard.

Using templates with the Tines storyboard

Storyboard agent properties

The right hand side of the storyboard contains the agent properties panel. When an agent is selected, the properties panel displays its common config and an editable options block.

Tines storyboard properties panel

To hear more about the storyboard and how it’s making it easier for security teams to automate their manual tasks, contact us or start your own free trial.

Introducing ‘Send to Story’

November 13, 2019 in Announcements, Blog

Teams regularly need to perform a task or a set of tasks in multiple different automation stories. For example, a threat intelligence story and a phishing response story may use the same procedure to analyse a URL; similarly a user de-provision story and a vulnerability management story may require you to find and then relate tickets in Jira based on a search term. Tines can now help you solve this problem once and for all!

Continuing our deep-dive into new features included in the Tines Autumn 2019 release, we’re proud to detail information about our latest feature, ‘Send to Story’.

Rather than creating the same set of agents in multiple stories (thus violating the DRY principle), Send to Story allows users to create “sub-stories” to which events can be sent from other stories. When the sub-story receives an event, it performs its action and, when finished, emits an event from the sending agent.

Sub-stories

Sub-stories work exactly the same as normal Tines stories; the only difference is that a sub-story has an Entry agent and an Exit agent. The entry agent must be a webhook type agent. The exit agent must be a message-only mode event transformation agent.

Enabling a story for send to story (creating a sub-story)

From a storyboard, when no agents are selected, in the properties panel there is a checkbox to enable a story for send to story. When this checkbox is clicked, you’ll be asked to specify entry and exit agents. A sub-story can only have one entry and one exit agent.

Enable sub-story from storyboard
Configure send to story

Entry agent

When a Send to Story agent sends an event to a sub-story, the entry agent will emit an event to its receiver agents. Entry agents must be of type Webhook.

Exit Agent

The Exit agent is the last agent in a sub-story and must be a message-only mode event transformation agent. The content specified in the Exit agent will be emitted by the agent that originally sent the event to the sub-story.

Sending to a Sub-Story

When you need to send data to a sub-story, you should use a Send to Story Agent with the story widget. For example, say we have a sub-story called Substory; we would send events to this sub-story with a Send to Story Agent:

You can create a new Send to Story agent by dragging an Empty agent from the agent library panel.

The entry agent in Substory will then emit an event similar to the below:

When this event has run down the story, the Exit agent will emit an event, and the calling Send to Story agent will also emit an event that matches the exit agent’s configuration.

For example, let’s say the HTTP Request Agent above was named “Analyse URL” and we have the following exit agent defined in Substory:

When the sub-story is complete Analyse URL will emit an event similar to the below:

Demo Story

To illustrate this further, you can download a sample story, ‘analyze URL in urlscan’ here.

(Note, to import and run this story you’ll need to create a credential, urlscan_io, using an API Key from urlscan.io.)

This story is designed to submit URLs to urlscan for analysis. It will then wait for 30 seconds while urlscan processes the results, and, when complete, return the verdict.

This ‘analyze URL in urlscan’ process can now be called from any other Tines story to analyze URLs using a Send to Story Agent. You can also run the agent from within the sub-story itself and hardcode a URL to analyze. This way you can just click “Run” and shortly after Tines will return with the results of the URL analysis.

Send to Story Ideas

Other repeatable processes our customers have automated include:

  • Analyze an IP Address, Domain or Email Address
  • Search a SIEM for visits to a Domain
  • Lock a User’s Account
  • Update a JIRA Ticket
  • Analyze a Suspicious File in a Sandbox
  • Find and Relate Tickets in a Case Management System
  • Find and Send a User an Instant Message

To learn more about how “Send to Story” or any of our features can help your automation journey, book a demo, start a free trial, or you can contact us here or by emailing hello@tines.io. 

Introducing ‘Implode’

November 12, 2019 in Announcements, Blog

Continuing our deep-dive into new features included in the Tines Autumn 2019 release, we’re proud to detail information about our latest feature ‘Implode’.

If you asked us how to analyze all URLs and attachments from an email as one, how to process requests in batches, or how best to process time-intensive tasks in parallel, then this feature is for you! Does this email contain a bad link or attachment? Are any of these IPs malicious? Are any of these users VIPs? Have all these vulnerabilities been patched? Have we removed all accounts for this user? With “Implode” you can now collapse previously exploded arrays, after processing and analyzing all elements, allowing you to make complex decisions more easily.

In this blog we will explore how to use the new ‘Implode’ feature to analyze multiple elements from a single event. We’ll also examine how to process tasks in parallel and only emit an event when all paths finish processing.

Exploding Arrays

A popular feature in Tines is the “Explode” mode of the Event Transformation Agent which “explodes” arrays into individual elements. Tines can then perform actions on each element of the array. Common use cases for exploding arrays include extracting, exploding and then analyzing URLs in an email; processing an array of users to onboard/offboard; exploding antivirus alerts or vulnerability scan alerts to analyze each alert individually etc.

The new Tines “Implode” feature is the opposite of Explode. Implode allows users to take a collection of events that have been “exploded” and collapse them back together. For example, when Tines has completed analyzing every URL in an email, Tines can implode the analysis and check if all, any, or none are malicious; Tines can process all offboarding requests in a batch and return a status when all users have been offboarded successfully; Tines can analyze all results related to an individual endpoint before closing a ticket.

Correlation IDs

In order to track and then implode events, Tines generates a guid every time an array explodes, along with an index number and a size parameter for the exploded array. This guid acts as a unique correlation ID to implode events related to the same source event. Let’s illustrate this with an example.

Apple Suspicious Websites Example

a simple story illustrating implode and explode

To demonstrate how to Implode an Exploded array we’ll create an example that pulls Apple branded suspicious websites from urlscan. These websites will be analyzed in urlscan, and then Tines will Implode the analysis. Tines can then generate a result on whether any, all or none of the scans are malicious.

(Note, to import and run this story you’ll need to create a credential, urlscan_io, using an API Key from urlscan.io.)

The first agent simply retrieves a list of scans from the last 24 hours using a potentially malicious md5 hash. Urlscan returns an array of scan objects, which the next agent, ‘explode scans’ explodes into multiple ‘individual_scan’ events. You can see in an example event, outputted below, that each exploded scan now includes a ‘guid’, ‘index’ and ‘size’.

We can now use another agent in Tines to retrieve the analysis for every individual scan in the array. Each result retrieved has a flag for whether the scan is classified malicious: ‘true’ or ‘false’.

Once we retrieve the results of each individual scan, we can implode the events to see if any, all, or none of these scans are malicious.

Implode Mode

To implode, we simply use another event transformation agent, this time in ‘Implode’ mode. The guid path and size path are simply paths to the values from the explode_scans agent:

implode mode of an event transformation agent

When an event transformation agent in Implode mode receives a single event, Tines will store the “size_path” value. Tines waits until it receives the relevant number of events before emitting all events in a single array. In the picture above the array ‘size’ is ‘4’, so Tines will wait until it receives 4 separate events, then implode them and emit them all in one event. The ‘implode events’ agent will emit an array like below. 

an imploded array

“Any”, “All” or “None”

We can now create a “For Loop” to loop through this array to see if all, any, or none of the scans are classified as malicious. The end result will look like this:

all any or none event emitted by implode mode

You can download this example story here.

Parallel Paths

In addition to imploding arrays, the ‘Implode’ agent can also “implode” events that have been sent down two or more parallel paths (aka Tines) at the same time.

By generating a GUID manually and sending events down two paths in Tines, time-critical or time-intensive tasks can be performed in parallel, without waiting for one to complete before the other starts. Using ‘Implode’, Tines will release an event only when all tasks are completed, for example:

  • Analyze email Attachments and URLs from a suspicious email at the same time
  • Offboard users in multiple different systems at the same time and return a result when the user is successfully offboarded in all systems
  • Prompt two different users or teams for approval to take an action
  • Analyze alerts in multiple different tools at the same time

Dual Approval Example

To illustrate a Story where an event is sent down parallel paths, let’s imagine a situation where the approval of both a user and manager is required to process a request. To approve or deny the request, we’ll send them both an email. We’ll only continue the process when both have clicked a prompt with their response.

parallel paths imploding

We’ll use an external service to generate the GUID so we can kick off the story easily. When you import this story in Tines, click “Run” to send an example email to a manager and user. You should also edit the “Send Prompt to User” and “Send Prompt to Manager” recipients first.

email to manager with prompts

These emails each contain two prompt links generated by a “Prompt” widget. When a user clicks one of these links, Tines releases an event which will be processed by a Trigger agent. The ‘deduplicate events’ agent removes duplicate replies so the manager or user can’t click twice and trigger an implode event.

In this example we want the ‘implode events’ agent to wait until a prompt response is received from both the manager and the user. Only when the manager and user have both replied should an event be emitted.

Implode Mode, Part Deux

The implode agent configuration therefore looks slightly different to reflect that we are waiting for a static number of events, 2 (i.e. the user’s reply and the manager’s reply), rather than a dynamic number in the example above (the number of elements in the exploded array). It is now hardcoded as a value ‘2’. If we needed three approvals (e.g. the User, their manager, and IT) we would hardcode this value to ‘3’.

Once the “Implode Events” agent emits an array, Tines can use the same “Any”, “All” or “None” agent configuration to decide whether to grant the permissions to the user. You can download this story here.
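The explode/implode bookkeeping described above (Correlation IDs and Implode Mode) and the static-size, deduplicated variant from the dual-approval story, simulated in Python as an added example. This is not Tines code: the agent names, event shapes, dotted paths and the urlscan-style verdicts are constructed to mirror the fields the post shows (guid, index, size).

```python
import uuid
from collections import defaultdict


def get_path(event, path):
    """Resolve a dotted path such as 'explode_scans.guid' inside a nested event."""
    value = event
    for key in path.split("."):
        value = value[key]
    return value


def explode(event, array_path, agent_name):
    """Explode mode: one event per element, tagged with the shared guid, its index and the array size."""
    items = get_path(event, array_path)
    guid = str(uuid.uuid4())  # correlation ID shared by every element of this array
    return [
        {agent_name: {"guid": guid, "index": i, "size": len(items), "individual_scan": item}}
        for i, item in enumerate(items)
    ]


class Imploder:
    """Implode mode: buffer events per guid and release them as one array once `size` have arrived."""
    def __init__(self, guid_path, size_path=None, static_size=None, index_path=None):
        self.guid_path = guid_path
        self.size_path = size_path      # dynamic: read the size from each exploded event
        self.static_size = static_size  # or hardcoded, e.g. 2 for the dual-approval story
        self.index_path = index_path
        self._buffers = defaultdict(list)

    def receive(self, event):
        guid = get_path(event, self.guid_path)
        size = self.static_size if self.static_size is not None else int(get_path(event, self.size_path))
        bucket = self._buffers[guid]
        bucket.append(event)
        if len(bucket) < size:
            return None  # still waiting for the rest of this correlation group
        del self._buffers[guid]
        if self.index_path is not None:
            bucket.sort(key=lambda e: get_path(e, self.index_path))  # restore original array order
        return bucket


class Deduplicator:
    """The 'deduplicate events' agent: a prompt clicked twice must not count as two replies."""
    def __init__(self, key_paths):
        self.key_paths = key_paths
        self._seen = set()

    def receive(self, event):
        key = tuple(get_path(event, p) for p in self.key_paths)
        if key in self._seen:
            return None
        self._seen.add(key)
        return event


def any_all_none(imploded, flag_path):
    """The 'For Loop' verdict over an imploded array: are any, all or none of the flags set?"""
    flags = [bool(get_path(e, flag_path)) for e in imploded]
    return {"any": any(flags), "all": all(flags), "none": not any(flags)}


def scan_example():
    """Exploded-array case: four constructed urlscan-style results, one of them flagged malicious."""
    scans_event = {"get_scans": {"results": [{"url": f"https://site{i}.example"} for i in range(4)]}}
    verdicts = [False, True, False, False]  # constructed stand-ins for the per-scan result lookup
    exploded = explode(scans_event, "get_scans.results", "explode_scans")
    imploder = Imploder("explode_scans.guid", size_path="explode_scans.size", index_path="explode_scans.index")
    emitted = None
    for event, malicious in zip(reversed(exploded), reversed(verdicts)):  # results arrive out of order
        event["get_result"] = {"malicious": malicious}
        emitted = imploder.receive(event)
    return emitted, any_all_none(emitted, "get_result.malicious")


def dual_approval_example():
    """Parallel-paths case: static size 2, with the user's duplicate click dropped before imploding."""
    guid = "constructed-request-guid"  # the story fetches this from an external service
    replies = [
        {"prompt": {"guid": guid, "responder": "user", "approved": True}},
        {"prompt": {"guid": guid, "responder": "user", "approved": True}},  # second click
        {"prompt": {"guid": guid, "responder": "manager", "approved": True}},
    ]
    dedup = Deduplicator(["prompt.guid", "prompt.responder"])
    imploder = Imploder("prompt.guid", static_size=2)
    releases = []
    for reply in replies:
        unique = dedup.receive(reply)
        released = imploder.receive(unique) if unique is not None else None
        if released is not None:
            releases.append(released)
    return releases, any_all_none(releases[0], "prompt.approved")
```

Without the deduplication step, the user's second click would satisfy the static size of 2 on its own and the manager's reply would never be required.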

To learn more about how Implode or any of our features can help your automation journey, book a demo, start a free trial, or you can contact us here or by emailing hello@tines.io. 

Introducing the Tines Admin API

November 11, 2019 in Announcements, Blog

Starting our deep-dive into new features included in the Tines Autumn 2019 release, we’re proud to announce the Admin API. In this post we’ll explore how the Admin API can be used to manage users, jobs and private templates.

Getting an API key

Like all Tines APIs, an API key is required to interact with the Admin API. A new API key can be generated from inside a user’s profile, however, to limit misuse only tenant admins can interact with the admin API.

Tines Admin API Postman collection

Postman is a powerful API client that makes testing and experimenting with APIs easy (we previously released a VirusTotal API Postman collection). We also provide a Tines API Postman collection on GitHub.

Download the v2 collection file from here and import it into Postman. The Tines collection contains examples for all admin actions.

Users

Tines admins can use the User Admin APIs to programmatically manage users within their tenant. The new user admin APIs include endpoints for the following:

  • List users
  • Get a user
  • Delete a user
  • Create a user
  • Update a user
  • Get user signin activity
  • Resend a user invitation

Job Management

With the job management APIs, Tines admins can now perform common maintenance tasks such as monitoring the size of queues and deleting a malfunctioning agent’s retry jobs more easily. New job management admin APIs include endpoints for the following:

  • Delete all an agent’s retry jobs
  • List queued jobs
  • Delete all an agent’s queued jobs
  • Delete all queued jobs
  • List dead jobs
  • Delete all dead jobs
  • List retry jobs
  • Delete all retry jobs
  • Delete all an agent’s dead jobs

Private Templates

Private templates allow Tines admins to build agents that can be used as the basis for other agents throughout a tenant. Having programmatic access to manage private templates makes it trivial to automate the creation of agent templates for private APIs built by your company. The new admin API for private templates includes endpoints for the following:

  • List private templates
  • Get a private template
  • Create a private template
  • Update a private template
  • Delete a private template

Further information


Additional information on the Tines Admin APIs is available on the Tines Docs site: https://docs.tines.io/tines_api.html. If you’d like to know more about how the Tines API or any of our other features can help your automation journey, you can book a demo, start a free trial, or contact us here or by emailing hello@tines.io.

Chatbots for Security and IT Teams – Part 3: Creating A Slack Chatbot

August 19, 2019 in Blog

In Part 1 and Part 2 of our Chatbots for Security and IT Teams blog series we examined how to build Chatbots for Microsoft Teams. While Microsoft Teams has now overtaken Slack in terms of popularity, Slack retains the hearts and minds of many, and healthy competition will no doubt result in better features for both. This blog will examine how to create a Chatbot in Slack to improve communication and collaboration within your team.

This process of collaborating within a chat tool is commonly called “chatops” – “a collaboration model that connects people, tools, process, and automation into a transparent workflow” according to Atlassian.

In order for ChatOps to be successful it requires both the ability to kick-off automated actions from within the chat application, and for an automation solution to send alerts and data to the chat program both proactively and reactively.

In this blog, we will examine how to send basic notifications in Slack to a single channel, then we’ll examine how to interact with our Chatbot from within Slack, and lastly we’ll learn how to send proactive notifications to individual Slack users.

As mentioned in Part 1, the idea of Chatbots for security and IT teams is not new – security teams in Slack, Netflix and Dropbox, among others, have created open source Slack Chatbots for alerting purposes and for indicator enrichment. Creating your own Chatbot which fits your own internal processes allows you to be more flexible in your tool and process choice, and keeps your information private, however you should check out their blogs for useful ideas!

The first step to setting up your Chatbot in Slack is to create an OAuth application here – https://api.slack.com/apps. You’ll need to be an admin on your workspace, or be working with an admin, in order to do this. When you follow the link, you should be presented with a page like this.

Creating a Chatbot within Slack

Create an application called “Tines Chatbot” (or whatever name you choose). When you create your Slack App you have to choose your workspace. If this is your first time setting up an application, it may make sense to test in a demo or development workspace.

On the next page you’ll be presented with several options on what features and functions you’d like for your application:

  • Incoming Webhooks – post messages from Tines directly to a channel (e.g. the Incident Response channel). Use this to send Prompt messages to a specific channel where the channel details will not change e.g.
    • Post information details of new high priority incidents into an InfoSec channel or IT channel
    • Post alerts for incidents close to SLA limits
    • Inform teams of new servers deployed or new vulnerabilities found
  • Interactive Components – creates shortcut to specific actions with right-click actions on messages
  • Slash Commands – allow a user to interact with Tines through specific, user-defined commands e.g.
    • /searchdomain – search for traffic to a domain in logs
    • /lookupdomain – lookup a domain’s reputation
    • /lookupuser – look up user profile information in Active Directory
    • /lockaccount – lock a user’s account
    • /quarantinedevice – quarantine a device proactively
    • /escalateticket – escalate a ticket
    • /blockdomain – block a domain on the firewall
  • Bots – allow two way text communication with a user (i.e. not just clicking links to prompts)

To quickly demonstrate how to get an alert from Tines into Slack, let’s select “Incoming Webhooks”.

Incoming Webhooks 

The simplest interaction with Slack is notifications sent to a specific channel via a Slack webhook. Let’s click on “Incoming Webhooks” in the screen above. If you’ve moved past this screen, click “Incoming Webhooks” in the Features menu. Then click “On” in the top right hand corner.

Now click “Add New Webhook to Workspace” at the bottom of the page.

Now choose a channel to post these notifications to. I’m going to select my personal channel, @thomas. Now click “Install”.

Slack will return a webhook URL. Let’s send this webhook URL a message from within Tines.

In your Tines tenant create a new story called “Slack Chatbot”. In that story, create a new agent using the template “Post Message to a Slack Channel”:

  • Give it the name “Post Message to Webhook”
  • Enter the Webhook URL you just created in the URL parameter
  • Click Save
  • Now click “Run Agent”

You should receive an alert within your chosen slack channel:

Congratulations! You’ve just sent your first message to Slack!

Next, let’s make the App look slightly more professional – choose a logo for your Chatbot in the “Basic Information” settings

Click “Save Changes” at the bottom of the page. The alert should now look a little better:

You can use this alert to send messages to an IT or Incident Channel every time a new alert is created, for example. If you have alerts specific to an individual team you can simply install a webhook for their team channel to alert them for specific actions. You can read more about formatting Slack messages here.

Slash Commands

There are obviously significant limitations to a simple webhook – the most obvious is that there is no way to communicate back to your Tines Chatbot. Fortunately this is relatively easy to do in Slack using “Slash Commands”. You can send Slash Commands to proactively kick off automation stories within Tines.

In this example, we’ll use the command /analyzedomain to kick-off the analysis of a domain within Tines from within any Slack Channel in your workspace.

First, let’s set up a new webhook within our Tines story. Let’s call it “Receive Commands”.

Then, in Slack, go to the Slash Commands section of your application. You can choose this section in the “Features” menu on the left hand side of the page.

Then click “Create New Command”

Enter the command “analyzedomain”, and your webhook URL in the “Request URL” section. Add a short description, and a usage hint. You can leave everything else as it is.

Now click “Save”.

Note: when you change specific permissions in Slack you should get a notification saying the scopes have changed – you’ll need to “reinstall the app”.

Now, let’s go to a test channel within our Workspace – you can choose whichever one you want.

Start typing “/an…” and the Slash Command should pop up.

Type “/analyzedomain tines.io”. You should get the response: 

Let’s look at the data received in Tines – we can see that we have the channel id, channel name, the name of the user who sent the request, and the command, along with a few other details:

We can make this cleaner using the “response” configuration option within the Tines webhook agent. You can enter text like:

(note, the json path is simply the underlying key, excluding the agent name).

Now when you submit a command you’ll get a more contextual response:

We can now use Tines to perform an analysis of the domains submitted. Before we do, however, let’s get our Slack Credential so we can post a message back to Slack using the Tines Chatbot.

Creating a Slack Credential

The easiest way to post a message to Slack is to use the OAuth token found in the OAuth & Permissions section. Copy this access token to create a credential called “slack_chatbot” in Tines.

In the same section, you will also need to add in the scopes “chat:write:bot” and “chat:write:user”. You will likely need to install the application again.

Now that we have our Slack configuration created we can build an Automation Story using the following agents in Tines:

  1. A Webhook agent, with the title “receive commands”, as created above
  2. A Trigger agent – trigger on the Slash Command for the value /analyzedomain
  3. An Event Transformation Agent to extract all the domains sent for analysis
  4. Another Event Transformation Agent to explode all the domains found
  5. Three HTTP Request Agents to search the domain in Virustotal and URLHaus, and to get the domain age from ipty.de. Note, you will need to have added a Virustotal credential containing your Virustotal API Key for this agent to run successfully.
  6. An Event Transformation Agent to transform these results into a cleaner format. We can use the “If Widget” for this:
  7. Lastly, another HTTP Request Agent to respond to the user

We can respond to the user using the channel_id received in the webhook event, and include the slack_chatbot credential we created earlier.
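The receiving side of the /analyzedomain flow, as an added Python example rather than the post’s Tines agents: it parses the form-encoded slash-command request (channel_id, channel_name, user_name, command, text), extracts the domains, builds the contextual acknowledgement and the chat.postMessage body keyed on channel_id. Slack’s request signing (signing secret, X-Slack-Signature) is not covered in the post; it is included here as the check a webhook that triggers automation from chat should make, and the secret, channel id and user name are constructed values.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs, urlencode

# Constructed secret; a real app's value is shown under "Basic Information" in the Slack app settings.
SIGNING_SECRET = "constructed-signing-secret"
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def slack_signature(secret, timestamp, body):
    """Slack v0 request signing: HMAC-SHA256 over 'v0:<timestamp>:<raw body>'."""
    base = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(secret.encode(), base, hashlib.sha256).hexdigest()


def verify_request(headers, body, secret=SIGNING_SECRET, now=None, tolerance=300):
    """Reject requests with a bad signature or a timestamp outside a five-minute replay window."""
    timestamp = headers.get("X-Slack-Request-Timestamp", "0")
    now = time.time() if now is None else now
    if not timestamp.isdigit() or abs(now - int(timestamp)) > tolerance:
        return False
    expected = slack_signature(secret, timestamp, body)
    return hmac.compare_digest(expected, headers.get("X-Slack-Signature", ""))


def parse_command(body):
    """Pull out the fields the post points at: channel id/name, user name, command and its text."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {key: fields.get(key, "") for key in ("command", "text", "channel_id", "channel_name", "user_name")}


def extract_domains(text):
    """Stand-in for the 'extract domains' Event Transformation Agent."""
    return sorted({m.lower() for m in DOMAIN_RE.findall(text)})


def handle_request(headers, body, now=None):
    """Webhook -> Trigger (/analyzedomain only) -> extract -> contextual response, as one function."""
    if not verify_request(headers, body, now=now):
        return {"status": 401, "body": {"text": "invalid request signature"}}
    cmd = parse_command(body)
    if cmd["command"] != "/analyzedomain":
        return {"status": 200, "body": None}  # the trigger agent does not fire for other commands
    domains = extract_domains(cmd["text"])
    if not domains:
        return {"status": 200, "body": {"response_type": "ephemeral", "text": "No domain found in your command."}}
    text = f"Analyzing {', '.join(domains)} for @{cmd['user_name']} in #{cmd['channel_name']}..."
    return {"status": 200, "body": {"response_type": "ephemeral", "text": text},
            "domains": domains, "channel_id": cmd["channel_id"]}


def reply_payload(channel_id, domain, results):
    """Body for the final 'respond to the user' HTTP Request Agent (chat.postMessage), keyed on channel_id."""
    lines = [f"*{domain}*"] + [f"{source}: {verdict}" for source, verdict in results.items()]
    return {"channel": channel_id, "text": "\n".join(lines)}


def constructed_request(text, secret=SIGNING_SECRET, timestamp=None):
    """Build a signed request like the one Slack sends for '/analyzedomain <text>' (constructed sample)."""
    timestamp = str(int(time.time())) if timestamp is None else timestamp
    body = urlencode({"command": "/analyzedomain", "text": text, "channel_id": "C0CONSTRUCTED",
                      "channel_name": "test", "user_name": "thomas"})
    headers = {"X-Slack-Request-Timestamp": timestamp, "X-Slack-Signature": slack_signature(secret, timestamp, body)}
    return headers, body
```

The lookups against Virustotal, URLHaus and ipty.de are left to the HTTP Request Agents; `reply_payload` only shapes their results into the message sent back to the originating channel.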

Rich Notifications

Earlier this year, Slack debuted the ability to build “Blocks”. They include templates of how you can create rich notifications like the below, and a “Block Builder” where you can build out your own notification templates.

Using these rich notifications you can create cleaner notifications to send to your users using the Tines Chatbot. These can also include prompts for a user to take additional action. The example included in our story is above. 

If you want, you can take the “whitelist” and “block” prompts and create trigger agents to take actions based on these prompts. The completed story looks like the below:

Proactive Slack Chatbot Notifications

As we noted in Part 2, a Chatbot is useful not just for responding to user requests, but it’s useful for sending messages to users within Slack proactively. There are many reasons why you might want to proactively contact a user, for example:

  • Crowdsourcing suspicious activity with users e.g. logins from unusual IPs
  • Informing a security team of a high priority incident, or an IT team of a new ticket or request
  • Confirming validity of sudo commands
  • Validating change to user permissions
  • Confirming installation of unusual software
  • Processing approval permissions from managers and service owners for access requests
  • Prompting users to take action before escalation of a ticket; to manage evidence etc.

Searching for a User Within Slack

In order to send a message to a user proactively it is necessary to find their Channel ID using their email address. You can search for a Slack user using their email address with the following agent template in Tines:

Note, to do this you will need to add the users:read and users:read.email scopes to your application. You can do this in the OAuth & Permissions section of your application. 

Once successful you’ll receive a result similar to the below in Tines:

You can now send a message to the user directly in their Private Channel using a message like this:

Congratulations! You’ve now created a Chatbot that can proactively alert users in dozens of Automation Stories. 

You can download the complete story for all the above Slack actions here.

To learn more about how Chatbots work or about other ways Tines can help your automation journey, book a demo, start a free trial, or contact us at hello@tines.io.

Updated – Microsoft Graph Security Automation

August 2, 2019 in Blog

If your organisation leverages Office 365, Microsoft Graph provides programmatic access to a wealth of data which can be used to better inform decision making during threat detection and response. In this post, we explore how to enable Tines for Microsoft Graph security automation, so that you can use information such as Outlook emails, organisational structure, advanced threat analytics and more in your security automation program.

Step 1 – Getting an app ID and secret for use in Microsoft Graph

Authenticating for Microsoft Graph security automation

We will authenticate to Microsoft Graph using an app ID and secret. To get these, we need to register a new application in the Microsoft Azure App Registrations Portal. Sign in with your Microsoft credentials. Note, you will need to be working with an administrator of your Microsoft account.

Click “New Registration”.

Enter an application name and select “Accounts in this organizational directory only (yourorganization.com)”.

Then enter your callback URL. You can find your callback url in your Tines tenant by creating a new OAuth 2.0 credential. We’ll return to this page in Tines shortly.

Now click “Register”.

You should be redirected to a page like this:

Now create a new application secret using the “Certificates and Secrets” tab.

Take note of the generated secret (you only see it once) and the application ID; we will need these when creating a Tines credential later.

Step 2 – Selecting Scopes

Finally, we need to define the permissions this application should have; these are also referred to as the OAuth 2.0 scopes. Permissions include everything from creating tasks to sending emails. A full list of permissions is available in the Microsoft Graph docs.

It is best security practice to provide the application with the minimum amount of permissions necessary to perform its required task(s).

In our example, we want to read Outlook emails using Tines, so we’ll include the Mail.read permission. To view and edit permissions go to the API Permissions tab, click “Add a permission”, select “Microsoft Graph” and then “Delegated Permissions”. Choose the relevant permissions, including “offline_access”, and click “Add Permissions”.

You may need to click “Grant Consent” as an administrator for some or all permissions.

Step 3 – Adding Details to a Tines credential

Next, we need to add these details to the Tines credential so they correspond with the application we’ve just registered. We will use this credential in our agents to access Microsoft Graph security data. From your Tines tenant, choose “Credentials” and “New Credential”. From the “Type” dropdown, choose OAuth2.0. Give your credential a name; I used “msgraph”, but you can use whatever makes sense in your situation.

Under “client id” and “client secret” in the “Create credential” page, enter the “application id” and “application secret” from the application you just registered in Step 1.

Copy the Client/Application ID and return to the New Credential page and copy the Secret from the Client Secrets you just created.

Under scope, we’ll enter a space separated list of the permissions we used when registering the Graph application in Step 2. That is: Mail.read and User.read. Additionally, we will include the offline_access scope. This scope allows Tines to request fresh access tokens as necessary.

From the “Grant type” dropdown, choose “authorization_code”.

Under “Oauth url” and “Oauth token url”, we need to tell Tines where to request authorization and access tokens.

You can find these under “Quickstart” > “Endpoints”.

In our example we have chosen the v2 endpoints.

Having entered all the required information into the “Create credential” page, it should look similar to the below. You can optionally choose to share the credential.

When you select “Save credential”, Tines will redirect to a Microsoft account consent page, where you will be asked to authorize the application’s access to your account.

After accepting the request, Microsoft will securely redirect you to Tines.

Tines OAuth2 consent flow for Microsoft Graph Security Automation

Credential auth flow

Step 4 – Creating a Tines agent

We now have everything we need to connect Tines and Microsoft Graph, so we’ll use a standard Tines HTTP Request Agent to read emails from an Outlook account.

The Graph Explorer is a very useful tool for understanding how to interact with the data in Graph, including Microsoft Graph security data. Using it, we can see that in order to read Outlook messages we need to send a GET request to the following URL:

As such, we will create an HTTP Request Agent with the following Options block:

When this agent runs, Tines replaces the credential widget ({% credential msgraph %}) with a valid access token. The event emitted by this agent will contain emails from my Outlook inbox. For example:
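As an added example (not from the post and not a Tines agent), here is a Python function that does what the HTTP Request Agent above does, plus one thing the single request does not show: it follows Graph’s @odata.nextLink paging so you get every message rather than only the first page, and it fails loudly on a 401 rather than emitting an empty event. The endpoint assumed here is the Graph messages resource https://graph.microsoft.com/v1.0/me/messages; the transport is a constructed fake that serves two pages so the example runs offline.

```python
from typing import Callable, Dict, List, Tuple

GRAPH_MESSAGES = "https://graph.microsoft.com/v1.0/me/messages"  # assumed endpoint
# A transport is a function (url, bearer_token) -> (status_code, json_body).
Transport = Callable[[str, str], Tuple[int, dict]]


def fetch_all_messages(get: Transport, access_token: str, top: int = 2,
                       max_pages: int = 50) -> List[Dict[str, str]]:
    """Read the mailbox, following @odata.nextLink until Graph stops returning one."""
    url = f"{GRAPH_MESSAGES}?$select=id,subject,from,receivedDateTime&$top={top}"
    messages: List[Dict[str, str]] = []
    for _ in range(max_pages):            # bound the walk: never trust a server to terminate
        status, body = get(url, access_token)
        if status == 401:
            raise PermissionError("access token rejected; refresh the credential")
        if status != 200:
            raise RuntimeError(f"Graph returned HTTP {status}: {body.get('error')}")
        for m in body.get("value", []):
            messages.append({
                "id": m["id"],
                "subject": m.get("subject", ""),
                "from": m.get("from", {}).get("emailAddress", {}).get("address", ""),
                "received": m.get("receivedDateTime", ""),
            })
        url = body.get("@odata.nextLink")
        if not url:
            return messages
    raise RuntimeError("gave up after max_pages pages")


# Constructed two-page response, shaped like Graph's list-messages output.
_PAGE_2 = GRAPH_MESSAGES + "?$skip=2&$top=2"
_FAKE_PAGES = {
    f"{GRAPH_MESSAGES}?$select=id,subject,from,receivedDateTime&$top=2": {
        "value": [
            {"id": "AAMk1", "subject": "Quarterly report", "receivedDateTime": "2019-11-01T09:00:00Z",
             "from": {"emailAddress": {"address": "cfo@example.com"}}},
            {"id": "AAMk2", "subject": "URGENT: wire transfer", "receivedDateTime": "2019-11-01T09:05:00Z",
             "from": {"emailAddress": {"address": "ceo@examp1e.com"}}},
        ],
        "@odata.nextLink": _PAGE_2,
    },
    _PAGE_2: {
        "value": [
            {"id": "AAMk3", "subject": "Lunch?", "receivedDateTime": "2019-11-01T10:00:00Z",
             "from": {"emailAddress": {"address": "colleague@example.com"}}},
        ],
    },
}


def fake_graph(url: str, token: str) -> Tuple[int, dict]:
    """Stand-in transport: checks the bearer token, then serves the canned pages."""
    if token != "valid-token":
        return 401, {"error": {"code": "InvalidAuthenticationToken"}}
    return 200, _FAKE_PAGES[url]


if __name__ == "__main__":
    for m in fetch_all_messages(fake_graph, "valid-token"):
        print(m["received"], m["from"], m["subject"])
```

In Tines the same paging is done by feeding @odata.nextLink from one event back into a second HTTP Request Agent; the point of the bounded loop is that a story which only reads the first page silently misses the older messages.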

Tines - Event generated by Microsoft Graph Security Automation

Summary

Microsoft Graph exposes an extraordinarily rich repository of data and capabilities. By using Tines to automate interaction with Graph, security analysts can automate their Microsoft Graph security tasks and perform more thorough threat detection and response, all while freeing up analyst time for higher-impact activities.

References

Microsoft Graph quickstart guide: https://developer.microsoft.com/en-us/graph/quick-start

Chatbots for Security and IT Teams – Part 2: Microsoft Teams

July 30, 2019 in Blog

In 2019, security and IT teams are finding it harder to source and retain talent, which is why many teams today are embracing remote workers and distributed teams. Communicating within and between remote teams is challenging, and many organizations are using communication tools like Slack and Microsoft Teams, and with them chatbots, to improve communication and collaboration.

Chatbots Blog Series

In Part 1 of the series we examined how to set up a chatbot within Microsoft Teams. This chatbot received commands from users within Teams and replied with details collected using Tines.

This tutorial will delve deeper into Microsoft Teams chatbots and examine how to send rich notifications using Cards. It will also explain how to use the Microsoft Graph API and this Chatbot to proactively find and contact users within Microsoft Teams. You can use these proactive notifications to crowdsource and confirm frequent incidents of suspicious activity from users in your organization.

In part three we’ll examine setting up Chatbots within Slack which can both take commands and crowdsource information from users.

Microsoft Teams Advanced Chatbots

This tutorial will build upon part 1 where we set up a Chatbot within Microsoft Teams. If you haven’t followed the first tutorial, click here and follow the steps to create a working Chatbot within Tines.

Sending Cards within Microsoft Teams

In our last tutorial we learned how to send replies to users who sent messages to our chatbot. A quick way to make these notifications look more professional is to send cards. The Bot Framework supports Adaptive Cards, a common, consistent format in which developers exchange card content in bot communications, as well as simpler rich cards such as Hero and Thumbnail cards.

Cards come in several formats. One of the most common is the Hero Card, which contains a large image, one or more buttons, and a small amount of text:

Another common format is Thumbnail Cards. Thumbnail Cards typically contain a single, small thumbnail image, some short text, and one or more buttons.

You can make cards as complicated or rich as you deem necessary, for example using a card like below. These cards are all available as templates within Tines.

Sending Messages Proactively to Users

The next challenge is to send messages proactively to users within Microsoft Teams. There are many reasons why you might want to proactively contact a user, for example:

  • Confirming suspicious activity with a user e.g. a login from an unusual IP
  • Informing a security team of a high priority incident, or an IT team of a new ticket or request
  • Confirming validity of sudo commands
  • Validating change to user permissions
  • Confirming installation of unrecognized software
  • Processing approval permissions from managers and service owners for access requests
  • Prompting users to take action before escalation of a ticket; to manage evidence etc.

In order to send a proactive message to a user in Microsoft Teams you need two pieces of information – the tenant ID of the Microsoft Teams tenant; and the Microsoft Teams Member ID of the individual user.

The tenant ID is easy to find as you used it in part 1 to create the Tines Bot. It is also returned in any communication sent to or by the bot. It can also be found manually in the link “Get link to team” within Microsoft Teams.

The Member ID is the “id” field in the responses when retrieving details about a team using the Teams API. It is not to be confused with the “objectId”, which is the Azure AD object ID used as the user id in Microsoft Graph API calls.

All conversations initiated by a user with a Bot include the Member ID of the user. This is how it’s possible to reply to a user when they proactively send a message to the Tines Chatbot.

Finding a User ID Proactively

Unfortunately, however, Microsoft Teams does not allow you to search for a user using an email address and retrieve this Member ID. According to Microsoft “This is intentional to prevent spambots within the bot framework”.

Fortunately, there are ways around this limitation. The simplest is to fetch the team roster. If your organization has a team that all members of your organization are automatically members of, then you can return all members of that team using the below command made by the Tines Bot.

You will need the team’s “teamId” or “internalId”, which you can find within the Microsoft Teams UI: it is the path segment of the form <id>@thread.<suffix> (for example @thread.skype or @thread.tacv2) in a URL like https://teams.microsoft.com/l/team/{{internalID}}/conversations/… The Team ID is also sent in all communications to the Bot from the team chat within the Teams UI.

Using the data returned from the team roster, you can then filter on the user whose email address matches the email address of the user you are searching for.

new proactive notification bot

An alternative solution is to use an external store like DynamoDB to hold the team roster details and, using Tines, search the table for the member id of the individual you want to contact.

Finding a Member ID using only an Email Address

For the purpose of this blog, however, we’ll examine a worst-case scenario: one where you have neither a team of which all employees are members, nor a lookup table in which to store this information. In this case, you can perform the following series of searches in Microsoft Graph to retrieve the member id.

Finding a User and Team in Microsoft Graph

First you can search for the user’s graph ID using the email address of the user. We’re taking the “user_email” value from a “receive_events” webhook.

Using the id returned, you can list the teams they have joined (the user’s joinedTeams).

Then you can retrieve details for one of those teams. The data returned will include the “internalId”, which acts as the Microsoft Teams ID for that team.

Fetching the Team Roster in Microsoft Teams

You can then use your chatbot to get the team roster as above. This will return the members of that team and their id, which can be used to initiate a conversation with them.

As this team will likely have more than one member, you will have to filter on the member whose email address matches the user you wish to contact.

You can then begin a conversation with that user, and send them cards like the below.

The last step is to send a notification to the user. This can be done very easily using templates from any of the cards above. You can include a prompt which will automatically take the next step, e.g. escalating to on call, closing an incident or locking an account. The prompt can also force a second-factor confirmation through Tines using a tool like Duo or Okta.
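As an added example (not the downloadable story and not Tines code), the Python below chains the lookups described in this section: Graph resolves the email address to a user id, lists the teams the user has joined and reads one team’s internalId; the Bot Framework connector then returns that team’s roster, the member whose email matches is picked out (compared case-insensitively, because the roster may return the address in a different case than you typed), a one-to-one conversation is created, and a Hero card with two buttons is posted into it. The service URL, bot id, tenant id and every HTTP response are constructed stand-ins so it runs offline; a real run would replace fake_http with a function that makes the calls with a bearer token.

```python
from typing import Callable, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
SERVICE_URL = "https://smba.trafficmanager.net/emea/"    # assumed; copy it from an incoming bot activity
BOT_ID = "28:00000000-0000-0000-0000-000000000000"        # assumed bot id ("28:" + app id)
TENANT_ID = "11111111-1111-1111-1111-111111111111"         # assumed tenant id

# http(method, url, json_body) -> parsed JSON response
Http = Callable[[str, str, Optional[dict]], dict]


def find_member_id(http: Http, email: str) -> str:
    """Resolve an email address to the Teams member id the connector needs."""
    user = http("GET", f"{GRAPH}/users/{email}", None)                   # Graph user by UPN
    teams = http("GET", f"{GRAPH}/users/{user['id']}/joinedTeams", None)["value"]
    if not teams:
        raise LookupError(f"{email} is not a member of any team")
    team = http("GET", f"{GRAPH}/teams/{teams[0]['id']}", None)          # gives internalId
    roster: List[dict] = http("GET", f"{SERVICE_URL}v3/conversations/{team['internalId']}/members", None)
    for member in roster:
        # "id" is the member id; "objectId" is the Graph/Azure AD id, which is not what we want here
        if member.get("email", "").lower() == email.lower():
            return member["id"]
    raise LookupError(f"{email} not found in roster of team {team['internalId']}")


def hero_card(title: str, text: str, buttons: List[str]) -> dict:
    """Bot Framework Hero card attachment with imBack buttons (the click comes back as a message)."""
    return {
        "contentType": "application/vnd.microsoft.card.hero",
        "content": {"title": title, "text": text,
                    "buttons": [{"type": "imBack", "title": b, "value": b} for b in buttons]},
    }


def send_proactive(http: Http, email: str, card: dict) -> Tuple[str, dict]:
    """Create (or reopen) a personal conversation with the user and post the card into it."""
    member_id = find_member_id(http, email)
    conversation = http("POST", f"{SERVICE_URL}v3/conversations", {
        "bot": {"id": BOT_ID},
        "members": [{"id": member_id}],
        "channelData": {"tenant": {"id": TENANT_ID}},
        "isGroup": False,
    })
    activity = {"type": "message", "from": {"id": BOT_ID}, "attachments": [card]}
    sent = http("POST", f"{SERVICE_URL}v3/conversations/{conversation['id']}/activities", activity)
    return conversation["id"], sent


# Constructed responses, shaped like the real Graph and connector replies.
_CANNED = {
    ("GET", f"{GRAPH}/users/bob@example.com"): {"id": "aad-obj-bob"},
    ("GET", f"{GRAPH}/users/aad-obj-bob/joinedTeams"): {"value": [{"id": "team-guid-1"}]},
    ("GET", f"{GRAPH}/teams/team-guid-1"): {"id": "team-guid-1", "internalId": "19:team1@thread.skype"},
    ("GET", f"{SERVICE_URL}v3/conversations/19:team1@thread.skype/members"): [
        {"id": "29:member-alice", "objectId": "aad-obj-alice", "email": "alice@example.com"},
        {"id": "29:member-bob", "objectId": "aad-obj-bob", "email": "Bob@Example.com"},
    ],
}
POSTED: List[Tuple[str, dict]] = []   # records what the fake connector received


def fake_http(method: str, url: str, body: Optional[dict]) -> dict:
    if method == "GET":
        return _CANNED[(method, url)]
    POSTED.append((url, body))
    if url.endswith("/v3/conversations"):
        return {"id": "a:personal-chat-1"}
    return {"id": "activity-1"}


if __name__ == "__main__":
    card = hero_card("Unusual sign-in", "Was this you? 203.0.113.5 at 03:12 UTC",
                     ["Yes, that was me", "No, lock my account"])
    print(send_proactive(fake_http, "bob@example.com", card))
```

The user’s answer arrives at the bot’s webhook as an ordinary message whose text is the button value, which is what lets the story branch on it (lock the account, close the alert) without a second lookup.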

The complete Proactive Chatbots Story looks like the above, and can be downloaded from here.

The story will need to be customized for your environment. It can be edited to include just details from below the “get bearer token from ms” agent if the team id is known, or from below the “create conversation with user” if the user id is known.

Congratulations, you’ve now set up a chatbot in Microsoft Teams that can send complex alerts to any user in your organization!


In Part 3 we’ll examine how to create a Chatbot to send similar alerts in Slack.

To learn more about how Chatbots work or about other ways Tines can help your automation journey, book a demo, start a free trial, or contact us hello@tines.io. 

Chatbots for Security and IT Teams – Part 1: Microsoft Teams

July 30, 2019 in Blog

In 2019 Security and IT organizations are finding it harder to source and retain talent which is why many companies are embracing remote workers and distributed teams. Communicating within and between remote teams is challenging, and many organizations are using communication tools like Slack and Microsoft Teams, and with them, Chatbots, to improve communication and collaboration.

Often during a security incident, security teams create virtual rooms to discuss the incident, investigate IOCs and take actions. Frequently multiple teams from different disciplines are invited. On IT and product development teams, virtual rooms are often created on a per-project basis to discuss project-specific initiatives and challenges.

This process of collaborating within a chat tool is commonly called “chatops” – “a collaboration model that connects people, tools, process, and automation into a transparent workflow” according to Atlassian.

ChatOps can be improved significantly using chatbots, autonomous programs that interact with users within chats. They provide the “automation” part of ChatOps and allow users to take actions from within their chat application. ChatOps and chatbots allow analysts to maintain their focus in one location and to operate using just one pane of glass, keeping them focused on more meaningful and impactful work.

In order for ChatOps to be successful it requires both the ability to kick-off automated actions from within the chat application, and for an automation solution to send alerts and data back to the Chat program either proactively or reactively.

Because most security and IT tools don’t integrate natively with Slack or Microsoft Teams, you can use Tines to connect your tools together by creating a Tines Chatbot. These chatbots can leverage the full power of the Tines Automation platform and send data back to Microsoft Teams or Slack.

The idea of Chatbots for security and IT teams is not new – security teams in Slack, Netflix and Dropbox, among others, have created open source Chatbots for alerting purposes and for indicator enrichment. Creating your own Chatbot which fits your own internal processes allows you to be more flexible in your tool and process choice, and keeps your information private, however you should check out their blogs for useful ideas!

Chatbots Blog Series

This series will examine:

  • Setting up chatbots within Microsoft Teams that receive commands from users
  • Using this Chatbot to proactively notify and crowdsource information from users within Microsoft Teams
  • Setting up Chatbots within Slack which can both take commands and crowdsource information from users

This blog series will look at the steps required to set up both a communication bot which receives questions and a proactive notification bot, using Tines with Slack and Microsoft Teams.

At the end of this first tutorial you will have created a bot which can receive a command to analyze a domain from any user on your team, and respond with the VirusTotal and URLHaus analysis of that domain.

Microsoft Teams Communication Bot

This first tutorial will examine how to set up chatbots within Microsoft Teams that receive commands from users and reply. Before we begin, you’ll need to be, or be working with, an admin on your Microsoft account. You can also read the getting started with Bots guide, here.

Creating an application in Microsoft Teams

First, let’s begin by Installing App Studio for Microsoft Teams https://aka.ms/InstallTeamsAppStudio

Select Install. When installation is complete you should get the following notification:

Now click “Open” on setting up a Bot within App Studio.

You can also get to this page by clicking the “more” button ( … ) on the sidebar of teams and selecting App Studio

Give your application a name (e.g. the Security Chatbot), a GUID and a version number. (Note, this is the application ID, not the Bot ID which is used later on.)

Give your application a description:

Then enter Privacy Statement URL, Terms of Use URL, and some branding for your application

Creating a Chatbot for your Application

Now go to the Bots tab on the left hand side of the page:

Create a Bot and give it the scopes “Personal”, “Team” and “Group Chat”

You should also save the ID of the Tines Chatbot, just above this.

Once you have created your Chatbot, click “Generate new password” and keep this safe! This will be used to retrieve your bearer token later. 

Now let’s go to Tines and create a webhook using the Webhook template. Let’s call it “receive commands”

Copy the webhook URL and enter it in the “Bot Messaging Endpoint” path.

Lastly, let’s add a command to “analyzedomain”

Click “Add Command”

Fill out the details of the command text and help text. Choose the scopes “Personal”, “Team” and “Group Chat”

Now, return to the menu and click “Finish > Test & Distribute”

Then click “Install”

Click “Add for You”, and select the relevant team to add the application for your team.

Then click “Install” again

If you get an error saying “uploading of custom apps is not allowed”, then follow the process here. You’ll need to allow sideloading of external apps.

Receiving Data in Tines

Congratulations! You’ve just installed a Tines Chatbot!

Now, within your team chat you should be able to call the “Tines Chatbot”

When you “@” the Tines Chatbot you’ll be prompted with the command “analyzedomain” or the command we selected earlier

Let’s go ahead and enter the domain “tines.io” and click enter

This data will now have been sent by Microsoft Teams to Tines. Check your webhook agent to make sure data has been sent and received:

If you do not see any data within Tines, make sure the webhook URL specified in the “Bot Messaging Endpoint” above is correct. You should also check that Microsoft Teams is able to reach that webhook (i.e. that it’s not blocked by your Firewall). If you change the webhook address you will need to re-install the application following the instructions above.

Sending a Reply to Microsoft Teams

To reply, let’s take the password you saved earlier and save it as a credential in Tines:

Now let’s examine more closely the data that Tines receives in the webhook agent

Tines has received the text of the query (analyzedomain galaxy.com). But Tines has also received several other pieces of information we need to reply:

  • The serviceUrl is the base URL that Tines must send data back to using an HTTP Request Agent
  • The “from” details tell Tines who to send this reply to
  • The recipient id is the recipient ID (note, not the Bot ID) of the Tines Bot; this is needed to send the reply as the Tines Bot

Lastly, Tines has received the channelData – this is important for Part 2 when we enumerate all the members of a channel or team.

Our first step is to take the password and Bot ID we saved earlier and request a Bearer Token from Microsoft which we can use to reply. Use the below template to request this token

We use the bearer token as a credential in the reply.

The reply uses the Service URL, the Conversation ID, and sends the data back to the recipient who sent the message, from the Tines Chatbot.

Chaining these results together, we can reply to every message received by the webhook:
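As an added Python example (not the downloadable story and not Tines code), this is the reply path end to end: request the connector bearer token with the Bot ID and password (a client_credentials grant against the Bot Framework tenant with scope https://api.botframework.com/.default), parse the incoming activity, and post a reply to the serviceUrl it carries. Because serviceUrl arrives in the inbound request, anyone who can reach your webhook could supply their own and collect your bearer token, so the example refuses to send to hosts outside the Microsoft connector domains. The allow-list, Bot ID, password and the incoming activity are constructed assumptions.

```python
import re
import urllib.parse
from typing import Callable, Dict, List, Optional, Tuple

BOT_ID = "00000000-0000-0000-0000-000000000000"        # assumed Bot ID from App Studio
BOT_PASSWORD = "example-bot-password"                   # assumed "Generate new password" value
TOKEN_URL = "https://login.microsoftonline.com/botframework.onmicrosoft.com/oauth2/v2.0/token"
# Assumed allow-list of connector hosts a bearer token may be sent to.
ALLOWED_SERVICE_SUFFIXES = (".trafficmanager.net", ".botframework.com")

# http(method, url, headers, json_body) -> parsed JSON response
Http = Callable[[str, str, Optional[Dict[str, str]], dict], dict]


def token_request() -> Dict[str, str]:
    """Form body for the client_credentials grant that yields the connector bearer token."""
    return {"grant_type": "client_credentials", "client_id": BOT_ID,
            "client_secret": BOT_PASSWORD, "scope": "https://api.botframework.com/.default"}


def parse_command(activity: dict) -> Tuple[str, str]:
    """Strip the <at>mention</at> Teams prepends and split "command args"."""
    text = re.sub(r"<at>.*?</at>", "", activity.get("text", "")).strip()
    parts = text.split(None, 1)
    return (parts[0].lower() if parts else "", parts[1].strip() if len(parts) > 1 else "")


def reply_target(activity: dict) -> str:
    """URL to POST the reply to, after checking serviceUrl points at Microsoft's connector."""
    service_url = activity["serviceUrl"]
    host = urllib.parse.urlsplit(service_url).hostname or ""
    if not host.endswith(ALLOWED_SERVICE_SUFFIXES):
        raise ValueError(f"refusing to send bearer token to untrusted serviceUrl host {host!r}")
    conv = activity["conversation"]["id"]
    return f"{service_url.rstrip('/')}/v3/conversations/{conv}/activities/{activity['id']}"


def build_reply(activity: dict, text: str) -> dict:
    """Reply activity: swap from/recipient so it goes back to the sender, as the bot."""
    return {"type": "message", "from": activity["recipient"], "recipient": activity["from"],
            "conversation": activity["conversation"], "replyToId": activity["id"], "text": text}


def handle(http: Http, activity: dict) -> dict:
    command, args = parse_command(activity)
    if command != "analyzedomain":
        text = f"Unknown command {command!r}"
    else:
        text = f"Analysis of {args} queued"          # the real story runs VirusTotal/URLHaus here
    token = http("POST", TOKEN_URL, None, token_request())["access_token"]
    headers = {"Authorization": f"Bearer {token}"}
    return http("POST", reply_target(activity), headers, build_reply(activity, text))


# Constructed incoming activity, shaped like what Teams posts to the webhook.
INCOMING = {
    "type": "message", "id": "1563000000000",
    "text": "<at>Tines Chatbot</at> analyzedomain tines.io",
    "serviceUrl": "https://smba.trafficmanager.net/emea/",
    "from": {"id": "29:member-alice", "name": "Alice"},
    "recipient": {"id": "28:00000000-0000-0000-0000-000000000000", "name": "Tines Chatbot"},
    "conversation": {"id": "19:team1@thread.skype;messageid=1563000000000"},
    "channelData": {"tenant": {"id": "11111111-1111-1111-1111-111111111111"}},
}
SENT: List[Tuple[str, Optional[Dict[str, str]], dict]] = []   # what the fake connector receives


def fake_http(method: str, url: str, headers: Optional[Dict[str, str]], body: dict) -> dict:
    if url == TOKEN_URL:
        if body["client_secret"] != BOT_PASSWORD:
            return {"error": "invalid_client"}
        return {"access_token": "bf-token", "token_type": "Bearer"}
    SENT.append((url, headers, body))
    return {"id": "reply-1"}


if __name__ == "__main__":
    print(handle(fake_http, INCOMING), SENT[-1])
```

The bearer token is good for the connector only, so the damage from leaking it is bounded to impersonating your bot; that is still enough to send convincing messages to every user it can reach, which is why the serviceUrl check matters on an unauthenticated webhook.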

Congratulations! You’ve just sent a reply! You can download this basic story here.

Advanced Replies

Of course, the aim of this story is to analyze the domain in VirusTotal, URLHaus and other services and then reply with the results. In Tines this is pretty easy to do – just use your own tools or templates to perform the analysis and return the details to the requestor. The example below uses VirusTotal and URLHaus. 

The first step of this process is to Trigger on the command being used (in this case, analyzedomain):

We can create separate flows for each command as we expand the functionality of the Tines Chatbot

We then extract into an array all the domains in the text

Tines can then query these domains in VirusTotal and URLHaus, among others.

A complete flow will look like the following:

This story will reply with simple results to the user like the following:

You can download this complete story here.

Additional Use Cases

Now that we have a process to receive data from Microsoft Teams and reply, there are near unlimited possibilities of what we can automate within Tines. Other automation steps you can use with the Tines Chatbot include:

  • Enrich Domains, IPs, URLs
  • Retrieve User Profile Information from Workday, MSGraph etc.
  • Escalate Tickets to On Call
  • Create Tickets, Subtickets or Increase Ticket Severity
  • Add Comments to Tickets
  • Block Domains and IP addresses
  • Query Logs
  • Kick Off Vulnerability Scans and PenTests
  • Isolate Hosts or Lock User Accounts
  • Send Push Notifications to other users
  • Post all updates for an incident into a team room
  • Post all comments from an incident room to an incident ticket
  • Sharing Incident Handover Notes
  • Proactively run any automation story

Next Up: Part 2 – How to Proactively Send Notifications in Microsoft Teams

To learn more about how Chatbots or other ways Tines can help your automation journey, book a demo, start a free trial, or contact us hello@tines.io. 

Tines Summer Release 2019

July 12, 2019 in Blog

On today’s blog we’re delighted to announce details of the latest and greatest Tines features launched in the Tines Summer 2019 release. The Tines Summer Release is jam-packed with new features including:

  • Agent Templates & Private Templates
  • Improved Searching
  • Time-based Deduplication
  • Emit and Tag Duplicate Events
  • Emit and Tag Non-Matching Trigger Events
  • Asynchronous Event Loading

Existing Cloud tenants always stay on the latest release, so Tines Cloud customers do not need to take any action. Tines On-Premise and Kubernetes customers can log in to the Tines customer portal and download the release and installation instructions now.

Agent Templates

You asked, we answered! The most exciting feature of the Tines Summer Release 2019 is Agent Templates. Tines now has automation templates for nearly 1,000 security actions commonly performed by security teams on the most popular security products.

Sample templates include:

  • Create A New Issue in Jira
  • Isolate a Host in Carbon Black
  • Search for Hash in VirusTotal
  • Disable a User Account in Microsoft Graph
  • Retrieve Email Headers in Outlook
  • Upload an Attachment to Box
  • Search for Details within Tickets in Service Now 
  • Create a New Alert in The Hive
  • Upload Samples to the Hybrid Analysis Sandbox
  • Scan a DynamoDB Table
  • Retrieve Analysis Results from App.Any.Run

It’s important to note that Tines integrates with any tool in your stack that exposes an API, regardless of whether a template exists for it. Templates help jump-start automation stories but are just that: a springboard from which you can begin automating all your manual workflows!

To view all available templates now, simply create a new agent within Tines. You will be presented with a list of hundreds of automatically generated templates which can be filtered by vendor, agent type, and privacy level. You can also search on the right hand side for specific terms like “Carbon Black” or “MD5”.

Users can still build agents from scratch using the “Start with a Blank Agent” tab.

Got a suggestion for agent templates that we’re missing? Email hello@tines.io and we’ll add them in right away!

Private Templates

In addition to the thousand public templates that are now available, Tines has also enabled “Private Templates”. If you have a private API that you use internally, or if you have custom fields and configurations for your own tools (like Jira, Splunk, AWS etc.) you can create your own Private Agent Templates within Tines. These templates are viewable to everyone within your company, and can be shared among all your Tines production and test tenants.

Creating Private Templates

To create a Private Template, find an agent that you have saved, and in the Actions Menu click “Create Template”. (Note, only Tines admins are able to create Private Templates).

Fill the appropriate details in the “Create a New Agent Template” page

Your template will then be visible in the “Manage Templates” page in the Admin Tab in your Tines tenant.

In addition, you will be able to choose this template from within the “Create New Agent” templates page.

You can also view all your Private Agent Templates using the Visibility: “Private” filter on the left hand side of the Agent Template search page.

Retry on Status Failure in HTTP Request Agents

When trying to automate manual processes using Tines, custom scripts, or any automation platform, customers often run into a stumbling block: when an action fails or is interrupted, the entire automation flow fails. Common causes are rate limits on the receiving server, a site being down, or a simple network blip. When such an error occurs in an automation story or a script it can be hard to detect, and in some cases the whole flow has to be restarted by hand.

To tackle this problem in Tines, you can now add an optional flag to every HTTP Request Agent called “fail_on_status”. With this flag enabled, if Tines receives a non-2xx HTTP response code when an agent runs, it will re-run the agent up to 40 times with an exponential back-off over a 30 day period, until it receives a 2xx response code. Now when Jira is down, or when VirusTotal returns a 429 rate limit response code, Tines will automatically re-run the agent with the same incoming event, and your automation story will continue as soon as the service is back up. A sample configuration is below
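An added Python example (not the Tines configuration, which is not reproduced above) of the retry policy this feature implements: a bounded number of attempts with exponential back-off, re-issuing the same request for the same event until a 2xx comes back. Tines retries on any non-2xx; this example narrows that to 429 and 5xx, honouring a Retry-After header when one is present, and gives up immediately on other 4xx codes such as 401 or 403, since repeating an unauthorised request for 30 days will not make the credential valid. The sleep function and the server responses are injected so the schedule can be checked without waiting.

```python
import random
from typing import Callable, List, Optional, Tuple

Response = Tuple[int, dict, dict]     # (status, headers, body); constructed shape for this example
RETRYABLE = {408, 429, 500, 502, 503, 504}


def backoff_delay(attempt: int, base: float = 1.0, cap: float = 3600.0, jitter: bool = True) -> float:
    """Exponential back-off, capped, with full jitter so retries from many agents do not align."""
    delay = min(cap, base * (2 ** attempt))
    return random.uniform(0, delay) if jitter else delay


def request_with_retry(send: Callable[[], Response], sleep: Callable[[float], None],
                       max_attempts: int = 40) -> Response:
    """Re-issue the same request until it succeeds or the attempt budget is spent."""
    last: Optional[Response] = None
    for attempt in range(max_attempts):
        status, headers, body = last = send()
        if 200 <= status < 300:
            return last
        if status not in RETRYABLE:
            raise RuntimeError(f"HTTP {status} is not retryable; fix the request or credential")
        retry_after = headers.get("Retry-After")       # the server's own back-off wins
        sleep(float(retry_after) if retry_after else backoff_delay(attempt, jitter=False))
    raise RuntimeError(f"gave up after {max_attempts} attempts, last status {last[0] if last else None}")


def scripted(responses: List[Response]) -> Callable[[], Response]:
    """Constructed server that returns the given responses in order."""
    queue = list(responses)
    return lambda: queue.pop(0)


def run(responses: List[Response]) -> Tuple[int, List[float]]:
    """Drive a scripted server, recording sleeps; returns (final status, sleep schedule)."""
    slept: List[float] = []
    final = request_with_retry(scripted(responses), slept.append)
    return final[0], slept


if __name__ == "__main__":
    # A VirusTotal-style rate limit, then a short outage, then success.
    print(run([(429, {"Retry-After": "5"}, {}), (503, {}, {}), (503, {}, {}), (200, {}, {"ok": True})]))
```

Jitter is disabled in the demo only so the schedule is checkable; in production leave it on, otherwise every agent that hit the same outage retries in lock-step and reproduces the spike that caused the 429s.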

Improved Search

We’re delighted to announce that the Summer Release includes a much improved search interface within Tines. The Search bar in the top right hand corner will now search and return results for Stories, Agents and Credentials. It performs a full text search within agents configurations too, so you can find all agents which reference a particular hostname or use a particular command. Try it out now in your own tenant!

Time Based Deduplication

One of the most frequent causes of fatigue in information security teams is alert overload. That’s why in Tines we have a “deduplication” mode within Event Transformation Agents – to suppress noisy alerts and prevent analysts having to repeat the same work over and over again.

In Tines we recognize that you often need to suppress events for a set period rather than ignoring all duplicate events forever. If an alert fires, you may want to suppress that same alert for another 24 hours, or simply not see it for another 100 events, or never again. As a result, we have enhanced the deduplication mode in the Event Transformation Agent: you can now deduplicate based on a time period as well as on a lookback through previously received events.

  • A time-based deduplication analyzes each event that is received for uniqueness, and subsequent matching events will not be emitted until this time period has elapsed. A sample time based deduplication is below.
  • A lookback deduplication will examine the previous X events for uniqueness, regardless of when the events happened. It takes a parameter “lookback” which will be the number of events to store which Tines checks against for uniqueness.

Emit Duplicate and Emit on No Match

Emit Duplicates in Event Transformation Agents

A complementary feature launched along with Time Based Deduplication is an emit_duplicate flag for Event Transformation Agents in deduplication mode and an emit_no_match flag for Trigger Agents.

When the emit_duplicate flag is set to “true”, in deduplication mode, duplicate events are emitted by the Event Transformation Agent. Duplicate events return the value “unique_event”:”false” in the emitted event, non-duplicate events will return the value “true”. Using this flag, users can create more complex stories, e.g. adding details of duplicate events to existing tickets, creating lower priority duplicate alerts, or taking a lower-risk action based on the fact it is a duplicate event. A sample configuration is below.

Emit on No Match in Trigger Agents

Similar to the “Emit Duplicate” flag, the emit_no_match flag is also available within Trigger Agents. Events which do not match the trigger agent’s rules can now be emitted, but will have the field “rule_matched” set to ‘false’. Events which match the rule will have “rule_matched” set to ‘true’. This new feature allows users to build and maintain a set of trigger rules within one agent.

A sample configuration for a trigger agent with emit_no_match set to true is below.
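As an added Python example (not Tines code, and not the sample configurations referred to above), here is a model of both behaviours described in this section: an event transformation agent in deduplication mode with either a time period or a lookback window and the emit_duplicate flag, and a trigger agent with emit_no_match. Which fields make two events “the same” is a design choice; this example fingerprints only the named keys. The clock and the sample alerts are constructed so the output can be checked deterministically.

```python
import hashlib
import json
import re
from collections import deque
from typing import Deque, Dict, List, Optional, Sequence, Tuple


def fingerprint(event: dict, keys: Sequence[str]) -> str:
    """Stable hash of just the fields that define 'the same alert'."""
    subset = {k: event.get(k) for k in keys}
    return hashlib.sha256(json.dumps(subset, sort_keys=True).encode()).hexdigest()


class Deduplicator:
    """Deduplication mode: time-based (period_seconds) or lookback (last N received events)."""

    def __init__(self, keys: Sequence[str], period_seconds: Optional[float] = None,
                 lookback: Optional[int] = None, emit_duplicate: bool = False):
        if (period_seconds is None) == (lookback is None):
            raise ValueError("choose exactly one of period_seconds or lookback")
        self.keys, self.period, self.emit_duplicate = keys, period_seconds, emit_duplicate
        self.last_unique: Dict[str, float] = {}                  # time mode: fp -> when last emitted as unique
        self.window: Optional[Deque[str]] = deque(maxlen=lookback) if lookback else None

    def process(self, event: dict, now: float) -> Optional[dict]:
        """Return the event with unique_event set, or None if it is suppressed."""
        fp = fingerprint(event, self.keys)
        if self.window is not None:                              # lookback mode
            duplicate = fp in self.window
            self.window.append(fp)                               # every received event counts
        else:                                                    # time mode
            last = self.last_unique.get(fp)
            duplicate = last is not None and now - last < self.period
            if not duplicate:
                self.last_unique[fp] = now                       # period restarts at the next unique
        if duplicate and not self.emit_duplicate:
            return None
        return dict(event, unique_event=not duplicate)


def trigger(event: dict, rules: List[Tuple[str, str, str]], emit_no_match: bool = False) -> Optional[dict]:
    """Trigger agent: all rules must match. rule = (field, "equals" | "regex", value)."""
    matched = True
    for field, kind, value in rules:
        actual = str(event.get(field, ""))
        ok = actual == value if kind == "equals" else re.search(value, actual) is not None
        matched = matched and ok
    if not matched and not emit_no_match:
        return None
    return dict(event, rule_matched=matched)


def demo() -> List[str]:
    """Constructed alert stream: same rule on the same host 10 minutes apart, a new host, then a day later."""
    alerts = [
        (0, {"host": "web-1", "rule": "ssh_bruteforce", "severity": "high"}),
        (600, {"host": "web-1", "rule": "ssh_bruteforce", "severity": "high"}),
        (700, {"host": "web-2", "rule": "ssh_bruteforce", "severity": "low"}),
        (90000, {"host": "web-1", "rule": "ssh_bruteforce", "severity": "high"}),   # > 24h later
    ]
    dedup = Deduplicator(["host", "rule"], period_seconds=86400, emit_duplicate=True)
    out: List[str] = []
    for t, alert in alerts:
        emitted = dedup.process(alert, now=t)
        if emitted is None:
            continue
        page = trigger(emitted, [("severity", "equals", "high"), ("rule", "regex", r"^ssh_")],
                       emit_no_match=True)
        out.append(f"{alert['host']} unique={page['unique_event']} matched={page['rule_matched']}")
    return out


if __name__ == "__main__":
    print("\n".join(demo()))
```

With emit_duplicate and emit_no_match both on, nothing is dropped; downstream agents branch on unique_event and rule_matched instead, which is what lets one story page for the first high-severity hit and only annotate the ticket for the repeats.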

Asynchronous Event Loading

The last major feature of the Summer Release is an under-the-hood user experience improvement. When using Tines to automate AWS workflows; collect logs; analyze malware; and other common use-cases, some events in Tines can become extremely large. Previewing these Events within Tines is now much faster thanks to our new Asynchronous Event Loading feature. Tines will now only show the event data that the user wants to see. Expanding the json in the View Events page will then dynamically pull back the relevant data from the Tines database. Asynchronous Event Loading allows users to quickly preview the relevant section of the event, without waiting for the entire event to be downloaded. Each event should now take just fractions of a second to load making for a more seamless user experience.

That’s all for this year’s Summer Release. To get on the beta to test new features as they are being developed, simply talk to your Tines account manager. 

To learn more about how these features can help your automation journey, book a demo, start a free trial, or contact us hello@tines.io. 

Processing and Enriching AWS Security Hub Findings in Tines

July 5, 2019 in Blog

With AWS Security Hub, Amazon have provided a way for AWS customers to “quickly see their entire AWS security and compliance state in one place, and so help to identify specific accounts and resources that require attention.”

Security Hub went GA in July 2019 and although there is debate around the material value the service will provide, specifically in terms of ROI (when it’s enabled, 30+ Config rules are created per account, this can quickly become expensive), the benefit for enterprise security teams of having a centralised portal for Inspector, GuardDuty and CIS benchmark findings is intriguing.

In this post we will explore how to send findings from Security Hub to Tines so they can be enriched, prioritised, deduplicated and ticketed.

How AWS Security Hub Works

When you enable Security Hub, it immediately begins consuming, aggregating, organizing, and prioritizing findings from AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, and from AWS partner security products. Security Hub generates its own findings by running continuous, automated compliance checks based on AWS best practices and supported industry standards. It then correlates and consolidates findings across providers to help you prioritize the most significant findings.

As AWS Security Hub discovers findings, it will automatically send them to CloudWatch Events. As a result of this automated process, it’s simple to trigger notifications to Tines through SNS Topics.

Tines AWS Security Hub Automation Story

Here you will find a Tines automation story which you should download and import into your Tines tenant. The story contains five agents, including a Webhook Agent which we’ll use to receive events from Security Hub.

Tines Webhook Agent Receive SNS Notifications

Take a note of the Webhook URL from the Summary tab in the Tines agent view, we’ll need to provide this to AWS. In the above example, the Webhook URL is: https://hq.tines.io/users/1/web_requests/1162/de38b6203ae66ed5ec6b76ba419f7f8e

Using the Tines AWS Security Hub CloudFormation Template

Next you will need to configure AWS Security Hub to send CloudWatch Events to Tines. Although you can do this manually, we also provide a CloudFormation template which does the hard work for you.

Download the template from here and upload it to CloudFormation.

Once you have uploaded the file, click Next and give the stack a name, then provide the following parameters:

EventPatternParameter: { "source": [ "aws.securityhub" ] }

TinesWebhookURL: The Webhook URL taken from the Receive AWS Security Hub Notification webhook agent.

After selecting Create Stack, CloudFormation will begin creating the stack. When CloudFormation is finished creating the stack, it sends a new SNS Subscription Confirmation Event to Tines (sample below).

AWS Security Hub SNS SubscribeConfirmation Event in Tines

We’ve configured the Confirm subscription HTTP Request Agent to send a GET request to the SubscribeURL defined by SNS. This confirms the SNS subscription, so Security Hub findings will now be delivered to Tines. Because anyone who can reach the webhook could post their own SubscriptionConfirmation message, it is worth checking that the SubscribeURL points at an sns.<region>.amazonaws.com host before the agent fetches it.

Receiving AWS Notifications in Tines

You should now have everything needed to begin automating response to Security Hub Findings in Tines. When Security Hub triggers a Finding, it will send a notification event to the Tines Webhook agent. A sample event is shown below:

AWS Security Hub Notification Event in Tines Security Automation Platform

The important information describing the Security Hub finding is in an escaped JSON string, this makes further automation challenging. To parse this string into a “friendlier” format, we use the Liquid Filter json_parse in a message_only mode Event Transformation Agent.

Events emitted by this agent will contain the Finding’s details in a format we can easily use in Tines to further enrich, deduplicate, prioritise and even automatically remediate the Finding.
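Here is an added Python example (not the story’s agents) of the two messages SNS posts to the webhook: the SubscriptionConfirmation, whose SubscribeURL must be fetched to complete the subscription, and the Notification, whose Message field is the CloudWatch event as an escaped JSON string that has to be parsed before the finding’s fields are usable (the equivalent of the json_parse filter above). The example only follows a SubscribeURL on an https sns.<region>.amazonaws.com host; verifying the SNS signature in the Signature and SigningCertURL fields is a further check it does not implement. The sample messages, the finding and the fetch function are constructed.

```python
import json
import re
import urllib.parse
from typing import Callable, Dict

SNS_HOST = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com$")   # assumed allow-list for SubscribeURL hosts


def safe_sns_url(url: str) -> bool:
    """Only confirm subscriptions through SNS itself, over HTTPS."""
    parts = urllib.parse.urlsplit(url)
    return parts.scheme == "https" and SNS_HOST.match(parts.hostname or "") is not None


def summarise_finding(finding: dict) -> Dict[str, object]:
    """Pull the fields an analyst triages on out of an ASFF finding."""
    severity = finding.get("Severity", {})
    return {
        "id": finding.get("Id"),
        "title": finding.get("Title"),
        "severity": severity.get("Label") or severity.get("Normalized"),
        "account": finding.get("AwsAccountId"),
        "resources": [r.get("Id") for r in finding.get("Resources", [])],
        "generator": finding.get("GeneratorId"),
    }


def handle_sns(message: dict, fetch: Callable[[str], int]) -> Dict[str, object]:
    """Dispatch on the SNS envelope's Type; returns what the story would emit."""
    kind = message.get("Type")
    if kind == "SubscriptionConfirmation":
        url = message["SubscribeURL"]
        if not safe_sns_url(url):
            raise ValueError(f"refusing to confirm subscription via non-SNS URL {url}")
        return {"action": "confirmed", "status": fetch(url)}
    if kind == "Notification":
        event = json.loads(message["Message"])           # the escaped JSON string, parsed
        if event.get("source") != "aws.securityhub":
            return {"action": "ignored", "source": event.get("source")}
        findings = [summarise_finding(f) for f in event.get("detail", {}).get("findings", [])]
        return {"action": "findings", "detail_type": event.get("detail-type"), "findings": findings}
    raise ValueError(f"unexpected SNS message type {kind!r}")


# Constructed SNS messages, shaped like the real envelopes.
CONFIRMATION = {
    "Type": "SubscriptionConfirmation",
    "TopicArn": "arn:aws:sns:eu-west-1:123456789012:tines-securityhub",
    "SubscribeURL": "https://sns.eu-west-1.amazonaws.com/?Action=ConfirmSubscription"
                    "&TopicArn=arn:aws:sns:eu-west-1:123456789012:tines-securityhub&Token=2336412f37",
}
FINDING_EVENT = {
    "version": "0", "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "account": "123456789012", "region": "eu-west-1",
    "detail": {"findings": [{
        "Id": "arn:aws:guardduty:eu-west-1:123456789012:detector/abc/finding/def",
        "Title": "EC2 instance i-0abc is communicating with a known C2 host",
        "AwsAccountId": "123456789012",
        "GeneratorId": "arn:aws:guardduty:eu-west-1:123456789012:detector/abc",
        "Severity": {"Normalized": 70, "Label": "HIGH"},
        "Resources": [{"Type": "AwsEc2Instance",
                       "Id": "arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc"}],
    }]},
}
NOTIFICATION = {"Type": "Notification", "TopicArn": CONFIRMATION["TopicArn"],
                "Message": json.dumps(FINDING_EVENT)}   # SNS delivers the event as a string


def fake_fetch(url: str) -> int:
    """Constructed stand-in for the GET the Confirm subscription agent makes."""
    return 200


if __name__ == "__main__":
    print(handle_sns(CONFIRMATION, fake_fetch))
    print(json.dumps(handle_sns(NOTIFICATION, fake_fetch), indent=2))
```

The summarised finding is the shape the rest of the story wants: the resource ARNs drive enrichment, the Id is the natural deduplication key, and the severity label is what the ticket priority is mapped from.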

To learn more about AWS automation in Tines, or what this might look like in your environment, you can book a demo, start a free trial, or contact us at hello@tines.io.