Full Report
Run by the team at orchestration, AI, and automation platform Tines, the Tines library contains pre-built workflows shared by real security practitioners from across the community, all of which are free to import and deploy via the Community Edition of the platform. Their bi-annual “You Did What with Tines?!” competition highlights some of the most interesting workflows submitted by their
Analysis Summary
# Tool/Technique: CrowdStrike RFM Reporting Automation Workflow (Tines)
## Overview
This document summarizes a workflow designed to automate the tracking and reporting of endpoints in Reduced Functionality Mode (RFM) within the CrowdStrike Falcon environment. The workflow leverages the Tines automation platform, including its AI-driven features, to replace a manual, time-consuming reporting process performed weekly by SecOps teams.
## Technical Details
- Type: Automation Workflow / Procedure
- Platform: CrowdStrike Falcon (the workflow retrieves host data from the Falcon console/API)
- Capabilities: Automated data retrieval, processing, report generation (email with CSV attachment), and workflow orchestration via Tines.
- First Seen: Recent (part of a Tines competition highlighting LLM/AI applications).
## MITRE ATT&CK Mapping
This workflow primarily focuses on automating operational tasks rather than offensive actions. However, the underlying data gathering relates to security visibility:
- **TA0007 - Discovery**
- T1087 - Account Discovery (Related, as it deals with endpoint state visibility)
- T1046 - Network Service Scanning (would apply only if the underlying process involved host interrogation; here the process appears to be API/console driven)
## Functionality
### Core Capabilities
- **Trigger Mechanism:** Initiated by a user submission via a web form (Tines Pages feature).
- **Data Retrieval:** Queries the CrowdStrike Falcon console to filter and retrieve data on hosts currently in RFM for the last week.
- **Reporting:** Generates consistent, actionable email reports detailing RFM occurrences, including a CSV attachment.
- **Time Saving:** Reduces a 30-minute weekly manual task (checking console, exporting report) to an automated process run in minutes.
### Advanced Features
- **Tines Automatic Mode (AI Integration):** Uses build-time AI to generate custom Python code for data transformation based on user guidance. Once saved, only the generated code executes, improving efficiency and reducing dependency on manual coding.
- **Workflow Orchestration:** Uses Tines to coordinate multiple steps: form intake, data processing, and notification delivery.
- **Proactive Monitoring:** Enables management to track trends in RFM occurrences beyond manual weekly checks.
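The data-transformation step described above (filter hosts to those in RFM within the last week, then emit a CSV for the email report) can be sketched in plain Python. This is an added illustration, not the workflow's own Tines-generated code: the record field names (`device_id`, `hostname`, `last_seen`, `reduced_functionality_mode`, `agent_version`, `os_version`) are assumed to match Falcon host records, the sample hosts are constructed, and the cell neutralization step is an added defensive detail because the report is opened as a spreadsheet attachment.

```python
"""Transform Falcon host records into a weekly RFM report (CSV + summary).

Added example modelled on the workflow above; field names are assumed and
the SAMPLE_HOSTS below are constructed, not real data.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of what a host query step might hand to the transform.
# Timestamps are assumed to be ISO 8601 UTC with a trailing "Z".
SAMPLE_HOSTS = [
    {"device_id": "aaa111", "hostname": "lab-win-01", "last_seen": "2024-05-20T09:15:00Z",
     "reduced_functionality_mode": "yes", "agent_version": "7.12.18", "os_version": "Windows 11"},
    {"device_id": "bbb222", "hostname": "lab-win-02", "last_seen": "2024-05-21T11:00:00Z",
     "reduced_functionality_mode": "no", "agent_version": "7.12.18", "os_version": "Windows 11"},
    {"device_id": "ccc333", "hostname": "lab-lnx-01", "last_seen": "2024-05-10T08:00:00Z",
     "reduced_functionality_mode": "yes", "agent_version": "7.10.05", "os_version": "Ubuntu 22.04"},
    # Constructed hostname beginning with "=" to exercise the neutralization step.
    {"device_id": "ddd444", "hostname": "=lab-mac-02", "last_seen": "2024-05-21T16:30:00Z",
     "reduced_functionality_mode": "yes", "agent_version": "7.11.02", "os_version": "macOS 14"},
]
REPORT_TIME = datetime(2024, 5, 22, 0, 0, tzinfo=timezone.utc)  # constructed "now"
FIELDS = ["device_id", "hostname", "last_seen", "agent_version", "os_version"]


def parse_ts(value):
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as aware UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def neutralize_cell(value):
    """Prefix cells that a spreadsheet would treat as a formula.

    Hostnames and versions come from endpoints, so the attachment should not
    carry cells that start with =, +, -, or @ unescaped.
    """
    text = str(value)
    return "'" + text if text[:1] in ("=", "+", "-", "@") else text


def filter_rfm_hosts(hosts, now, days=7):
    """Keep hosts flagged as RFM and last seen within the lookback window."""
    cutoff = now - timedelta(days=days)
    rows = []
    for host in hosts:
        if host.get("reduced_functionality_mode") != "yes":
            continue
        seen = parse_ts(host["last_seen"])
        if seen < cutoff:
            continue
        rows.append({field: neutralize_cell(host.get(field, "")) for field in FIELDS})
    # Most recently seen first, so the top of the report is the freshest RFM host.
    rows.sort(key=lambda r: parse_ts(r["last_seen"]), reverse=True)
    return rows


def build_csv(rows):
    """Render the filtered rows as the CSV text that would be attached to the email."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_summary(rows):
    """Counts for the email body: total RFM hosts and a breakdown by OS."""
    by_os = {}
    for row in rows:
        by_os[row["os_version"]] = by_os.get(row["os_version"], 0) + 1
    return {"total": len(rows), "by_os": by_os}


if __name__ == "__main__":
    report_rows = filter_rfm_hosts(SAMPLE_HOSTS, REPORT_TIME)
    print(build_summary(report_rows))
    print(build_csv(report_rows))
```

The lookback and the "now" value are parameters rather than being read from the clock so the same transform can be replayed against a captured host list when checking why a host did or did not appear in a given week's report.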
## Indicators of Compromise
This is a defensive automation workflow; therefore, traditional IOCs are not applicable. The primary integrations involve accessing the CrowdStrike API, which would require valid API credentials configured within the Tines connection objects.
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Interaction with the CrowdStrike API endpoint (specific URL not detailed, but required for operation).
- Behavioral Indicators: Automated API queries against the CrowdStrike console endpoint designed to pull host management status data.
## Associated Threat Actors
This is a security operations tool/procedure created and shared by the security community (e.g., Tom Power at The University of British Columbia) to improve defensive posture and efficiency. No threat actors are associated with this specific deployment method.
## Detection Methods
Since this is an internal automation workflow, detection focuses on monitoring the platform it runs on (Tines) and usage patterns:
- **Signature-based detection:** N/A (It is a legitimate integration).
- **Behavioral detection:** Monitoring for excessive or unexpected programmatic access to the CrowdStrike API endpoints responsible for retrieving RFM status.
- **YARA rules if available:** N/A
## Mitigation Strategies
The workflow itself is an operational-efficiency measure; the relevant mitigation points concern how it is adopted and hardened:
- **Prevention measures:** Implementing workflow automation platforms (like Tines) to manage repetitive security tasks.
- **Hardening recommendations:** Ensuring Tines connections to external APIs (like CrowdStrike) use least-privilege service accounts.
## Related Tools/Techniques
- **Tines:** The core platform used for building and running the automation workflow. The workflow leverages Tines Pages and build-time AI features.
- **CrowdStrike Falcon:** The endpoint security system that provides the data source (RFM status).
- **General SOAR/Automation Platforms:** Other no-code automation platforms could achieve similar results, though potentially lacking the specific Tines features like Pages or the integrated AI code generation in Automatic Mode.