July 9, 2025
How To Automate Ticket Creation, Device Identification and Threat Triage With Tines
Run by the team at workflow orchestration and AI platform Tines, the Tines library features over 1,000 pre-built workflows shared by security practitioners from across the community - all free to import and deploy through the platform’s Community Edition. A recent standout is a workflow that handles malware alerts with CrowdStrike, Oomnitza, GitHub, and PagerDuty. Developed by Lucas Cantor at

Jul 09, 2025The Hacker NewsSecurity Operations / Automation

Run by the team at workflow orchestration and AI platform Tines, the Tines library features over 1,000 pre-built workflows shared by security practitioners from across the community – all free to import and deploy through the platform’s Community Edition.

A recent standout is a workflow that handles malware alerts with CrowdStrike, Oomnitza, GitHub, and PagerDuty. Developed by Lucas Cantor at Intercom, the creators of fin.ai, the workflow makes it easier to determine the severity of a security alert and escalate it seamlessly, depending on the device owner’s response. “It’s a great way to reduce noise and add context to security issues that are added on our endpoints as well,” Lucas explains.

In this guide, we’ll share an overview of the workflow, plus step-by-step instructions for getting it up and running.

The problem – lack of integration between security tools

For security teams, responding to malware threats, analyzing their severity, and identifying the device owner so they can be contacted to resolve the threat, can take up a lot of time.

From a workflow perspective, teams often have to:

  • Manually respond to CrowdStrike events
  • Enrich the alert with additional metadata
  • Document and alert the device owner in Slack
  • Notify on call teams via PagerDuty

Going through this process manually can result in delays and increase the chances of human error.

The solution – automated ticket creation, device identification, and threat triage

Lucas’s prebuilt workflow automates the process of taking the malware alert and creating the case – while crucially notifying the device owner and the on-call team. This workflow helps security teams accurately identify the level of threat faster by:

  • Detecting new alerts from Crowdstrike
  • Identifying and notifying the device owner
  • Escalating critical issues

The result is streamlined response to malware security alerts that ensures they are dealt with quickly, no matter what the severity.

Key benefits of this workflow:

  • Reduced remediation time
  • Device owner is kept informed
  • Clear remediation and escalation pathways
  • Centralized management system

Workflow overview

Tools used:

  • Tines – workflow orchestration and AI platform (free Community Edition available)
  • Crowdstrike – threat intelligence and EDR platform
  • Oomnitza – IT asset management platform
  • Github – developer platform
  • PagerDuty – incident management platform
  • Slack – team collaboration platform

How it works

Part 1

  • Get a security alert from CrowdStrike
  • Find the device that the alert was triggered and look up its details
  • Create a ticket in GitHub for the alert and raise the issue in a Slack message
  • If the device is owned by a user and it is a low priority,
    • Send the owner a message requesting escalation
  • If the device is owned by a user and it is a high priority,
    • Create a PagerDuty Event to notify the on-call analyst
    • Informing the owner of the ongoing issue

Part 2

  • Get a user interaction with the Slack message
  • Enrich the GitHub issue with the users response
  • If the owner escalates the issue
    • Create a PagerDuty Event to notify the on-call analyst

Configuring the workflow – step-by-step guide

1. Log into Tines or create a new account.

2. Navigate to the pre-built workflow in the library. Select import. This should take you straight to your new pre-built workflow.

3. Set up your credentials

You’ll need five credentials added to your Tines tenant:

  • CrowdStrike
  • Oomnitza
  • Github
  • PagerDuty
  • Slack

Note that similar services to the ones listed above can also be used, with some adjustments to the workflow.

From the credentials page, select New credential, scroll down to the relevant credential and complete the required fields. Follow the CrowdStrike, Oomnitza, Github, PagerDuty, and Slack credential guides at explained.tines.com if you need help.

4. Configure your actions.

  • Set your environment variables. This includes your:
    • Slack IT channel alerting webhook (`slack_channel_webhook_urls_prod`)
    • CrowdStrike/GitHub severity priority mapping (`crowdstrike_to_github_priority_map`)
  • Configure CrowdStrike to alert the New CrowdStrike Detection webhook when a detection is created
  • Configure your SlackBot interactivity URL to the Receive Slack Button Push webhook

5. Test the workflow.

6. Publish and operationalize

Once tested, publish the workflow.

If you’d like to test this workflow, you can sign up for a free Tines account.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related News

U.S. Sanctions North Korean Andariel Hacker Behind Fraudulent IT Worker Scheme U.S. Sanctions North Korean Andariel Hacker Behind Fraudulent IT Worker Scheme

U.S. Sanctions North Korean Andariel Hacker Behind Fraudulent IT Worker Scheme

DoNot APT Expands Operations, Targets European Foreign Ministries with LoptikMod Malware DoNot APT Expands Operations, Targets European Foreign Ministries with LoptikMod Malware

DoNot APT Expands Operations, Targets European Foreign Ministries with LoptikMod Malware

Chinese Hacker Xu Zewei Arrested for Ties to Silk Typhoon Group and U.S. Cyber Attacks Chinese Hacker Xu Zewei Arrested for Ties to Silk Typhoon Group and U.S. Cyber Attacks

Chinese Hacker Xu Zewei Arrested for Ties to Silk Typhoon Group and U.S. Cyber Attacks

Microsoft Patches 130 Vulnerabilities, Including Critical Flaws in SPNEGO and SQL Server Microsoft Patches 130 Vulnerabilities, Including Critical Flaws in SPNEGO and SQL Server

Microsoft Patches 130 Vulnerabilities, Including Critical Flaws in SPNEGO and SQL Server

You may have missed

Bitcoin rises to fresh record above $112,000, helped by Nvidia-led tech rally Bitcoin rises to fresh record above 2,000, helped by Nvidia-led tech rally

Bitcoin rises to fresh record above $112,000, helped by Nvidia-led tech rally

U.S. Sanctions North Korean Andariel Hacker Behind Fraudulent IT Worker Scheme U.S. Sanctions North Korean Andariel Hacker Behind Fraudulent IT Worker Scheme

U.S. Sanctions North Korean Andariel Hacker Behind Fraudulent IT Worker Scheme

How To Automate Ticket Creation, Device Identification and Threat Triage With Tines How To Automate Ticket Creation, Device Identification and Threat Triage With Tines

How To Automate Ticket Creation, Device Identification and Threat Triage With Tines

Dark Dwarfs: New Star-Like Objects May Reveal Nature of Dark Matter Dark Dwarfs: New Star-Like Objects May Reveal Nature of Dark Matter

Dark Dwarfs: New Star-Like Objects May Reveal Nature of Dark Matter

NASA Astronaut Captures Rare Red Sprite Over Storm from Space Station NASA Astronaut Captures Rare Red Sprite Over Storm from Space Station

NASA Astronaut Captures Rare Red Sprite Over Storm from Space Station

Progress 92 Spacecraft Docks at ISS with Vital Supplies for Expedition 73 Progress 92 Spacecraft Docks at ISS with Vital Supplies for Expedition 73

Progress 92 Spacecraft Docks at ISS with Vital Supplies for Expedition 73