Tines summer release 2019

Tines summer release 2019

On today’s blog we’re delighted to announce details of the latest and greatest Tines features launched in the Tines Summer 2019 release. The Tines Summer Release is jam-packed with new features including:

  • Agent Templates & Private Templates
  • Improved Searching
  • Time-based Deduplication
  • Emit and Tag Duplicate Events
  • Emit and Tag Non-Matching Trigger Events
  • Asynchronous Event Loading

Existing Cloud tenants always stay on the latest release so Tines Cloud customers do not need to take any action. Tines On-Premise and Kubernetes customers can login to the Tines customer portal and download the release and installation instructions now.

Agent Templates

You asked, we answered! The most exciting figure of the Tines Summer Release 2019 is Agent Templates. Tines now has automation templates for nearly 1,000 security actions commonly performed by security teams for the most popular security products.

Sample templates include:

  • Create A New Issue in Jira
  • Isolate a Host in Carbon Black
  • Search for Hash in VirusTotal
  • Disable a User Account in Microsoft Graph
  • Retrieve Email Headers in Outlook
  • Upload an Attachment to Box
  • Search for Details within Tickets in Service Now
  • Create a New Alert in The Hive
  • Upload Samples to the Hybrid Analysis Sandbox
  • Scan a DynamoDB Table
  • Retrieve Analysis Results from App.Any.Run

It’s important to note that Tines integrates automatically with any tool in your stack with any API, regardless of the templates that exist. Templates help jump-start automation stories but are just that: a springboard on which you can begin automating all your manual workflows!

To view all available templates now, simply create a new agent within Tines. You will be presented with a list of hundreds of automatically generated templates which can be filtered by vendor, agent type, and privacy level. You can also search on the right hand side for specific terms like “Carbon Black” or “MD5”.

Users can still build agents from scratch using the “Start with a Blank Agent” tab.

Got a suggestion for agent templates that we’re missing? Email hello@tines.io and we’ll add them in right away!

Private Templates

In addition to the thousand public templates that are now available, Tines has also enabled “Private Templates”. If you have a private API that you use internally, or if you have custom fields and configurations for your own tools (like Jira, Splunk, AWS etc.) you can create your own Private Agent Templates within Tines. These templates are viewable to everyone within your company, and can be shared among all your Tines production and test tenants.

Creating Private Templates

To create a Private Template, find an agent that you have saved, and in the Actions Menu click “Create Template”. (Note, only Tines admins are able to create Private Templates).

Fill the appropriate details in the “Create a New Agent Template” page

Your template will then be visible in the “Manage Templates” page in the Admin Tab in your Tines tenant.

In addition, you will be able to choose this template from within the “Create New Agent” templates page.

You can also view all your Private Agent Templates using the Visibility: “Private” filter on the left hand side of the Agent Template search page.

Retry on Status Failure in HTTP Request Agents

When trying to automate manual processes using Tines, custom scripts, or any automation platform, customers often run into a stubmling block: when an action fails or is interrupted (e.g. when sites are down, or when the receiving server detects an error, or is rate limited the script) the entire automation flow fails. Common causes of this are rate limits on the server or a simple network blip. When an error occurs in automation stories or in scripts it can be tough to detect, and in some cases the entire automation flow fails.

To tackle this problem in Tines you can now add an optional flag to every http request agent called “fail_on_status”. With this flag enabled, if Tines receives a non-2xx http response code when an agent runs it will re-run the agent 40 times with an exponential back-off over a 30 day period, until it receives a 2xx http response code. Now when Jira is down, or when VirusTotal returns a 429 rate limit response code, Tines will auto-rerun the agent with the same incoming event. Your Tines automation story will then continue as soon as the service is back-up. A sample configuration is below

"url": "https://urlscan.io/api/v1/scan/",
"content_type": "json",
"method": "post",
    "url": "https://tines.io/",
    "public": "on",
    "API-Key":"{% credential urlscan_io %}"
"fail_on_status": "1",
"expected_update_period_in_days": "1

Improved Search

We’re delighted to announce that the Summer Release includes a much improved search interface within Tines. The Search bar in the top right hand corner will now search and return results for Stories, Agents and Credentials. It performs a full text search within agents configurations too, so you can find all agents which reference a particular hostname or use a particular command. Try it out now in your own tenant!

Time Based Deduplication

One of the most frequent causes of fatigue in information security teams is alert overload. That’s why in Tines we have a “deduplication” mode within Event Transformation Agents – to suppress noisy alerts and prevent analysts having to repeat the same work over and over again.

In Tines we recognize that you often need to suppress events for a set period rather than than just ignoring all duplicate events. If an alert fires, you may want to suppress that same alert for another 24 hours, or simply not see it for another 100 events, or ever again. As a result, we have enhanced our deduplication mode in the event transformation agent – you can now deduplicate based on Time Period or based as well as based on a Lookback through previous emitted events.

  • A time-based deduplication analyzes each event that is received for uniqueness, and subsequent matching events will not be emitted until this time period has elapsed. A sample time based deduplication is below.
   "mode": "deduplicate",
   "period": "86400",
   "path": "{{.id}}"

  • A lookback deduplication will examine the previous X events for uniqueness, regardless of when the events happened. It takes a parameter “lookback” which will be the number of events to store which Tines checks against for uniqueness.
  "mode": "deduplicate",
  "lookback": "100",
  "path": "{{.person.name}}"

Emit Duplicate and Emit on No Match

Emit Duplicates in Event Transformation Agents

A complementary feature launched along with Time Based Deduplication is an emit_duplicate flag for deduplication events and an emit_no_match for trigger events.

When the emit_duplicate flag is set to “true”, in deduplication mode, duplicate events are emitted by the Event Transformation Agent. Duplicate events return the value “unique_event”:”false” in the emitted event, non-duplicate events will return the value “true”. Using this flag, users can create more complex stories, e.g. adding details of duplicate events to existing tickets, creating lower priority duplicate alerts, or taking a lower-risk action based on the fact it is a duplicate event. A sample configuration is below.

Emit on No Match in Trigger Agents

Similar to the “Emit Duplicate” flag, the emit_no_match flag is also available within Trigger Agents. Events which do not match the trigger agent’s rules can now be emitted, but will have the field “rule_matched” value set to ‘false’. Events which match the rule will have the “rule_matched” value set to ‘true’. This new feature allows users build and maintain a set of trigger rules within one agent.

A sample configuration for a trigger agent with emit_no_match set to true is below.

  "rules": [
      "type": "regex",
      "path": "{{.individual_url}}",
      "value": "tines.io"
  "emit_no_match": "true"

Asynchronous Event Loading

The last major feature of the Summer Release is an under-the-hood user experience improvement. When using Tines to automate AWS workflows; collect logs; analyze malware; and other common use-cases, some events in Tines can become extremely large. Previewing these Events within Tines is now much faster thanks to our new Asynchronous Event Loading feature. Tines will now only show the event data that the user wants to see. Expanding the json in the View Events page will then dynamically pull back the relevant data from the Tines database. Asynchronous Event Loading allows users to quickly preview the relevant section of the event, without waiting for the entire event to be downloaded. Each event should now take just fractions of a second to load making for a more seamless user experience.

That’s all for this year’s Summer Release. To get on the beta to test new features as they are being developed, simply talk to your Tines account manager.

To learn more about Tines, book a demo or get started with a fully-featured Community Edition account. It’s free to use, requires no up-front commitment and includes a generous automation capacity.

Eoin Hinchy
Eoin Hinchy
Founder, Tines