Easy methods to Generate a CrowdStrike RFM Report With AI in Tines

Run by the workforce at orchestration, AI, and automation platform Tines, the Tines library incorporates pre-built workflows shared by actual safety practitioners from throughout the group, all of that are free to import and deploy through the Neighborhood Version of the platform.

Their bi-annual “You Did What with Tines?!” competitors highlights a few of the most attention-grabbing workflows submitted by their customers, a lot of which show sensible functions of enormous language fashions (LLMs) to deal with advanced challenges in safety operations.

One current winner is a workflow designed to automate CrowdStrike RFM reporting. Developed by Tom Energy, a safety analyst at The College of British Columbia, it makes use of orchestration, AI and automation to scale back the time spent on handbook reporting.

Right here, we’ll share an outline of the workflow, plus a step-by-step information for getting it up and operating.

The issue – time-consuming reporting

The workflow’s builder, Tom Energy, explains, “The CrowdStrike Falcon sensor goes into Reduced Functionality Mode (RFM), usually because the operating system (OS) or kernel version is too old or too new for the sensor to support in kernel mode. Every week, SecOps would log into the Falcon console, and filter the host management console for endpoints in RFM for the last week. We would generate the report and download it.”

This course of supplied important knowledge for figuring out kernel updates inflicting RFM, notably for Linux endpoints. Nevertheless, it required the workforce to manually verify whether or not CrowdStrike had launched a brand new sensor model appropriate with the newest kernel updates.

“The entire process took about 30 minutes each week,” Tom provides. “Over the course of a year, that added up to more than 25 hours of time we could have spent on other cybersecurity priorities.”

The answer – automated RFM reporting with AI

CrowdStrike RFM Report

Tom’s workflow automates the monitoring and reporting of Falcon Sensor RFM throughout hosts. By leveraging Tines’ AI-driven Computerized Mode, it generates customized code to streamline report creation. The workflow not solely produces common, constant experiences but additionally allows administration to observe tendencies in RFM occurrences, supporting proactive system well being administration and sooner decision-making.

The automated workflow eliminates the necessity for handbook reporting by permitting analysts to submit requests through a easy internet kind. Inside minutes, the workflow retrieves knowledge, processes it, and delivers an actionable e mail report, full with detailed insights and a CSV attachment.

Instance output:

This is a pattern of the auto-generated e mail and report acquired by the workforce:

CrowdStrike RFM Report
CrowdStrike RFM Report

Listed below are a few of the key advantages of utilizing this workflow:

  • Frees analysts to deal with high-priority cybersecurity duties.
  • Reduces handbook effort and the potential for human error.
  • Delivers constant, dependable experiences for improved productiveness.
  • Enhances decision-making by offering real-time insights.
  • Boosts morale by eradicating a tedious and repetitive process.
CrowdStrike RFM Report

Workflow overview

Instruments used:

  • Tines – a workflow orchestration, AI and automation platform that is well-liked with safety groups. It is attainable to make use of the free Neighborhood Version of Tines to construct and run this workflow if you do not have a paid account. AI should be enabled in your tenant.
  • CrowdStrike – endpoint detection and response (EDR) platform. This workflow integrates with CrowdStrike Falcon’s API to retrieve knowledge about endpoints in Lowered Performance Mode (RFM). Whereas Falcon offers strong endpoint visibility, it lacks native automation for recurring RFM experiences.

The workflow is initiated when an online kind is submitted, triggering the method to generate CrowdStrike RFM experiences.

The primary motion retrieves an inventory of gadget IDs from CrowdStrike Falcon’s API. If the record is bigger than what CrowdStrike returns within the first batch, a number of calls are made to paginate by way of the total record.

As soon as all of the gadget particulars are retrieved, the workflow consolidates them right into a single useful resource. This useful resource acts as the muse for evaluation, the place the variety of Linux, Home windows, and Mac hosts is calculated and appended to the info.

Utilizing the consolidated useful resource, the workflow generates an HTML abstract desk to current the info in a structured format. This desk is then transformed right into a CSV file, making it appropriate for reporting functions.

The CSV report is emailed to stakeholders for assessment. To keep up effectivity and knowledge hygiene, the workflow purges the short-term useful resource after the e-mail is shipped, guaranteeing it’s prepared for the subsequent cycle.

By automating these steps, the workflow eliminates handbook effort, reduces the danger of errors, and offers constant, up-to-date reporting on gadgets in lowered performance mode throughout the setting.

Configuring the workflow – step-by-step information

CrowdStrike RFM Report
  1. Log into Tines or create a brand new account.
  2. Guarantee AI is enabled in your tenant. For this, it is advisable to be the tenant proprietor. Choose the account settings drop-down within the high left of your display, and verify the field to show AI on.
  3. CrowdStrike RFM Report
  4. Create your CrowdStrike credential. From the credentials web page, choose New credential, scroll right down to the CrowdStrike credential and full the required fields.
  5. 7
  6. Navigate to the pre-built workflow within the library.
  7. 8
  8. Choose import. This could take you straight to your new pre-built workflow.
  9. 9
  10. Configure your actions. For instance, it’s possible you’ll wish to edit the format of the Tines web page that kicks off the workflow.
  11. Take a look at the workflow. Submit a picture through the shape to check your workflow.
  12. Publish your workflow and share the Web page URL along with your desired customers.

Constructing in different automation platforms

You might use one other no-code automation platform to construct an identical service, though it is price noting that a few of the options on this workflow are distinctive to Tines:

  • Pages: This workflow is kicked off by a submission to a kind on an online web page. That is constructed utilizing Tines’ Pages characteristic.
    • Various: Use a scheduled set off to kick off the workflow.
  • Occasion Rework in Computerized Mode: This characteristic makes use of build-time AI to compose Python code based mostly on the steerage and the enter the builder offers. When you save your adjustments, the code is locked in place. Which means that when the motion runs, solely the code executes, and no AI is concerned.
    • Various: Write Python code manually to remodel your knowledge.

If you would like to discover AI in Tines for your self or take a look at out this workflow, you’ll be able to join a free account together with AI performance.

Discovered this text attention-grabbing? This text is a contributed piece from one in all our valued companions. Comply with us on Twitter ï‚™ and LinkedIn to learn extra unique content material we put up.

Recent articles

Hackers Use Microsoft MSC Information to Deploy Obfuscated Backdoor in Pakistan Assaults

î ‚Dec 17, 2024î „Ravie LakshmananCyber Assault / Malware A brand new...

INTERPOL Pushes for

î ‚Dec 18, 2024î „Ravie LakshmananCyber Fraud / Social engineering INTERPOL is...

Patch Alert: Essential Apache Struts Flaw Discovered, Exploitation Makes an attempt Detected

î ‚Dec 18, 2024î „Ravie LakshmananCyber Assault / Vulnerability Risk actors are...