Run by the team at Tines, the orchestration, AI, and automation platform, the Tines library contains pre-built workflows shared by real security practitioners from across the community, all of which are free to import and deploy via the Community Edition of the platform.
Their bi-annual “You Did What with Tines?!” competition highlights some of the most interesting workflows submitted by their users, many of which demonstrate practical applications of large language models (LLMs) to address complex challenges in security operations.
One recent winner is a workflow designed to automate CrowdStrike RFM reporting. Developed by Tom Power, a security analyst at The University of British Columbia, it uses orchestration, AI and automation to reduce the time spent on manual reporting.
Here, we’ll share an overview of the workflow, plus a step-by-step guide for getting it up and running.
The workflow’s builder, Tom Power, explains, “The CrowdStrike Falcon sensor goes into Reduced Functionality Mode (RFM), usually because the operating system (OS) or kernel version is too old or too new for the sensor to support in kernel mode. Every week, SecOps would log into the Falcon console, and filter the host management console for endpoints in RFM for the last week. We would generate the report and download it.”
This process provided critical data for identifying kernel updates causing RFM, particularly for Linux endpoints. However, it required the team to manually check whether CrowdStrike had released a new sensor version compatible with the latest kernel updates.
“The entire process took about 30 minutes each week,” Tom adds. “Over the course of a year, that added up to more than 25 hours of time we could have spent on other cybersecurity priorities.”
Tom’s workflow automates the tracking and reporting of Falcon Sensor RFM across hosts. By leveraging Tines’ AI-driven Automatic Mode, it generates custom code to streamline report creation. The workflow not only produces regular, consistent reports but also enables management to monitor trends in RFM occurrences, supporting proactive system health management and faster decision-making.
The automated workflow eliminates the need for manual reporting by allowing analysts to submit requests via a simple web form. Within minutes, the workflow retrieves data, processes it, and delivers an actionable email report, complete with detailed insights and a CSV attachment.
Here’s a sample of the auto-generated email and report received by the team:
Here are some of the key benefits of using this workflow:
Tools used:
The workflow is initiated when a web form is submitted, triggering the process to generate CrowdStrike RFM reports.
The first action retrieves a list of device IDs from CrowdStrike Falcon’s API. If the list is larger than what CrowdStrike returns in the first batch, multiple calls are made to paginate through the full list.
Once all the device details are retrieved, the workflow consolidates them into a single resource. This resource acts as the foundation for analysis, where the number of Linux, Windows, and Mac hosts is calculated and appended to the data.
Using the consolidated resource, the workflow generates an HTML summary table to present the data in a structured format. This table is then converted into a CSV file, making it suitable for reporting purposes.
The CSV report is emailed to stakeholders for review. To maintain efficiency and data hygiene, the workflow purges the temporary resource after the email is sent, ensuring it is ready for the next cycle.
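To make the four steps above concrete, here is an added Python re-creation of the data-handling part of the workflow (paginating the host list, consolidating it, counting hosts per platform, and rendering the HTML summary and CSV attachment). This is example code written for this article, not the Tines workflow itself or CrowdStrike's client library. The response shape (a `resources` list plus `meta.pagination` with `offset`/`limit`/`total`) and the device field names (`hostname`, `platform_name`, `os_version`, `kernel_version`, `agent_version`, `reduced_functionality_mode`) are assumptions about the Falcon host APIs, and `FakeFalconClient` plus `SAMPLE_DEVICES` are constructed stand-ins so the script runs offline without credentials; the email send and resource purge are left out.

```python
import csv
import html
import io
from collections import Counter

# Constructed sample of device records, shaped like the Falcon host-details
# endpoint is assumed to return them (field names are an assumption).
SAMPLE_DEVICES = {
    "a1": {"hostname": "lin-web-01", "platform_name": "Linux", "os_version": "Ubuntu 22.04",
           "kernel_version": "6.8.0-45-generic", "agent_version": "7.18.17106.0",
           "reduced_functionality_mode": "yes"},
    "b2": {"hostname": "lin-db-02", "platform_name": "Linux", "os_version": "RHEL 9.4",
           "kernel_version": "5.14.0-427.el9", "agent_version": "7.16.16903.0",
           "reduced_functionality_mode": "yes"},
    "c3": {"hostname": "win-fs-01", "platform_name": "Windows", "os_version": "Windows Server 2022",
           "kernel_version": "", "agent_version": "7.18.18605.0",
           "reduced_functionality_mode": "yes"},
    "d4": {"hostname": "mac-dev-07", "platform_name": "Mac", "os_version": "macOS 14.5",
           "kernel_version": "", "agent_version": "7.18.18604.0",
           "reduced_functionality_mode": "no"},
    "e5": {"hostname": "lin-ci-03", "platform_name": "Linux", "os_version": "Debian 12",
           "kernel_version": "6.1.0-25-amd64", "agent_version": "7.17.17005.0",
           "reduced_functionality_mode": "yes"},
}

PLATFORMS = ("Linux", "Windows", "Mac")


class FakeFalconClient:
    """Offline stand-in for the Falcon host API (hypothetical, for this example only)."""

    def __init__(self, devices, page_size=2):
        self._devices = devices
        self._page_size = page_size
        self.calls = 0

    def query_rfm_device_ids(self, offset=0):
        # Assumed shape of a device-ID query filtered to hosts in RFM: one page of IDs
        # plus pagination metadata telling the caller where the next page starts.
        self.calls += 1
        ids = sorted(k for k, d in self._devices.items() if d["reduced_functionality_mode"] == "yes")
        page = ids[offset:offset + self._page_size]
        return {"resources": page,
                "meta": {"pagination": {"offset": offset + len(page),
                                        "limit": self._page_size, "total": len(ids)}}}

    def get_device_details(self, ids):
        self.calls += 1
        return {"resources": [self._devices[i] for i in ids]}


def collect_rfm_hosts(client, details_batch=100):
    """Step 1: page through device IDs until offset reaches total, then fetch details in batches."""
    ids, offset = [], 0
    while True:
        resp = client.query_rfm_device_ids(offset=offset)
        ids.extend(resp["resources"])
        pagination = resp["meta"]["pagination"]
        offset = pagination["offset"]
        # Stop on an empty page as well, so a wrong total cannot cause an endless loop.
        if not resp["resources"] or offset >= pagination["total"]:
            break
    hosts = []
    for start in range(0, len(ids), details_batch):  # details endpoints cap IDs per call
        hosts.extend(client.get_device_details(ids[start:start + details_batch])["resources"])
    return hosts


def build_rfm_report(client):
    """Steps 2-3: consolidate hosts, count per platform, render the HTML summary and CSV."""
    hosts = collect_rfm_hosts(client)
    counts = Counter(h["platform_name"] for h in hosts)
    summary = {p: counts.get(p, 0) for p in PLATFORMS}

    rows = "".join(f"<tr><td>{html.escape(p)}</td><td>{n}</td></tr>" for p, n in summary.items())
    html_table = f"<table><tr><th>Platform</th><th>Hosts in RFM</th></tr>{rows}</table>"

    fields = ["hostname", "platform_name", "os_version", "kernel_version", "agent_version"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for h in sorted(hosts, key=lambda h: (h["platform_name"], h["hostname"])):
        writer.writerow(h)
    return {"summary": summary, "html": html_table, "csv": buf.getvalue(), "api_calls": client.calls}


if __name__ == "__main__":
    report = build_rfm_report(FakeFalconClient(SAMPLE_DEVICES))
    print(report["summary"])
    print(report["csv"])
```

The loop exits on an empty page as well as when `offset` reaches `total`, which is the guard a practitioner wants when the pagination metadata is wrong or a host is deleted mid-run; the platform counts are computed from the consolidated list rather than from a second API query, so the summary and the CSV attachment always describe the same set of hosts.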
By automating these steps, the workflow eliminates manual effort, reduces the risk of errors, and provides consistent, up-to-date reporting on devices in reduced functionality mode across the environment.
You could use another no-code automation platform to build a similar service, although it’s worth noting that some of the features in this workflow are unique to Tines:
If you’d like to explore AI in Tines for yourself or test out this workflow, you can sign up for a free account including AI functionality.