Article Details
Scrape Timestamp (UTC): 2025-09-19 11:01:15.239
Source: https://thehackernews.com/2025/09/how-to-automate-alert-triage-with-ai.html
Original Article Text
How To Automate Alert Triage With AI Agents and Confluence SOPs Using Tines

Run by the team at workflow orchestration and AI platform Tines, the Tines library features over 1,000 pre-built workflows shared by security practitioners from across the community - all free to import and deploy through the platform's Community Edition.

The workflow we are highlighting streamlines security alert handling by automatically identifying and executing the appropriate Standard Operating Procedures (SOPs) from Confluence. When an alert triggers, AI agents analyze it, locate relevant SOPs, and perform required remediation steps - all while keeping the on-call team informed via Slack. It was created by Michael Tolan, Security Researcher L2 at Tines, and Peter Wrenn, Senior Solutions Engineer at Tines.

In this guide, we'll share an overview of the workflow, plus step-by-step instructions for getting it up and running.

The problem - manual alert triage and SOP execution

For security teams, responding to alerts efficiently requires quickly identifying the threat type, locating the appropriate SOP, and executing the required remediation steps. From a workflow perspective, teams often have to:

This manual process is time-consuming, prone to human error, and can lead to inconsistent handling of similar alerts.

The solution - AI-powered alert triage with automated SOP execution

This prebuilt workflow automates the entire alert triage process by leveraging AI agents and Confluence SOPs. The workflow helps security teams respond faster and more consistently by:

The result is a streamlined response to security alerts that ensures consistent handling according to established procedures.

Key benefits of this workflow

Workflow overview

Tools used:

This specific workflow also uses the following pieces of software. However, you can use whatever enrichment/remediation tools currently exist within your technology stack alongside Tines and Confluence.
How it works

Part 1: Alert Ingestion and Analysis

Part 2: Remediation and Documentation

Configuring the workflow - step-by-step guide

1. Log into Tines or create a new account.

2. Navigate to the pre-built workflow in the library. Select import.

3. Set up your credentials. You'll need credentials for all the tools used in this workflow. You can add or remove whatever tools you wish to suit your environment. From the credentials page, select New credential, scroll down to the relevant credential and complete the required fields. Follow the credential guides at explained.tines.com if you need help.

4. Configure your actions. Set your environment variables. In this particular workflow, that specifically requires setting the Slack channel for notifications (hardcoded to #alerts by default, but this can be adjusted in the Slack action).

5. Customize the AI prompts. The workflow includes two key AI agents:

6. Test the workflow. Create a test alert to verify:

7. Publish and operationalize. Once tested, publish the workflow and integrate it with your security tools to begin receiving live alerts.

If you'd like to test this workflow, you can sign up for a free Tines account.
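The core of the triage loop described above (match an alert to an SOP, pull out its remediation steps, notify the on-call channel) can be sketched outside the platform. The following is an added example, not code from the Tines workflow or the article; the two SOP "pages", the alert strings and the list of state-changing verbs that hold a step for human approval are all constructed assumptions, and the Slack post is only assembled as text.

```python
import re

# Constructed stand-ins for Confluence SOP pages (title, labels, numbered-step body);
# these are assumptions for the example, not pages from the Tines workflow.
SOPS = [
    {"title": "SOP: Phishing Email Reported", "labels": {"phishing", "email"},
     "body": "1. Pull the message headers.\n"
             "2. Block the sender domain at the gateway.\n"
             "3. Notify the reporting user."},
    {"title": "SOP: Suspicious Login from New Country",
     "labels": {"login", "impossible-travel", "okta"},
     "body": "1. Confirm travel with the user.\n"
             "2. Reset the user's password.\n"
             "3. Revoke active sessions."},
]

# Assumed policy: steps that change state for a user or host are held for a human
# to approve instead of being run by the agent; the verb list is constructed here.
APPROVAL_REQUIRED = re.compile(r"\b(block|reset|revoke|disable|delete|isolate)\b", re.I)

def rank_sops(alert_text, sops=SOPS):
    """Return SOPs that share at least one label with the alert, best match first."""
    words = set(re.findall(r"[a-z0-9-]+", alert_text.lower()))
    scored = [(len(sop["labels"] & words), sop) for sop in sops]
    return [sop for hits, sop in sorted(scored, key=lambda x: -x[0]) if hits > 0]

def extract_steps(body):
    """Pull the numbered remediation steps out of an SOP body, in order."""
    return [m.group(1).strip() for m in re.finditer(r"^\s*\d+\.\s*(.+)$", body, re.M)]

def triage(alert_text, sops=SOPS):
    """Pick the SOP for an alert and split its steps into auto-run and approval-gated."""
    matches = rank_sops(alert_text, sops)
    if not matches:
        return {"sop": None, "auto": [], "needs_approval": []}
    steps = extract_steps(matches[0]["body"])
    return {
        "sop": matches[0]["title"],
        "auto": [s for s in steps if not APPROVAL_REQUIRED.search(s)],
        "needs_approval": [s for s in steps if APPROVAL_REQUIRED.search(s)],
    }

def slack_message(alert_text, result):
    """Build the on-call notification text; an unmatched alert is routed to a human."""
    if result["sop"] is None:
        return f":warning: No SOP matched: {alert_text} (manual triage needed)"
    lines = [f"Alert: {alert_text}", f"SOP: {result['sop']}"]
    lines += [f"[auto] {s}" for s in result["auto"]]
    lines += [f"[approve?] {s}" for s in result["needs_approval"]]
    return "\n".join(lines)
```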
Daily Brief Summary
Tines introduces an AI-powered workflow to automate alert triage, leveraging over 1,000 pre-built workflows available in its Community Edition.
Developed by Michael Tolan and Peter Wrenn, the workflow integrates AI agents to identify and execute Standard Operating Procedures (SOPs) from Confluence.
The automation process reduces manual intervention, minimizing human error and ensuring consistent handling of security alerts.
Alerts trigger AI analysis, which identifies relevant SOPs and performs remediation, while keeping teams informed via Slack.
The solution aims to improve response times and operational efficiency for security teams by streamlining alert management processes.
Organizations can customize the workflow to suit their existing technology stack, enhancing flexibility and integration capabilities.
The guide provides step-by-step instructions for configuring and testing the workflow, ensuring seamless implementation and operation.