Transcript
Hey everyone, happy Friday! We are continuing with our AI Focus in Friday Flows and this time bringing back one of our now multi-recurring guests, Connor Dunn. How are you doing, Connor?

Not too bad. How are you, Blake?

Doing well, doing well. Thanks for jumping on with us today to demo a story that you built. So we've done a few AI related stories since we released some of the new features in the Tines platform. Um, the last one was a customer example, um, from our friends over at MyFitnessPal. Um, but today we're going to demo a story that you built and also show off a new section of the story library. So I'm excited for it. Um, let's maybe jump into that new story library layout and then we can jump to the actual story that you're going to walk us through today.

Yeah. So, um, as you were saying, we added a new section to our finding page on the library. So we had by team and by use case, but we now also have by feature. So these are Tines-specific features that we've added internally. So cases and records we've had for a while, pages and collections we've also had. But now we've got a new one for AI in Tines. So by going to this section you can see different stories that are in use of the new AI action, um, internally. So actually, the featured one is the story that we're demoing here today on creating, uh, cases and acting on CrowdStrike alerts using the new AI action. So this is what the story looks like internally. Um, so if we give this a quick run, what this is going to do is search CrowdStrike for new open alerts. And we're going to go and use the AI action first to generate a ticket body for our AI action. So if we have a look at what. Sorry, I think I tested this earlier, so the duplicate is not going to work. But if I just re-emit that, we'll have our AI action trigger. And while that loads, if we just have a look at what the alert looks like, there's a lot of detail here.
Um, there's a lot of information and not all of it is very clear. So the idea was, why don't we use AI to simplify this? So now that the case is created, um, with absolutely, with very little work on our end, we are able to design a case that looks like this. Um, so we can see our subject line is indicators of compromise are detected. We've got when they're detected. And we have a bunch of different indicators on the type of indicator that is there. Um, as you can see, we'll also have a bunch of actions taken. That is the second use of AI in this story. Um, if we go back here. Once we've normalized our security event data, we can then also use AI to act as a security analyst and to actually act on a response. So in this case, we have four different responses that can be taken in terms of any alerts. So suspending any user accounts, we could isolate the host that is being alerted on, block some URLs, or alert the security team using PagerDuty. Um, this will also give a bit of a confidence interval. So how likely is it that this action should be run? As you can see, block URL had a high confidence. So it's after running and blocking all these values. Now we have run into a bit of an error. And on the CrowdStrike side of things, it could be that some of them are already blocked. But, um, it also, if that confidence level is not high enough, for example, isolate the machine. The AI analyst said, yeah, these are some stuff that should be blocked, but we don't necessarily want to isolate that machine yet, but it's a possibility. I can come here and I can manually isolate that machine. Um, and the final thing it also does is, since it created a PagerDuty incident, I can very quickly open up that incident to see who's assigned and get the quick details there.

Awesome. Great.

That's, um, a quick overview of the, uh, story, as well as the other half is automatic. So these are the automatic triggers. And these allow you to undo each of those actions.

Great.
Okay. So if I play that back to you, the first half, um, is making sense of data that otherwise would have taken quite a bit of time to enrich and even figure out what's going on. And then once we've figured out what we're dealing with, the second half of the story is how you're using the AI to then actually take action, um, from there.

Exactly. But as well as just understanding this information, what this also allows us to do is, if we are using multiple, um, EDRs, for whatever reason, or multiple tools, we can have all these tools going into the same AI action and generating the same schema.

Yeah. Very useful. Okay, cool. So was this a story? I'm curious if this existed and then the AI helped simplify the story and make it more efficient, or is it something that we really couldn't do before, but now we've added a new capability with what you've built here?

Yeah. So we've always had stories on, um, taking alerts from one place, enriching the alerts and creating a case for teams to act on and for bringing all that information together. But what this helps us do, the first part is kind of just a reimagining of that, to help make it easier to parse that information and make it easier to generate these alerts. Um, and then as well, when we come down to the second half, we've always had these things where we can trigger actions through cases, but it would always rely on us doing some logic of, if there is an endpoint found, we will add this, um, isolate host endpoint. But by doing it this way, it just again makes it a bit easier to customize actions and also allows it to take action itself if it believes that the, um, threat is high enough.

Well, great. Um, well. Awesome workflow. You can very quickly see how this is going to save, uh, a lot of time in handling a CrowdStrike alert. Uh, maybe just to put a bow tie on things. Would you mind jumping back to the story library?
Um, and just highlighting some of the work that you and the labs team here have done to help organize these? So this one we went through is that featured story you're seeing there? Um, but there's also a number of stories in this section, uh, some of which are using the Tines AI and then a lot of which are using other tools like, um, OpenAI, NVIDIA, some of these other models that are available and popularly used. So, um, if it's something you want to explore, jump over to this new section. Thank you, Connor. Appreciate it.

Thank you, Blake.

Yeah. Talk to you soon.

Talk to you soon.