How To Automate Alert Triage With AI Brokers and Confluence SOPs Utilizing Tines

Sep 19, 2025The Hacker InformationAI Automation / Safety Operations

Run by the workforce at workflow orchestration and AI platform Tines, the Tines library options over 1,000 pre-built workflows shared by safety practitioners from throughout the group – all free to import and deploy by means of the platform’s Group Version.

The workflow we’re highlighting streamlines safety alert dealing with by routinely figuring out and executing the suitable Customary Working Procedures (SOPs) from Confluence. When an alert triggers, AI brokers analyze it, find related SOPs, and carry out required remediation steps – all whereas conserving the on-call workforce knowledgeable through Slack.

It was created by Michael Tolan, Safety Researcher L2 at Tines, and Peter Wrenn, Senior Options Engineer at Tines.

On this information, we’ll share an summary of the workflow, plus step-by-step directions for getting it up and operating.

The issue – handbook alert triage and SOP execution

For safety groups, responding to alerts effectively requires shortly figuring out the menace kind, finding the suitable SOP, and executing the required remediation steps.

From a workflow perspective, groups typically should:

• Manually analyze incoming safety alerts
• Search by means of Confluence for related SOPs
• Doc findings and actions in case administration techniques
• Execute a number of remediation steps throughout completely different safety instruments
• Replace the case administration system once more after the actual fact
• Notify stakeholders about incidents and actions taken

This handbook course of is time-consuming, susceptible to human error, and may result in inconsistent dealing with of comparable alerts.

The answer – AI-powered alert triage with automated SOP execution

This prebuilt workflow automates all the alert triage course of by leveraging AI brokers and Confluence SOPs. The workflow helps safety groups reply sooner and extra persistently by:

• Utilizing AI to investigate and classify incoming alerts
• Routinely finding related SOPs in Confluence
• Creating structured case data for monitoring
• Deploying a second AI agent (subagent) to execute remediation steps
• Documenting all actions and notifying the on-call workforce through Slack

The result’s a streamlined response to safety alerts that ensures constant dealing with in accordance with established procedures.

Key advantages of this workflow

• Diminished imply time to remediation (MTTR)
• Constant utility of safety procedures
• Complete documentation of all actions taken
• Diminished analyst fatigue from repetitive duties
• Improved visibility by means of automated notifications

Workflow overview

Instruments used:

• Tines – workflow orchestration and AI platform (free Group Version out there)
• Confluence – data administration platform for SOPs

This particular workflow additionally makes use of the next items of software program. Nonetheless, you need to use no matter enrichment/remediation instruments presently current inside your know-how stack alongside Tines and Confluence.

• CrowdStrike – menace intelligence and EDR platform
• AbuseIPDB – IP status database
• EmailRep – e-mail status service
• Okta – identification and entry administration
• Slack – workforce collaboration platform
• Tavily – AI analysis instrument
• URLScan.io – URL evaluation service
• VirusTotal – file and URL scanning service

The way it works

Half 1: Alert Ingestion and Evaluation

• Obtain safety alert from built-in safety instruments
• AI agent analyzes the alert to find out kind and severity
• System searches Confluence for related SOPs based mostly on alert classification
• Create a case report with alert particulars and recognized SOP

Half 2: Remediation and Documentation

• Second AI agent critiques the case and SOP directions
• AI agent orchestrates remediation actions throughout acceptable safety instruments
• All actions are documented within the case historical past
• Slack notification is distributed to the on-call workforce with alert particulars and actions taken

Configuring the workflow – step-by-step information

1. Log into Tines or create a brand new account.

2. Navigate to the pre-built workflow within the library. Choose import.

3. Arrange your credentials

You will want credentials for all of the instruments used on this workflow. You possibly can add or take away no matter instruments you want to fit your surroundings.

• Confluence
• CrowdStrike
• AbuseIPDB
• EmailRep
• Okta
• Slack
• Tavily
• URLScan.io
• VirusTotal

From the credentials web page, choose New credential, scroll right down to the related credential and full the required fields. Observe the credential guides at defined.tines.com if you happen to need assistance.

4. Configure your actions.

Set your surroundings variables. On this specific workflow, that particularly requires setting the Slack channel for notifications (hardcoded to #alerts by default, however might be adjusted within the Slack motion).

5. Customise the AI prompts

The workflow contains two key AI brokers:

• Alert Evaluation Agent: Customise the immediate to assist determine alert varieties
• Remediation Agent: Customise the immediate to information remediation actions

6. Take a look at the workflow.

Create a check alert to confirm:

• Alert is correctly labeled
• Right SOP is retrieved from Confluence
• Case is created with acceptable particulars
• Remediation steps are executed
• Slack notification is distributed

7. Publish and operationalize

As soon as examined, publish the workflow and combine along with your safety instruments to start receiving reside alerts.

If you would like to check this workflow, you possibly can join a free Tines account.