Introducing Send-to-Story

Written by Eoin Hinchy

Teams regularly need to perform a task or a set of tasks in multiple different automation stories. For example, a threat intelligence Story and a phishing response Story may use the same procedure to analyze a URL; similarly, a user de-provision Story and a vulnerability management Story may require you to find and then relate tickets in Jira based on a search term. Tines can now help you solve this problem once and for all!

Continuing our deep-dive into new features included in the Tines Autumn 2019 release, we’re proud to detail our latest feature, ‘Send to Story’.

Rather than creating the same set of Actions in multiple stories (thus violating the DRY principle), the Send to Story Action allows users to create “sub-stories” to which events can be sent from other stories. When the sub-story receives an event, it performs its function and, when finished, an event is emitted from the sending Action.

Sub-stories 

Sub-stories work exactly the same way as normal Tines Stories. The only difference is that a sub-story has an entry Action and an exit Action. The entry Action must be a webhook-type Action. The exit Action must be a message-only mode event transformation Action.

Enabling a Story for Send to Story (creating a sub-story) 

From a Storyboard, when no Actions are selected in the properties panel, there is a checkbox to enable a Story for Send to Story. When this checkbox is clicked, you’ll be asked to specify entry and exit Actions. A sub-story can only have one entry and one exit Action.

Enable sub-story from Storyboard

Configure send to Story

Entry Action 

When a Send to Story Action sends an event to a sub-story, the entry Action will emit an event to its receiver actions. Entry Actions must be of type Webhook.

Exit Action 

The Exit Action is the last Action in a sub-story and must be a message-only mode event transformation Action. The content specified in the exit Action will be emitted by the Action that originally sent the event to the sub-story.

Sending to a Sub-Story 

When you need to send data to a sub-story, you should use a Send to Story Action with the Story widget. For example, say we have a sub-story called Substory. We would send events to this sub-story with a Send to Story Action.

You can create a new Send to Story Action by dragging an empty Action from the Action library panel.

Send to story agent animation

{
  "story": "{% story Substory %}",
  "payload": {
    "url": "http://evil-site.com"
  }
}

The entry Action in the sub-story will then emit an event similar to the one below:

{
  "receive_url_to_analsye": {
    "url": "http://evil-site.com",
    "#event_id": "1029",
    "#agent_id": "21"
  }
}

When this event has run down the Story, the exit Action will emit an event, and the calling Send to Story Action will also emit an event that matches the exit Action’s configuration.

For example, let’s say the HTTP Request Action above was named “Analyse URL” and we have the following exit Action defined in the sub-story:

{
  "mode": "message_only",
  "uppercase_url": "{{.receive_url_to_analsye.url | upcase }}"
}

When the sub-story is complete, Analyse URL will emit an event similar to the one below:

{
  "analyse_url": {
    "uppercase_url": "HTTP://EVIL-SITE.COM"
  }
}
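As an added example (not from the original post and not Tines' own code), the round trip above can be modelled in a few lines of Python to show what crosses the sub-story boundary in each direction. The snake-casing rule, the entry Action name "Receive URL to analsye" (inferred from the event key) and the two-filter Liquid subset are assumptions; event metadata such as #event_id is omitted.

```python
import re

def event_key(action_name):
    """Snake-case an Action name as the page's events are keyed
    ("Analyse URL" -> "analyse_url"); the exact rule is an assumption."""
    return re.sub(r"[^a-z0-9]+", "_", action_name.lower()).strip("_")

FILTERS = {"upcase": str.upper, "downcase": str.lower}  # assumed Liquid subset

def render(template, event):
    """Resolve {{.path.to.field | filter }} tags against an event."""
    def resolve(match):
        path, *filters = [p.strip() for p in match.group(1).split("|")]
        value = event
        for part in path.lstrip(".").split("."):
            value = value[part]  # KeyError if the sub-story never set the field
        for name in filters:
            value = FILTERS[name](value)
        return str(value)
    return re.sub(r"\{\{(.*?)\}\}", resolve, template)

def send_to_story(calling_action, payload, entry_action, exit_config):
    """Model one Send to Story round trip; returns (entry_event, caller_event)."""
    if exit_config.get("mode") != "message_only":
        raise ValueError("exit Action must be a message-only event transformation")
    # Entry (webhook) Action: the payload is namespaced under the entry Action's name.
    entry_event = {event_key(entry_action): dict(payload)}
    # Exit Action: every field except "mode" is a template rendered against the
    # sub-story's event; only these rendered fields go back to the caller.
    message = {k: render(v, entry_event)
               for k, v in exit_config.items() if k != "mode"}
    # The calling Action re-emits the exit message under its own name.
    return entry_event, {event_key(calling_action): message}

# Values from the page's walkthrough (entry Action name is inferred, see above).
ENTRY, CALLER = "Receive URL to analsye", "Analyse URL"
EXIT = {"mode": "message_only",
        "uppercase_url": "{{.receive_url_to_analsye.url | upcase }}"}

if __name__ == "__main__":
    entry, result = send_to_story(CALLER, {"url": "http://evil-site.com"}, ENTRY, EXIT)
    print(entry)
    print(result)
```

In this model, payload fields that the exit Action does not reference never reach the calling Story, so the exit Action's configuration is the sub-story's whole return contract.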

Demo Story 

To illustrate this further, you can download a sample Story, ‘analyze URL in urlscan’ here.

(Note: to import and run this Story, you’ll need to create a credential, urlscan_io, using an API Key from urlscan.io.)

This Story is designed to submit URLs to urlscan for analysis. It will then wait for 30 seconds while urlscan processes the results, and, when complete, return the verdict.

This ‘analyze URL in urlscan’ process can now be called from any other Tines Story to analyze URLs using a Send to Story Action. You can also run the Action from within the sub-story itself and hardcode a URL to analyze. This way you can just click “Run” and shortly after Tines will return with the results of the URL analysis.

Send to Story Ideas 

Other repeatable processes our customers have automated include:

  • Analyze an IP Address, Domain or Email Address

  • Search a SIEM for visits to a Domain

  • Lock a User’s Account

  • Update a JIRA Ticket

  • Analyze a Suspicious File in a Sandbox

  • Find and Relate Tickets in a Case Management System

  • Find and Send a User an Instant Message

*Please note we recently updated our terminology. Our "agents" are now known as "Actions," but some visuals might not reflect this.*
