Tines

Complete integration package for Tines that extends far beyond the original six templates — 42 pre-configured actions covering the full breadth of the Stairwell API, along with 5 real-world example workflows.

Getting Started

Stairwell's actions are now available natively within Tines as action templates — there's no need to download or import them manually. In the Tines story editor, open the action template library, search for Stairwell, and drag any action directly into your story.

For setup guidance (API token generation, credentials, and the example workflows), see:

• Installation Guide
• Example Workflows (import as a Story)

What's Included

Core Integration (42 Actions)

The complete integration provides organized access to all Stairwell capabilities:

File Operations (3 actions)

• File Enrichment — Get comprehensive file intelligence
• Variant Discovery — Find related malware variants
• File Upload (Intake) — Submit files for analysis

Object Analysis (6 actions)

• AI Triage Summarize — Get AI-powered threat assessments
• Object Sightings — View where files have been seen
• Object Opinions — Access analyst judgments
• Detonation Trigger — Start dynamic analysis
• Detonation Get — Retrieve analysis results
• Run To Ground Generate — Create impact scoping reports

Network Intelligence (15 actions)

ASN Intelligence

• ASN Get WHOIS — ASN registration data

Hostname Intelligence

• Hostname Get — Hostname metadata
• Hostname Get Resolutions — DNS resolution history
• Hostname Batch Get Resolutions — Bulk DNS lookups

IP Address Intelligence

• IP Address Get — IP metadata and reputation
• IP Cloud Provider Lookup — Identify cloud hosting
• IP Get Hostnames — Reverse DNS history
• IP Get WHOIS — IP registration data

Network Utilities

• Cloud IP Ranges — Get cloud provider CIDR blocks
• Canonicalize Hostname — Normalize domain names
• Batch Canonicalize Hostnames — Bulk domain normalization
• Compute ETLD+1 — Extract root domains
• Batch Compute ETLD+1 — Bulk root domain extraction
• Canonicalize URL — Normalize URLs
• Batch Canonicalize URLs — Bulk URL normalization

Assets & Tags (6 actions)

• List Assets — Enumerate monitored assets
• Get Asset — Retrieve asset details
• Create Asset — Register new assets
• Update Asset — Modify asset metadata
• Add Asset Tags — Apply classification labels
• Remove Asset Tags — Remove labels

YARA Rules (6 actions)

• List YARA Rules — View all custom rules
• Get YARA Rule — Retrieve rule details
• Create YARA Rule — Deploy custom detection logic
• Delete YARA Rule — Remove rules
• Query YARA Matches — Find matching files
• Add YARA Rule Tags — Organize rules

Threat Reports (5 actions)

• Create Threat Report — Document threats
• List Threat Reports — Browse reports
• Get Threat Report — View report details
• List IOCs in Report — Extract indicators
• Delete Threat Report — Remove reports

Integration Framework (1 action)

• Action Dispatcher — Central routing that standardizes requests and responses across all Stairwell API calls

Example Workflows (5 Stories)

Production-ready workflows demonstrating real-world use cases:

1. SOC Alert Enrichment (9 actions) Automatically enrich security alerts with Stairwell intelligence:

• Receives alerts from SIEM/EDR via webhook
• Enriches file hashes with reputation and AI triage
• Updates tickets in Jira/ServiceNow with context
• Posts high-priority findings to Slack

2. Threat Report Impact Assessment (7 actions) Evaluate organizational impact of emerging threats:

• Ingests threat reports from external sources
• Cross-references IOCs against Stairwell data
• Identifies affected assets and prevalence
• Creates impact documentation in Confluence/Jira

3. Automatic Run-to-Ground Scoping (8 actions) Generate comprehensive incident scope automatically:

• Triggers on confirmed malicious file detection
• Generates RTG report showing full blast radius
• Tags all affected assets
• Creates IR tickets and pages on-call if multi-asset spread

4. ActiveDNS Infrastructure Investigation (8 actions) Investigate suspicious domains with DNS intelligence:

• Receives suspicious domain from proxy/DNS logs
• Pulls DNS resolution history via Hostname APIs
• Enriches all resolved IPs with WHOIS and cloud data
• Aggregates infrastructure timeline in Jira

5. Rare Files Hunt (10 actions) Proactive threat hunting for low-prevalence files:

• Runs daily on a scheduled trigger
• Queries sensitive assets for rare files
• AI triage analysis on suspicious findings
• Discovers variants of concerning files
• Creates Jira tickets and emails a daily summary

Migration from the Original Templates

If you're currently using the original six Tines templates, this comprehensive integration provides enhanced versions of the same capabilities.

Migration is optional — your existing templates will continue to work. The new integration can be imported alongside existing workflows.

Frequently Asked Questions

Q: Can I use both the original templates and the new integration? A: Yes, they can coexist. The new integration is a separate story and won't interfere with existing workflows.

Q: What if the Stairwell API changes? A: We update the integration to match API changes.

Q: Do I need all 42 actions? A: No. Add only the actions you need directly from the Tines action template library — there's no need to import the full set.

Q: Can I customize the example workflows? A: Absolutely. The examples are starting points — customize them for your specific SIEM, ticketing system, and notification channels.

Q: What about rate limits? A: All actions include retry logic for HTTP 429 (rate limit) responses. Requests automatically retry with exponential backoff.

---

Original Tines Templates

The original individual templates remain available and supported for users who prefer a more focused approach:

1. Run to Ground (RTG)
2. Get File Hash Reputation
3. Get Dynamic Analysis Report
4. Upload a File
5. Create a Tag for a File
6. Create Job for Dynamic Analysis

Support

• Stairwell Support: [email protected]
• Tines Support: https://www.tines.com/support