Exporting Events to Tines

Tines is a no-code automation platform oriented towards security operations teams. The basic building block of a workflow (aka Story) in Tines is called an Action. Integration with Antimatter Security Lakehouse is straightforward through the use of the Webhook Action.

To integrate, create a Webhook Action as the event source for your Story. The default settings are suitable, although only the POST verb needs to be allowed. If you will be processing notables and operational alerts, you may wish to create two separate Webhook Actions to apply distinct workflows to each event type. Make a note of the Webhook URL field in the settings panel for the Webhook Action, as this will be needed to configure the Security Lakehouse.

The event details are posted to the webhook endpoint as the request body and can be accessed within a downstream action using a Formula.

Export Configuration

The export configuration will be stored on the DASL backend and exposed to other users of the Security Lakehouse. If you wish to protect the Tines Webhook URL, create a Databricks secret containing the value.

To export Notables or Operational Alerts to your Tines Webhook endpoint, navigate to the DASL interface. From the sidebar, expand the "Configure" menu and click "Workspace". Near the bottom of the page is a section entitled "Notable & operational alert export configuration".

For the desired export type, select "Webhook" as the destination. If you wish to use the URL directly, select "Webhook URL" as the webhook target and enter the URL in the "Output URL" text box. If you have stored the URL in a Databricks secret, select "URL from Secret" as the webhook target, and enter the secret key and scope in the corresponding text boxes. Click "Submit changes" at the bottom of the section to save your changes.
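
One way to create the Databricks secret that the "URL from Secret" option reads, shown as an added example that is not part of the original documentation. It assumes the current Databricks CLI is installed and authenticated; the scope name `dasl-export` and key name `tines-webhook-url` are placeholders.

```shell
# Added example: store a Tines Webhook URL in a Databricks secret.
# Scope and key names used here are placeholders; choose your own.

# Accept only https URLs without whitespace, so a cleartext or malformed
# endpoint is never saved and later used for alert export.
validate_webhook_url() {
  case "$1" in
    *[[:space:]]*) return 1 ;;
    https://?*)    return 0 ;;
    *)             return 1 ;;
  esac
}

# store_webhook_url SCOPE KEY URL
# The URL is piped on stdin instead of being passed with --string-value,
# so it never appears in the argument list of a process.
store_webhook_url() {
  local scope="$1" key="$2" url="$3"
  validate_webhook_url "$url" || { echo "refusing non-https URL" >&2; return 2; }

  # Create the scope only if it is missing. Assumption: the default table
  # output of list-scopes has the scope name in the first column.
  databricks secrets list-scopes \
    | awk -v s="$scope" '$1 == s { found = 1 } END { exit !found }' \
    || databricks secrets create-scope "$scope" || return 1

  printf '%s' "$url" | databricks secrets put-secret "$scope" "$key" || return 1

  # Confirms the key exists; this lists key metadata, not the secret value.
  databricks secrets list-secrets "$scope"
}

# Interactive use: read the URL without echoing it or recording it in history.
#   read -rs -p "Tines Webhook URL: " TINES_URL; echo
#   store_webhook_url dasl-export tines-webhook-url "$TINES_URL"
```

Enter the same scope and key in the export configuration's secret fields.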