Tines Cases Destination Setup

Create cases in Tines for detection alerts with automated case management.

Prerequisites

  • Tines account with Cases access
  • Tines API key with case creation permissions
  • Team ID where cases will be created

Setup Steps

1. Get Tines API Key

  1. Log into your Tines tenant
  2. Navigate to Settings > API Keys
  3. Click Create API Key
  4. Enter name (e.g., "Query.ai Security Detections")
  5. Copy the API key (starts with tines_)

2. Get Team ID

  1. Navigate to the team where you want cases created
  2. Check the URL: https://your-tenant.tines.com/team/<team_id>/cases
  3. Note the team_id number

3. Configure in Query.ai

Contact your Query.ai administrator to configure the Tines Cases destination with:

Required Configuration:

  • Tenant domain (e.g., your-tenant.tines.com)
  • API key (stored securely)
  • Team ID

Optional Configuration:

  • Author email
  • Assignee emails (list)
  • Timeout in seconds (default: 30)

Case Details

Case Name

Format: [SEVERITY] Detection Name

Example: [HIGH] Suspicious Login Attempts

Priority Mapping

Detection severity maps to Tines case priority:

Detection Severity    Tines Priority
CRITICAL              critical
HIGH                  high
MEDIUM                medium
LOW                   low

Case Description

The case description is formatted in Markdown and includes:

Detection Information:

  • Detection name, severity, outcome, match count
  • Run type (SCHEDULED or MANUAL)

Threshold Configuration:

  • Operator, threshold value, eagerness

Execution Metadata (if available):

  • Exhaustiveness (COMPLETED or STOPPED_EARLY)
  • Search ID and Trace ID for debugging

Timestamps:

  • When detection ran
  • Query time range

Errors (if any):

  • Up to 5 error messages

Link:

  • Clickable link to replay query in Query.ai

Case Metadata

Cases include metadata for filtering:

  • detection_id - Detection configuration ID
  • run_id - Unique execution run ID
  • severity - Detection severity
  • outcome - Detection outcome

Case Tags

Cases are automatically tagged with:

  • security-detection
  • Severity level (e.g., high, critical)

Case Status

All cases are created with:

  • Status: open
  • Priority: Based on severity mapping
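Putting the Case Details sections together, the following is an added example (not the Query.ai destination's own code) that builds the request body for POST /api/v2/cases/ from one detection run: the [SEVERITY] name format, the severity-to-priority mapping, the Markdown description sections in the order listed above (errors capped at 5), the filter metadata, the tags and the open status. The shape of the `detection`/`run` dicts and the `"metadata"` field name on the request are assumptions; an unknown severity is rejected rather than silently mapped.

```python
import json

# Detection severity -> Tines case priority, as in the mapping above.
PRIORITY_MAP = {"CRITICAL": "critical", "HIGH": "high", "MEDIUM": "medium", "LOW": "low"}
MAX_ERRORS = 5  # the description carries at most 5 error messages

# Constructed sample input (the shape of `detection`/`run` is an assumption).
SAMPLE_DETECTION = {"id": "det-001", "name": "Suspicious Login Attempts", "severity": "high",
                    "threshold": {"operator": ">=", "value": 5, "eagerness": "eager"}}
SAMPLE_RUN = {"id": "run-001", "outcome": "TRIGGERED", "match_count": 12, "run_type": "SCHEDULED",
              "ran_at": "2024-05-01T08:00:00Z", "range_start": "2024-05-01T07:00:00Z",
              "range_end": "2024-05-01T08:00:00Z", "errors": [f"source {i} timed out" for i in range(7)]}

def build_case_payload(detection, run, team_id, replay_url):
    severity = str(detection["severity"]).upper()
    if severity not in PRIORITY_MAP:
        raise ValueError(f"unknown severity {severity!r}")  # fail closed: no mis-prioritised case
    priority = PRIORITY_MAP[severity]
    t = detection["threshold"]
    lines = [
        "## Detection Information",
        f"- **Name:** {detection['name']} | **Severity:** {severity}",
        f"- **Outcome:** {run['outcome']} | **Matches:** {run['match_count']} | **Run type:** {run['run_type']}",
        "", "## Threshold Configuration",
        f"- **Operator:** {t['operator']} | **Value:** {t['value']} | **Eagerness:** {t['eagerness']}",
    ]
    if "exhaustiveness" in run:  # execution metadata is only present when available
        lines += ["", "## Execution Metadata", f"- **Exhaustiveness:** {run['exhaustiveness']}",
                  f"- **Search ID:** {run.get('search_id')} | **Trace ID:** {run.get('trace_id')}"]
    lines += ["", "## Timestamps", f"- **Ran at:** {run['ran_at']}",
              f"- **Query range:** {run['range_start']} to {run['range_end']}"]
    errors = list(run.get("errors", []))
    if errors:  # keep the first 5, say how many were dropped
        lines += ["", "## Errors"] + [f"- {e}" for e in errors[:MAX_ERRORS]]
        if len(errors) > MAX_ERRORS:
            lines.append(f"- ({len(errors) - MAX_ERRORS} more not shown)")
    lines += ["", f"[Replay query in Query.ai]({replay_url})"]
    return {
        "team_id": str(team_id),
        "name": f"[{severity}] {detection['name']}",
        "description": "\n".join(lines),
        "priority": priority,
        "status": "open",
        "tag_names": ["security-detection", priority],
        "metadata": {"detection_id": detection["id"], "run_id": run["id"],  # field name assumed
                     "severity": severity, "outcome": run["outcome"]},
    }

if __name__ == "__main__":
    print(json.dumps(build_case_payload(SAMPLE_DETECTION, SAMPLE_RUN, 123, "https://query.example/replay/run-001"), indent=2))
```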

Testing

Test API key with curl:

curl -X POST \
  "https://your-tenant.tines.com/api/v2/cases/" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer tines_your_api_key_here" \
  -d '{
    "team_id": "123",
    "name": "Test Detection Case",
    "description": "This is a test case from Query.ai",
    "priority": "high",
    "status": "open",
    "tag_names": ["security-detection", "test"]
  }'

Expected Response: JSON object with case_id and url

Working with Cases in Tines

Automation Triggers

Create stories triggered on case creation:

  1. Create story with Case Trigger
  2. Filter by tags: security-detection
  3. Add actions based on priority

Example trigger configuration:

{
  "type": "trigger",
  "trigger_on": "case_created",
  "filters": {
    "tags": ["security-detection"]
  }
}

Example: High Priority Alert

{
  "url": "https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK",
  "method": "post",
  "content_type": "application/json",
  "payload": {
    "text": "🚨 High Priority Security Case Created",
    "blocks": [
      {
        "type": "section",
        "text": {
          "type": "mrkdwn",
          "text": "*Case:* <<case.name>>\n*Priority:* <<case.priority>>\n*URL:* <<case.url>>"
        }
      }
    ]
  },
  "if": "<<case.priority>> == 'high' OR <<case.priority>> == 'critical'"
}

Access Case Data

In Tines stories, access case data using:

<<case.name>>
<<case.priority>>
<<case.description>>
<<case.metadata.detection_id>>
<<case.metadata.severity>>
<<case.url>>

Troubleshooting

Error                  Solution
401 Unauthorized       Verify that the API key is correct and has case creation permissions
404 Not Found          Check that the tenant domain and team ID are correct
400 Bad Request        Verify that the team_id exists and the user has access to it
Cases not appearing    Check the team ID and verify the API key permissions

Configuration Options

Required

tenant_domain

  • Tines tenant domain
  • Format: your-tenant.tines.com (without https://)

api_key (secret)

  • Tines API key for authentication
  • Starts with tines_
  • Stored securely in AWS Secrets Manager

team_id

  • Team ID where cases will be created
  • Format: Integer

Optional

author_email

  • Email of the user creating the case
  • Must be valid Tines user email

assignee_emails

  • List of user email addresses to assign to case
  • Must be valid Tines user emails
  • Format: Array of strings

timeout

  • Request timeout in seconds
  • Default: 30
  • Maximum: 300 (5 minutes)

Security Best Practices

  1. Never Commit API Keys: Always store in Secrets Manager
  2. Use Service Accounts: Use dedicated API keys for automation
  3. Rotate Keys: Rotate API keys every 90 days
  4. Least Privilege: Limit API key permissions to case creation only
  5. Monitor Usage: Review case creation logs for anomalies

Resources