EDgaR 2.0 - Continuous Monitoring for EDR Compliance in CrowdStrike
Automate Continuous Monitoring for EDR Compliance in CrowdStrike with Tines
In a previous blog, I wrote about using Tines to check for Endpoint Detection & Response (EDR) compliance and asset discovery.
To my surprise, the Tines story won the grand prize for the YDWWT Spring 2025 contest.
I appreciate the recognition by Tines.
Through the creation of the EDgaR utility workflows, I learned that the most important lesson in solving cybersecurity challenges is collaboration.
While building the EDgaR utility with my colleagues from different infosec teams, we engaged in a free flow of ideas. From those ideas, I was able to implement workflows in a short time using the Tines no-code automation platform.
After creating EDgaR 1.0, I realized how Tines, as an automation platform, brought together different teams to solve the challenge of EDR compliance.
Tines became a tool of collaboration, especially with its short development cycles using no-code features such as the Automatic Mode for Event Transformation.
This free flow of ideas and quick development cycles were exciting!
After EDgaR 1.0, my colleague saw the possibilities with Tines. She suggested, “Instead of uploading CSV files to a webform, how about we continuously monitor CrowdStrike for EDR compliance?”
Awesome, what a great idea!
In a short time, EDgaR 2.0 came to fruition.
There are two scheduled workflows that query the CrowdStrike Host API endpoint.
In the first workflow, a Tines HTTP Action retrieves the initial host inventory, which is written to a Tines Resource.
The second workflow loads the initial server inventory and checks CrowdStrike to ensure the hosts are present in the console.
Any missing hosts are written to another Tines Resource or a Tines Record.
The workflow generates a report to departmental stakeholders with the initial host inventory along with any missing hosts.
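The comparison the second workflow performs can be sketched outside Tines as follows. This is an added example, not the EDgaR workflow itself: the `device_id` and `hostname` field names, the fallback match on hostname, and all sample records are assumptions made for illustration.

```python
# Added example. Field names and all sample records are constructed.

def normalize(hostname):
    """Lower-case and drop the DNS suffix so 'WEB01.corp.example' matches 'web01'.
    Trade-off: two hosts with the same short name in different domains collide."""
    return (hostname or "").strip().lower().split(".")[0]

def find_missing(baseline, current):
    """Return baseline hosts that no longer appear in the current console listing.

    A host counts as present if its device_id is still listed, or if some current
    record has the same normalized hostname (assumed here to mean the sensor was
    reinstalled and the host registered under a new device_id)."""
    current = list(current)
    ids = {h["device_id"] for h in current}
    names = {normalize(h.get("hostname")) for h in current} - {""}
    missing = [h for h in baseline
               if h["device_id"] not in ids
               and normalize(h.get("hostname")) not in names]
    return sorted(missing, key=lambda h: normalize(h.get("hostname")))

def build_report(baseline, current):
    """Plain-text summary of the kind a stakeholder report could carry."""
    baseline = list(baseline)
    missing = find_missing(baseline, current)
    lines = [f"Baseline hosts: {len(baseline)}",
             f"Missing from console: {len(missing)}"]
    lines += [f"- {h.get('hostname') or '(no hostname)'} ({h['device_id']})"
              for h in missing]
    return "\n".join(lines)

# Constructed sample data: the stored baseline and a later console listing.
BASELINE = [
    {"device_id": "aaa111", "hostname": "WEB01.corp.example"},
    {"device_id": "bbb222", "hostname": "db01"},
    {"device_id": "ccc333", "hostname": "app01"},
    {"device_id": "ddd444", "hostname": "files01"},
]
CURRENT = [
    {"device_id": "aaa111", "hostname": "web01"},
    {"device_id": "zzz999", "hostname": "DB01.corp.example"},  # new id, same host
    {"device_id": "ccc333", "hostname": "app01"},
]

if __name__ == "__main__":
    print(build_report(BASELINE, CURRENT))
```

Matching on the identifier first and the normalized hostname second keeps a re-registered host out of the missing list, while a host that has disappeared entirely is still reported.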
Feel free to download the workflows from the tines folder.
Swap out CrowdStrike for your EDR or backend solution that you would like to monitor continuously.
Once you start automating, you cannot stop!
Happy Building and Collaborating!
Tom