Security Automation March 27, 2026 · 8 min read

Automated Building of Tines Stories Using Claude Code

Tines is already one of the best automation platforms for security teams. So I built a Claude Code integration that lets you build, review, and audit Tines stories through conversation, feeding it real events to drive changes from production data.


If you work in security operations long enough, you develop a particular relationship with your automation platform. You know every quirk, every gotcha, every time you've spent 45 minutes debugging a webhook payload that turned out to have a trailing newline. Tines is exceptional at what it does, but like any platform it still requires context-switching, API familiarity, and a lot of time staring at story JSON.

I wanted to change that. So I built tines_Builder: a Claude Code integration that lets you build, review, and manage Tines automations using natural language directly from your terminal.

The Problem Worth Solving

Security engineers are not API documentation readers. We're threat responders, detection engineers and automation architects. But when you want to audit your Tines tenant, find unused credentials, identify misconfigured stories or review whether a story follows best practices, you're suddenly a DevOps engineer making curl requests against an API.

The cognitive load is real. You're context-switching from threat hunting to API reference docs to Python scripts, all just to answer the question: "Is this story doing what it's supposed to?"

Claude Code already knows how to reason about code, workflows, and logic. Tines stories are just structured JSON. This felt like a natural fit.

Why Not Just Use Story Copilot?

Tines launched Story Copilot as a native AI assistant built directly into the storyboard. It's genuinely useful. You can ask it to explain a story, troubleshoot why something isn't firing or generate a new workflow from a description. For straightforward build tasks it works well.

But it has a ceiling.

Story Copilot is a build tool. You describe what you want, it builds it. What I needed was something closer to a planning partner with the ability to discuss the logic of a story before writing a single action, explore trade-offs, and iterate on the design conversationally.

More importantly: real SOC work doesn't happen in the abstract. A detection fires. A webhook delivers a payload you didn't expect. An API returns a field structure that breaks your enrichment logic. With Claude Code, I can drop a link to the Tines event directly into the conversation and it pulls the full event automatically. From there I just say "based on this, update the story to handle this case" and it does. The changes are grounded in what actually happened, not a hypothetical description of what might happen.

That feedback loop, real event in and story update out, is the core of how I iterate on automations now. Story Copilot doesn't have it.

What tines_Builder Does

At its core, tines_Builder gives Claude Code full read and controlled write access to your Tines tenant. It exposes a set of slash commands and a natural language interface for the most common SOC automation workflows.

The Slash Commands

/tines-build <description>

Describe what you want in plain English and get story JSON back. Instead of dragging actions onto a canvas and wiring them together, you describe the workflow:

"Build me a story that receives a PagerDuty webhook, enriches the alert IP with VirusTotal, and if the score is above 50, creates a Jira ticket and posts to the #sec-alerts Slack channel."

Claude reasons about the Tines action schema, constructs the story JSON, and you import it. First draft in under a minute.

/tines-review <story_id>

Quality assessment against best practices. This is where I've personally found the most value. Every team has that one story that's been running for 18 months and nobody wants to touch. /tines-review pulls the story, reads every action, and gives you a structured critique:

  • Are credentials hardcoded or using proper Tines credential references?
  • Are there error handling paths or does this story silently fail?
  • Is there dead code, actions that are wired up but never triggered?
  • Does the logic match what the story name says it does?

It's like having a code review for your automation.
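Two of the checks above (hardcoded credentials and dead actions) can be run statically over an exported story. The following is an added example, not code from tines_Builder; the export layout (`agents`, `links` with `source`/`receiver` indexes), the `<<CREDENTIAL.name>>` reference syntax, the webhook type as the only entry point, and the sample story are all assumptions made for illustration.

```python
import re

# Assumptions (not from the post): "agents" holds actions, "links" holds
# {"source": i, "receiver": j} indexes into it, webhooks are the entry points.
CRED_REF = re.compile(r"<<\s*CREDENTIAL\.\w+\s*>>")
SECRET_KEY = re.compile(r"authorization|api[-_]?key|token|secret|password", re.I)
ENTRY_TYPES = {"Agents::WebhookAgent"}

def walk(value, key=""):
    """Yield (key, leaf) for every scalar nested inside dicts and lists."""
    if isinstance(value, dict):
        for name, child in value.items():
            yield from walk(child, name)
    elif isinstance(value, list):
        for child in value:
            yield from walk(child, key)
    else:
        yield key, value

def hardcoded_secrets(story):
    """(action, option key) pairs where a secret-looking key holds a literal."""
    return [(agent["name"], key)
            for agent in story["agents"]
            for key, leaf in walk(agent.get("options", {}))
            if SECRET_KEY.search(key) and isinstance(leaf, str)
            and leaf and not CRED_REF.search(leaf)]

def unreachable_actions(story):
    """Names of actions that no entry point reaches by following links."""
    edges = {}
    for link in story.get("links", []):
        edges.setdefault(link["source"], []).append(link["receiver"])
    agents, seen = story["agents"], set()
    todo = [i for i, a in enumerate(agents) if a["type"] in ENTRY_TYPES]
    while todo:
        node = todo.pop()
        if node not in seen:
            seen.add(node)
            todo.extend(edges.get(node, []))
    return [a["name"] for i, a in enumerate(agents) if i not in seen]

# Constructed sample export, not a real story.
SAMPLE = {"agents": [
    {"name": "Receive alert", "type": "Agents::WebhookAgent", "options": {}},
    {"name": "VT lookup", "type": "Agents::HTTPRequestAgent",
     "options": {"headers": {"x-apikey": "<<CREDENTIAL.virustotal>>"}}},
    {"name": "Create ticket", "type": "Agents::HTTPRequestAgent",
     "options": {"headers": {"Authorization": "Bearer hardcoded-example-token"}}},
    {"name": "Old Slack post", "type": "Agents::HTTPRequestAgent", "options": {}},
], "links": [{"source": 0, "receiver": 1}, {"source": 1, "receiver": 2}]}
```

On the sample, the literal `Authorization` header on "Create ticket" is reported and "Old Slack post" is reported as unreachable; stories started by something other than a webhook would need their entry type added to `ENTRY_TYPES`.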

/tines-audit

Tenant-wide hygiene. This command scans your entire Tines environment for:

  • Credentials that aren't referenced by any active story
  • Resources that are duplicated or stale
  • Stories with no recent activity that are still consuming tenant capacity
  • Misconfigured stories with obvious logic gaps

This is the one I run before any quarterly security review. It surfaces the kind of drift that creeps into any automation platform over time.

/tines-session

Session management for continuity. When you're working across a complex migration or a multi-story build, Claude maintains context in sessions/current/. You can archive, restore, or review what was done in a previous session, which is useful when you pick up mid-task after a meeting interruption.

The Safety Model

This part matters. Automation tools that touch production environments need clear guardrails.

tines_Builder enforces a hard split between read and write operations at the script level.

Read operations (list_stories.py, get_story.py, export_story.py, list_actions.py, list_credentials.py, list_resources.py) run without confirmation. They're safe and informational.

Write operations (import_story.py, create_resource.py, update_resource.py, delete_resource.py) require explicit confirmation before execution. Claude will describe what it's about to do and ask you to confirm before anything is pushed to your tenant.

This is intentional. In a production SOC environment, an automation tool that modifies your incident response workflows without a confirmation step is a liability. The UX friction is worth it.
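One way to express this read/write split as a gate that fails closed, shown as an added example and not the project's own implementation. The script names are the ones listed above; the `authorize` function, the `Refused` exception, and the typed-name confirmation are assumptions.

```python
# Script names are the ones listed in the post; the gate logic is an assumption.
READ_SCRIPTS = {"list_stories.py", "get_story.py", "export_story.py",
                "list_actions.py", "list_credentials.py", "list_resources.py"}
WRITE_SCRIPTS = {"import_story.py", "create_resource.py",
                 "update_resource.py", "delete_resource.py"}

class Refused(Exception):
    """The requested script must not run."""

def authorize(script, summary, ask=input):
    """Return "read" or "write" if the script may run; raise Refused otherwise."""
    if script in READ_SCRIPTS:
        return "read"  # informational, runs without a prompt
    if script not in WRITE_SCRIPTS:
        # Fail closed: a new or renamed script is not implicitly a read.
        raise Refused(f"{script}: unclassified script")
    prompt = f"About to run {script}: {summary}\nType the script name to confirm: "
    try:
        answer = ask(prompt)
    except EOFError:
        # No operator on stdin (piped or headless run): treat as a refusal.
        raise Refused(f"{script}: no confirmation available") from None
    if answer.strip() != script:
        # A bare Enter or a reflexive "y" is not enough for a tenant change.
        raise Refused(f"{script}: confirmation did not match")
    return "write"
```

Classifying by explicit lists means a script added later is blocked until someone decides which side of the split it belongs on.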

Setup

You need a Tines tenant with API access, Python 3, and Claude Code installed.

git clone https://github.com/sidops/tines_Builder
cd tines_Builder
pip install -r requirements.txt

Configure your .env:

TINES_TENANT_DOMAIN=your-tenant.tines.com
TINES_API_KEY=your-api-key
TINES_TEAM_NAME=your-team-name

Then open the project in Claude Code and start talking.

> List all active stories in my tenant
> Export story 42 and review it for security issues
> Build me a story that monitors for new Okta admin assignments and alerts to Slack

No command syntax to memorise. Just describe what you want to accomplish.

How I Actually Use This

In practice, I use three workflows repeatedly.

Pre-deployment review: Before a new story goes live, I run /tines-review against the story ID. It's caught credential references that should have used Tines secrets, missing error paths on external API calls, and cases where a story was writing sensitive data to a resource readable by the whole team.

Quarterly tenant audits: I run /tines-audit before any compliance review. Tines tenants accumulate drift: stories built for an incident response last year, credentials for integrations that were deprecated, resources that nobody can trace back to a current use case. The audit surfaces all of it.

Event-driven iteration: When a story misbehaves in production, I drop the Tines event link into Claude Code and it pulls the full event automatically. From there I describe what went wrong and ask it to fix the story. The conversation is grounded in real data, not a description of the problem. This is faster and more accurate than trying to reproduce the failure in a test environment.

The Broader Point

Security teams are under-resourced almost universally. The automation platforms we use are powerful but they have a learning curve and demand consistent investment to use well. Most teams have a handful of people who actually understand the platform deeply and a long backlog of automation work that never gets done.

AI-assisted tooling like tines_Builder doesn't replace that expertise. It multiplies it. The experienced engineer still designs the workflow logic and reviews the output, but the gap between "I know what I want to build" and "it's running in production" gets dramatically smaller.

That's the value. Not magic, just leverage.


The project is open source at github.com/sidops/tines_Builder. If you're running a Tines environment and want to try it, contributions and feedback are welcome.

Sid Pillarisetty

Senior Security Engineer
