
Security Automation Evolved: From SlackOps to Programmatic SIEM Triage (Part 1/2)

Blog post from Sourcegraph

Post Details
Company: Sourcegraph
Date Published:
Author: Vincent Ruijter
Word Count: 875
Language: English
Hacker News Points: -
Summary

Sourcegraph's security team has evolved its alert handling from a Slack-based triage bot called SecBot into a more sophisticated system built on programmatic Security Information and Event Management (SIEM) detections with expression-based auto-close rules. SecBot was first implemented in 2022 to work around limitations of the Elastic Security platform: it enriched alerts by calling APIs and applied pattern matching for triage, which let the team manage alerts from their phones. As the system matured, the team added enrichments from additional sources, including Google Cloud Platform (GCP) and threat intelligence databases, to supply context and automate alert closure. By 2024 the team had fully migrated their rules to the SIEM, so SecBot now templates alerts and adds the required enrichments, such as resolving service account names and pulling GCP metadata, and closes alerts automatically when specific conditions are met. This automation is driven by expr-lang, a Go expression evaluation library, which evaluates complex expressions against criteria such as a user's on-call status and project details to decide whether an alert should be closed. The enhancements have streamlined alert management, with SecBot posting real-time updates to Slack and reducing the manual effort involved in security triage.