通过代理简化安全调查
Slack’s Security Engineering team is responsible for protecting Slack’s core infrastructure and services. Our security event ingestion pipeline handles billions of events per day from a diverse array of data sources. Reviewing alerts produced by our security detection system is our primary responsibility during on-call shifts.
Slack的安全工程团队负责保护Slack的核心基础设施和服务。我们的安全事件摄取管道每天处理来自各种数据源的数十亿事件。在值班期间,审查我们安全检测系统产生的警报是我们的主要责任。
We’re going to show you how we’re using AI agents to optimize our working efficiency and strengthen Slack’s security defenses. This post is the first in a series that will unpack some of the design choices we’ve made and the many things we’ve learnt along the way.
我们将向您展示我们如何使用AI代理来优化工作效率并加强Slack的安全防御。这篇文章是一个系列的第一篇,将解读我们所做的一些设计选择以及我们在此过程中学到的许多东西。
The Development Process
开发过程
The Prototype
原型
At the end of May 2025 we had a rudimentary prototype of what would grow into our service. Initially, the service was not much more than a 300 word prompt.
到2025年5月底,我们有了一个初步的原型,这个原型将发展成我们的服务。最初,该服务不过是一个300字的提示。
The prompt consisted of five sections:
提示由五个部分组成:
- Orientation: “You are a security analyst that investigates security alerts […]”
- 方向: “您是一名安全分析师,负责调查安全警报 [……]”
- Manifest: “You have access to the following data sources: […]”
- 清单: “您可以访问以下数据源: [……]”
- Methodology: “Your investigation should follow these steps: […] ”
- 方法论: “您的调查应遵循以下步骤: [……] ”
- Formatting: “Produce a markdown report of the investigation: […]”
- 格式化: “生成调查的markdown报告: [……]”
- Classification: “Choose a response classification from: […]”
- 分类: “从以下选项中选择响应分类: [……]”
We implemented a simple “stdio” mode MCP server to safely expose a subset of our data sources through the tool call interface. We repurposed a coding agent CLI as an execution environment for our prototype.
我们实现了一个简单的 “流”模式MCP服务器,以安全地通过工具调用接口暴露我们数据源的一个子集。我们将编码代理CLI重新用于我们的原型的执行环境。
The performance of our prototype implementation was highly variable: sometimes it would produce excellent, insightful results with an impressive ability to cross-reference evidence across different data sources. Howev...