[Hacker News repost] Show HN: Tracecat – Open-source security alert automation / SOAR alternative
-
Title: Show HN: Tracecat – Open-source security alert automation / SOAR alternative
Text: Hi HN, we are building Tracecat (https://tracecat.com/), an open source automation platform for security alerts. Tracecat automates the tasks a security analyst has to do when responding to a security alert: e.g. contact victims, investigate security logs, report vulnerability.

The average security analyst deals with 100 alerts per day. As soon as an alert comes in, you have to investigate and respond. An average alert takes ~30 minutes to analyze (and 100 x 30 min = 50 hours > one whole day). Lots of things get dropped, and this creates vulnerabilities. Many breaches can be traced back to week-old alerts that didn’t get properly investigated.

Since the risks and costs are so high, top security teams currently pay Splunk SOAR $100,000/year to help automate alert processing. It’s a click-and-drag workflow builder with webhooks, REST API integrations, and JSON processors. A security engineer would use it to build alert automations that look like this: (1) webhook to receive alert (e.g. unusual powershell cmd) from Microsoft Defender; (2) send yes/no Slackbot to ask employee about the alert; (3) if confirmed as suspicious, send malware sample to VirusTotal for report; (4) collect evidence from previous steps and dump it into a ticket.

If $100k a year seems wildly expensive for a Zapier-like platform, you’d be half right. Splunk SOAR is actually a Zapier + log search + Jira ticketing system.

Log storage—that’s how Splunk turns a $99/month workflow automation tool into a pricey enterprise product. Every piece of evidence collected (e.g. Slackbot response, malware report, GeoIP enrichment) and every past workflow trail has to be searchable by a human incident responder or auditor. Security teams need to know why every alert escalated to a SEV1 or not.

My cofounder and I are data engineers who fell into this space. We heard our security friends constantly complain about being priced out of a SOAR (security orchestration, automation, and response platform) like Splunk SOAR.

We both wrote a lot of event-driven code at school (Master’s thesis) and work (Meta / PwC). We’re also early adopters of Quickwit / Tantivy, an OSS alternative to Elasticsearch / Apache Lucene that is cheaper and faster. It didn’t seem that difficult to build a cheaper open source SOAR, so we decided to do it.

Tracecat is also different as it can run in a single VM / laptop. Splunk SOAR and Tines are built for Fortune 10 needs, which means expensive Kubernetes clusters. Most security teams don’t need that scale, but are forced to pay the K8s “premium” (high complexity, hard to maintain). Tracecat uses OSS embedded databases (SQLite) and an event processing engine we built using Python 3.12 asyncio.

So far, we’ve just got a bare-bones alpha but you can already do quite a few things with it, e.g. trigger event-driven workflows from webhooks; use REST API integrations; parse responses using JSONPath; control flow using conditional blocks; store logs cheaply in Tantivy; open cases directly from workflows; prioritize and manage cases in a Jira-like table.

Tracecat uses Pydantic V2 for fast input / output validation and Zod for fast form validation. We care a lot about data quality! It’s also Apache-2.0 licensed so anyone can self-host the platform.

On our roadmap: integrations with popular security tools (Crowdstrike, Microsoft Defender); pre-built workflows (e.g. investigating phishing email); better docs; more AI features like auto-labeling tickets, extracting data from unstructured text etc.

We’re still early so would love your feedback and opinions. Feel free to try us out or share it with your security friends. We have a cloud version up and running: https://platform.tracecat.com.

Dear HN readers, we’d love to hear your incident response stories and the software you use (or not) to automate the work. Stories from security, site reliability engineering, or even physical systems like critical infrastructure monitoring are all very welcome!
Url: https://github.com/TracecatHQ/tracecat
Post by: neochris
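The four-step playbook the post describes (webhook in, yes/no question to the employee, conditional reputation lookup, evidence collected into a ticket), as an added Python asyncio example; this is not Tracecat's code, and the Slack answers, hash reports, e-mail addresses and alert payloads are constructed stand-ins for the real integrations.

```python
import asyncio
from dataclasses import dataclass, field

# Constructed stand-ins for the external services; not real endpoints or data.
FAKE_SLACK_ANSWERS = {"alice@example.com": "yes", "bob@example.com": "no"}
FAKE_VT_REPORTS = {"deadbeef" * 8: {"malicious": 41, "harmless": 2}}


@dataclass
class Case:
    """Ticket opened by the workflow; `evidence` is the audit trail of each step."""
    alert_id: str
    severity: str = "low"
    evidence: list = field(default_factory=list)


def validate_alert(payload: dict) -> dict:
    """Step 1: validate the webhook payload before anything acts on it."""
    for key in ("id", "user", "command", "sha256"):
        if not isinstance(payload.get(key), str) or not payload[key]:
            raise ValueError(f"alert missing required field: {key}")
    return payload


async def ask_employee(user: str) -> str:
    """Step 2: stubbed Slackbot asking the user 'did you run this command?'."""
    await asyncio.sleep(0)  # stands in for the network round-trip
    return FAKE_SLACK_ANSWERS.get(user, "no-reply")


async def lookup_sample(sha256: str) -> dict:
    """Step 3: stubbed file-reputation lookup keyed by hash."""
    await asyncio.sleep(0)
    return FAKE_VT_REPORTS.get(sha256, {"malicious": 0, "harmless": 0})


async def run_playbook(payload: dict) -> Case:
    alert = validate_alert(payload)
    case = Case(alert_id=alert["id"])
    case.evidence.append({"step": "webhook", "command": alert["command"]})
    answer = await ask_employee(alert["user"])
    case.evidence.append({"step": "slackbot", "user": alert["user"], "answer": answer})
    # Conditional block: a "yes" from the employee closes the case as benign;
    # anything else (a "no" or silence) is treated as suspicious and enriched.
    if answer != "yes":
        report = await lookup_sample(alert["sha256"])
        case.evidence.append({"step": "reputation", **report})
        case.severity = "high" if report["malicious"] > 0 else "medium"
    return case  # Step 4: the case carries every collected piece of evidence


def run(payload: dict) -> Case:
    return asyncio.run(run_playbook(payload))
```

Every step appends to `case.evidence`, which is the "why did this escalate" trail the post says a responder or auditor has to be able to search later.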
Comments:
rosslazer: I don't know why so many people here are shitting on you guys. It is an impressive demo and launch and a wide-open market. I'm rooting for you, guys. There's an easy opening even just after the "inbox" for the security alert use case.
dogman144: You’re not measuring against Splunk, you should be measuring against Tines. And Tines is def broader than Fortune 10, they sell the heck out to startups, so I think you’ve got your market wrong. Expensive boogeyman Splunk is replaced by a lot of solid vendors now that aren’t $100k+.

This flow isn’t really accurate either: “A security engineer would use it to build alert automations that look like this…”

Also, you’re competing against the difficult rep of other open source sec tools, namely Elasticsearch. It’s not used much for a reason.

**But my very very top of mind, and what you’ll get asked by any sec team worth its salt, is what is your own security program, team of 2 data engineers?

Literally, do you have anyone hired to do it? Who? Why should I ship you any of my data, let you tag it, and plug into my sec platforms, when I assume it’s basically nonexistent. Your environment becomes my env if I do, and we all know startup security posture bc we’ve worked on that side of the coin in the past. So don’t sell us nonsense around what audits you’ve passed. Open Source adds an interesting margin of safety here, but you’re a YC company with plans to make revenue, so the exposure is there somewhere.

SaaS vendors are a massive supply chain vector right into a company, happens all the time and is growing, and the teams trying to sell me security tools with a 0.0% security program themselves are humorously many.
toomuchtodo: Please put a stake in the heart of Palo Alto's XSOAR SOAR. Wishing you much success.

Edit: Keep in mind, the folks who operate this are typically not engineers. They are security analysts and other non-dev infosec/cybersec stakeholders. Refer to how Palo Alto XSOAR uses drag and drop playbooks [1] (somewhat like n8n's workflow builder [2], a Zapier competitor). I recommend building a library of default playbooks that customer SOCs and other detection response consumers of your product can adopt (based on customer product feedback and conversations), like you adapt your business to SAP vs customizing SAP to your business.

[1] https://xsoar.pan.dev/docs/playbooks/playbooks-overview

[2] https://docs.n8n.io/courses/level-one/chapter-4/

(head of infosec in finance, xsoar comes out of my spend)
badrabbit: Kudos on the effort for sure. Your biggest challenge is having good integrations for literally everything. Second big challenge: companies that will use open source are a rarity.

I can't express how much stuff is my bread and butter. No one wants to write scripts, that's the whole point of a SOAR in the minds of people using this. Really, the support is most of the cost, not the product itself. Just have Splunk create an app or whatever integration. Then your playbooks have to be easy to manage, which I am sure you can figure out.

But then you have to implement case management too, no one wants a separate case management tool. These days, even the SIEM is expected to be just another tab/feature in the SOAR.

I hope you don't expect security teams to self-host either. It's a major PITA.

I like open source, but not having support first and foremost is a huge red flag for me since I have been burned badly by FOSS projects. If you have a fully managed and supported commercial version of the product, that'd be great.

Edit: oh and the "AI" stuff only impresses management types, great if that's your audience but at least in my experience, you better be ready to answer questions around that and expect mild hostility because of how gimmicky it is (just my $0.02)
tomashertus: These are exciting times in the cybersecurity industry with the recent growth of open-source security tools (osquery, Fleet, Wazuh, etc.). Anyway, I'm skeptical about the detection efficacies, usefulness, and scalability of those products. I do not see them widely adopted either. These are my observations from your pitch:

Your pitch mentions large costs for traditional SOAR products and that you want your solution to be focused on smaller companies that don't have money to pay for expensive SOC tools. Nevertheless, the market reality is that if a company has a SOC team (who is the traditional end-user of a SOAR tool), they don't care about $100k for a SOAR because they will spend hundreds of thousands a month for log storage, security tools, and HR. It's much more common for your target audience to use ITSM as a security incidents management tool. Just look at what ServiceNow is doing in this space for example: https://docs.servicenow.com/bundle/washingtondc-security-management/page/product/security-operations/concept/security-operations-intro.html. Based on this one fact, I think that you didn't spend enough time understanding your target customer, who are in this case not SOC/Security teams, but IT teams.

Incident management is a critical process for every SOC team and its effectiveness is tracked by measuring the mean-time-to-resolve metric. How do you want to convince SOC teams to use open-source tools for their mission-critical process rather than buying one of the established SOAR tools that are integrated with their security stack? (& there are many options in the SOAR space) How can your product help companies lower the operational costs of case management? (improving the mean-time-to-resolve KPI)

Please, don't get discouraged by my comments. SOAR is an essential part of every security stack and the current offerings have flaws. But the narrative in your pitch is flawed and indicates a lack of understanding of current security buyers and personas.