Slack v2

Send messages and notifications to your Slack Team. This integration was integrated and tested with version 4.0.1 of Slack, and is available from Cortex XSOAR version 5.0.

Use Cases

  • Mirror Cortex XSOAR investigation War Rooms to Slack channels and vice-versa.
  • Send notifications, messages, and files from Cortex XSOAR to Slack.
  • Get notifications in Slack about events in Cortex XSOAR.
  • Manage Cortex XSOAR incidents via direct messages to the Cortex XSOAR bot.
  • Manage Slack channels (create, edit, invite, kick, close).

Detailed Description

  • To allow us access to Slack, the Cortex XSOAR app has to be added to the relevant workspace. Do so by clicking on the following link.
  • After adding the Cortex XSOAR app, you will get an Access Token and Bot Token, which should be inserted in the integration instance configuration's corresponding fields.

Configure SlackV2 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for SlackV2.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Slack API access token : A token received by adding the application (Starts with xoxp).
    • Slack API bot token : A token received by adding the application (Starts with xoxb).
    • Dedicated Slack channel to receive notifications
    • Send notifications about incidents to the dedicated channel
    • Minimum incident severity to send messages to slack by
    • Type of incidents created in Slack
    • Allow external users to create incidents via DM
    • Use system proxy settings
    • Trust any certificate (not secure)
    • Bot display name in Slack (Cortex XSOAR by default)
    • Bot icon in Slack - Image URL (Demisto icon by default)
    • Maximum time to wait for a rate limited call in seconds - 60 by default
    • Number of objects to return in each paginated call - 200 by default
    • Proxy URL to use in Slack API calls
  4. Click Test to validate the new instance.
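The parameters above interact in ways the Test button does not always catch: the two tokens have distinct prefixes (xoxp for the access token, xoxb for the bot token) and are easy to swap, a dedicated channel is needed when incident notifications are on, only http proxies work (see Known Limitations), and two settings (Trust any certificate, Allow external users to create incidents via DM) weaken the instance's security posture. The following is an added example, not code from the integration: a pre-flight check over a constructed configuration record whose keys (`access_token`, `bot_token`, `dedicated_channel`, and so on) are hypothetical names that stand in for the dialog fields above, and whose severity list is assumed from the Cortex XSOAR UI.

```python
from urllib.parse import urlparse

# Severity levels as shown in the Cortex XSOAR UI (an assumption for this example).
SEVERITY_LEVELS = ("Unknown", "Informational", "Low", "Medium", "High", "Critical")

# Constructed sample configuration. The keys are hypothetical and map onto the
# fields of the configuration dialog, not onto the integration's internal names.
SAMPLE_PARAMS = {
    "access_token": "xoxp-EXAMPLE-NOT-A-REAL-TOKEN",
    "bot_token": "xoxb-EXAMPLE-NOT-A-REAL-TOKEN",
    "dedicated_channel": "soc-incidents",
    "notify_incidents": True,
    "min_severity": "High",
    "allow_external_dm_incidents": False,
    "trust_any_certificate": False,
    "proxy_url": "http://proxy.corp.example:3128",
    "rate_limit_wait_seconds": 60,
    "page_size": 200,
}


def validate_params(params):
    """Return a list of (level, message) tuples; an empty list means the instance passes."""
    findings = []
    access = params.get("access_token") or ""
    bot = params.get("bot_token") or ""

    # The access token starts with xoxp and the bot token with xoxb; a swapped
    # pair gives each API call the wrong identity and scopes.
    if not access.startswith("xoxp"):
        findings.append(("error", "Slack API access token must start with xoxp"))
    if not bot.startswith("xoxb"):
        findings.append(("error", "Slack API bot token must start with xoxb"))
    if access.startswith("xoxb") or bot.startswith("xoxp"):
        findings.append(("error", "access token and bot token appear to be swapped"))

    if params.get("notify_incidents") and not params.get("dedicated_channel"):
        findings.append(("error", "incident notifications are enabled but no dedicated channel is set"))

    if params.get("min_severity") not in SEVERITY_LEVELS:
        findings.append(("error", "unknown minimum severity %r" % (params.get("min_severity"),)))

    # Only http proxies are supported; any other scheme will not work.
    proxy = params.get("proxy_url") or ""
    if proxy:
        scheme = urlparse(proxy).scheme
        if scheme != "http":
            findings.append(("error", "proxy URL scheme %r is not supported; only http proxies work" % scheme))

    # Settings that weaken the security posture are reported as warnings rather
    # than errors, so the operator decides whether they are acceptable here.
    if params.get("trust_any_certificate"):
        findings.append(("warning", "Trust any certificate is enabled; TLS verification of the interactive-responses endpoint is disabled"))
    if params.get("allow_external_dm_incidents"):
        findings.append(("warning", "users who are not Cortex XSOAR users may create incidents via DM"))

    for key in ("rate_limit_wait_seconds", "page_size"):
        value = params.get(key)
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            findings.append(("error", "%s must be a positive integer" % key))

    return findings


def is_valid(params):
    """True when no error-level finding was produced (warnings are allowed)."""
    return not any(level == "error" for level, _ in validate_params(params))
```

Run `validate_params` on the record you are about to save; errors block the instance, warnings are worth a line in the change ticket because they widen who can create incidents or what the integration will trust.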

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. mirror-investigation
  2. send-notification
  3. close-channel
  4. slack-send-file
  5. slack-set-channel-topic
  6. slack-create-channel
  7. slack-invite-to-channel
  8. slack-kick-from-channel
  9. slack-rename-channel
  10. slack-get-user-details

1. mirror-investigation

Mirrors the investigation between Slack and the Cortex XSOAR War Room.

Base Command

mirror-investigation

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| type | The mirroring type. Can be "all", which mirrors everything, "chat", which mirrors only chats (not commands), or "none", which stops all mirroring. | Optional |
| autoclose | Whether the channel is auto-closed when an investigation is closed. Can be "true" or "false". Default is "true". | Optional |
| direction | The mirroring direction. Can be "FromDemisto", "ToDemisto", or "Both". Default value is "Both". | Optional |
| mirrorTo | The channel type. Can be "channel" or "group". The default value is "group". | Optional |
| channelName | The name of the channel. The default is "incident- ". | Optional |
| channelTopic | The topic of the channel. | Optional |
| kickAdmin | Whether to remove the Slack administrator (channel creator) from the mirrored channel. | Optional |

Context Output
There is no context output for this command.

Command Example

!mirror-investigation type=all autoclose=true direction=Both channelName=my-mirror channelTopic=my-incident

Human Readable Output

Investigation mirrored successfully, channel: my-mirror

2. send-notification

Sends a message to a user, group, or channel.

Base Command

send-notification

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| message | The message content. | Optional |
| to | The user to whom to send the message. Can be either the username or email address. | Optional |
| channel | The name of the Slack channel to which to send the message. | Optional |
| entry | An entry ID to send as a link. | Optional |
| ignoreAddURL | Whether to include a URL to the relevant component in Cortex XSOAR. Can be "true" or "false". Default value is "false". | Optional |
| threadID | The ID of the thread to which to reply. Can be retrieved from a previous send-notification command. | Optional |
| blocks | A JSON string of Slack blocks to send in the message. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Slack.Thread.ID | String | The Slack thread ID. |

Command Example

!send-notification channel=general message="I love Cortex XSOAR"

Context Example
{
    "Slack.Thread": {
        "ID": "1567407432.000500"
    }
}

Human Readable Output

Message sent to Slack successfully. Thread ID is: 1567407432.000500

3. close-channel

Archives a Slack channel.

Base Command

close-channel

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| channel | The name of the channel to archive. If not provided, the mirrored investigation channel is archived (if the channel exists). | Optional |

Context Output
There is no context output for this command.

Command Example

!close-channel

Human Readable Output

Channel successfully archived.

4. slack-send-file

Sends a file to a user, channel, or group. If not specified, the file is sent to the mirrored investigation channel (if the channel exists).

Base Command

slack-send-file

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| file | The ID of the file entry to send. | Required |
| to | The user to whom to send the file. Can be the username or the email address. | Optional |
| group | The name of the Slack group (private channel) to which to send the file. | Optional |
| channel | The name of the Slack channel to which to send the file. | Optional |
| threadID | The ID of the thread to which to reply. Can be retrieved from a previous send-notification command. | Optional |
| comment | A comment to add to the file. | Optional |

Context Output
There is no context output for this command.

Command Example

!slack-send-file file=1@2 channel=general

Human Readable Output

File sent to Slack successfully.

5. slack-set-channel-topic

Sets the topic for a channel.

Base Command

slack-set-channel-topic

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| channel | The channel name. If not specified, the topic of the mirrored investigation channel is set (if the channel exists). | Optional |
| topic | The topic for the channel. | Required |

Context Output
There is no context output for this command.

Command Example

!slack-set-channel-topic channel=general topic="Cortex XSOAR rocks"

Human Readable Output

Topic successfully set.

6. slack-create-channel

Creates a channel in Slack.

Base Command

slack-create-channel

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| type | The channel type. Can be "private" or "public". | Optional |
| name | The name of the channel. | Required |
| users | A CSV list of user names or email addresses to invite to the channel. For example: "user1, user2...". | Optional |

Context Output
There is no context output for this command.

Command Example

!slack-create-channel name=my-channel topic=cool-topic type=private users=demisto_integration

Human Readable Output

Successfully created the channel my-channel.

7. slack-invite-to-channel

Invites users to join a channel.

Base Command

slack-invite-to-channel

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| users | A CSV list of usernames or email addresses to invite to join the channel. For example: "user1, user2...". | Required |
| channel | The name of the channel to which to invite the users. If the name of the channel is not specified, the name of the mirrored investigation channel is used (if the channel exists). | Optional |

Context Output
There is no context output for this command.

Command Example

!slack-invite-to-channel channel=my-channel users=cool-user

Human Readable Output

Successfully invited users to the channel.

8. slack-kick-from-channel

Removes users from the specified channel.

Base Command

slack-kick-from-channel

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| users | A CSV list of usernames or email addresses to remove from a channel. For example: "user1, user2...". | Required |
| channel | The name of the channel from which to remove the users. If the name of the channel is not specified, the mirrored investigation channel is used (if the channel exists). | Optional |

Context Output
There is no context output for this command.

Command Example

!slack-kick-from-channel channel=my-channel users=cool-user

Human Readable Output

Successfully kicked users from the channel.

9. slack-rename-channel

Renames a channel in Slack.

Base Command

slack-rename-channel

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| name | The new name of the channel. | Required |
| channel | The current name of the channel. If the name of the channel is not specified, the mirrored investigation channel is used (if the channel exists). | Optional |

Context Output
There is no context output for this command.

Command Example

!slack-rename-channel channel=my-channel name=your-channel

Human Readable Output

Channel renamed successfully.

10. slack-get-user-details

Gets details about a specified user.

Base Command

slack-get-user-details

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| user | The Slack user (username or email). | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Slack.User.ID | String | The ID of the user. |
| Slack.User.Username | String | The username of the user. |
| Slack.User.Name | String | The actual name of the user. |
| Slack.User.DisplayName | String | The display name of the user. |
| Slack.User.Email | String | The email address of the user. |

Command Example

!slack-get-user-details user="cool_user"

Context Example
{
    "Slack.User": {
        "ID": "UXXXXXXXX",
        "Name": "Cool User",
        "Username": "cool_user",
        "Email": "cool_user@coolorg.com"
    }
}

Human Readable Output

Details for Slack user: cool_user

| ID | Username | Name | Email |
| --- | --- | --- | --- |
| UXXXXXXXX | cool_user | Cool User | cool_user@coolorg.com |

Additional Information

Change the name of the Cortex XSOAR App

You can change the name and icon of the Cortex XSOAR app in direct messages using the integration configuration settings (parameters). In order to change the name of the application itself, do the following:

  • Go to the app in the **Apps** section in Slack
  • In the app, go to **About > Settings**:
  • Scroll down and click the pencil icon to change the name.

Direct messages

You can send direct messages to the Cortex XSOAR app on Slack using the following commands:

list incidents [page x] - lists the current incidents in Cortex XSOAR. Requires user permissions in Cortex XSOAR.

list my incidents [page x] - lists the current incidents assigned to you in Cortex XSOAR. Requires user permissions in Cortex XSOAR.

list my tasks [page x] - lists the current tasks assigned to you in Cortex XSOAR. Requires user permissions in Cortex XSOAR.

list closed incidents - lists the closed incidents in Cortex XSOAR. Requires user permissions in Cortex XSOAR.

new incident [details] - creates a new incident in Cortex XSOAR. Requires user permissions in Cortex XSOAR, or that the `Allow external users to create incidents via DM` parameter is enabled.

mirror [incident-id] - mirrors an incident in Cortex XSOAR to a Slack channel. Requires user permissions in Cortex XSOAR for the specified incident.
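The DM commands above form a small grammar, and each carries its own permission rule: every command needs Cortex XSOAR user permissions except `new incident`, which is also allowed when `Allow external users to create incidents via DM` is enabled, and `mirror`, which additionally needs permission on the named incident. The following is an added example and not the integration's own handler: it parses a DM into a command and applies those rules before anything is executed. The exact tokens (`page` followed by a number, free text after `new incident`) and the shape of the `user` record (`is_xsoar_user` plus a set of accessible `incident_ids`) are assumptions made for the example.

```python
import re

# Grammar of the direct-message commands listed above. Treating "[page x]" as
# the literal word "page" plus a number is an assumption for this example.
_COMMANDS = [
    ("list_incidents", re.compile(r"^list incidents(?: page (?P<page>\d+))?$", re.I)),
    ("list_my_incidents", re.compile(r"^list my incidents(?: page (?P<page>\d+))?$", re.I)),
    ("list_my_tasks", re.compile(r"^list my tasks(?: page (?P<page>\d+))?$", re.I)),
    ("list_closed_incidents", re.compile(r"^list closed incidents$", re.I)),
    ("new_incident", re.compile(r"^new incident(?: (?P<details>.+))?$", re.I)),
    ("mirror", re.compile(r"^mirror (?P<incident_id>\S+)$", re.I)),
]


def parse_dm(text):
    """Map a DM to a command dict, or None when the text is not a known command."""
    normalised = " ".join(text.split())  # collapse whitespace; keeps the case of details
    for action, pattern in _COMMANDS:
        match = pattern.match(normalised)
        if not match:
            continue
        cmd = {"action": action}
        cmd.update({k: v for k, v in match.groupdict().items() if v is not None})
        if "page" in match.groupdict():
            cmd["page"] = int(match.group("page") or 1)  # first page when none given
        return cmd
    return None


def authorize(cmd, user, allow_external_dm_incidents=False):
    """Return (allowed, reason) for `user` running `cmd`.

    `user` is a constructed record: {"is_xsoar_user": bool, "incident_ids": set()},
    where incident_ids models the incidents this user may access.
    """
    if cmd is None:
        return False, "unrecognised command"
    is_user = bool(user.get("is_xsoar_user"))
    action = cmd["action"]
    if action == "new_incident":
        # The one command that can be opened to non-users, and only by explicit configuration.
        if is_user or allow_external_dm_incidents:
            return True, "ok"
        return False, "creating incidents via DM requires a Cortex XSOAR user or the external-DM parameter"
    if not is_user:
        return False, "requires Cortex XSOAR user permissions"
    if action == "mirror" and cmd["incident_id"] not in user.get("incident_ids", set()):
        return False, "no permission for incident %s" % cmd["incident_id"]
    return True, "ok"


def handle_dm(text, user, allow_external_dm_incidents=False):
    """Parse, then authorise; the caller acts only on results with allowed=True."""
    cmd = parse_dm(text)
    allowed, reason = authorize(cmd, user, allow_external_dm_incidents)
    return {"command": cmd, "allowed": allowed, "reason": reason}
```

The order matters: parsing first means an unrecognised message is rejected without consulting permissions, and authorisation happens before any incident data is read, so a non-user can never enumerate incidents by guessing a command.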

Notifications

The integration sends notifications as they are configured in the notification settings (User Preferences in Cortex XSOAR), and to the dedicated channel configured for incident notifications (according to the integration configuration). If a dedicated channel for incident notifications is configured, the following notifications will be sent there:

  • Incident opened
  • Incident updated
  • Investigation closed
  • Investigation deleted
  • Incident SLA changed
  • Task completed

Blocks and interactive components

The integration supports sending "blocks" to Slack. Blocks are a series of components that can be combined to create visually rich and compellingly interactive messages. In the integration, they can be sent as an array of JSON. More information about that here. You can experiment with and build your own blocks here.

The integration also allows some level of interactivity. When a user interacts with an element in a Slack message, Slack sends a request with the relevant information. This request is processed and stored by a dedicated endpoint outside of Cortex XSOAR at the address https://oproxy.demisto.ninja. The integration allows polling this endpoint for user interactions that contain entitlement strings, which are used to perform actions in Cortex XSOAR by external users. See the SlackAsk script for an example. This means that in order to enable interactivity using the integration, a connection to this endpoint has to be enabled.

The following information is sent to the dedicated endpoint in the request:

Headers
  • Current Cortex XSOAR content version
  • Current Cortex XSOAR server version
  • The name of the integration
  • Team name in Slack - for identification
  • Team ID in Slack - for identification
  • Cortex XSOAR license ID - for identification

Body
  • Entitlement - the unique entitlement string to allow interaction with Cortex XSOAR.

Important! The interactions work only with the Cortex XSOAR Integration bot, the only application that is allowed to send requests to the dedicated endpoint (for security reasons). They will not work with another application.
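The `blocks` argument of send-notification takes the block array as a JSON string, and Slack rejects messages that break Block Kit's size limits, so it is worth building and validating the array in code rather than hand-writing it. The following is an added example and not the integration's or the SlackAsk script's code: a small builder for section, divider and actions blocks that enforces the limits and returns the string to pass as `blocks=`. The limits are those of Slack's Block Kit documentation as I know them (50 blocks per message, 3000 characters of section text, 25 elements per actions block, 75 characters of button text) and should be confirmed against the current docs; the `analyst_prompt` button-value scheme is constructed for the example and is not the integration's entitlement format.

```python
import json

# Block Kit limits as documented by Slack at the time of writing (assumption).
MAX_BLOCKS_PER_MESSAGE = 50
MAX_SECTION_TEXT = 3000
MAX_ACTION_ELEMENTS = 25
MAX_BUTTON_TEXT = 75


def section(text):
    """A markdown section block; refuses text Slack would reject."""
    if len(text) > MAX_SECTION_TEXT:
        raise ValueError("section text exceeds %d characters" % MAX_SECTION_TEXT)
    return {"type": "section", "text": {"type": "mrkdwn", "text": text}}


def divider():
    return {"type": "divider"}


def button(label, action_id, value):
    """A button element; action_id and value come back in the interaction payload."""
    if len(label) > MAX_BUTTON_TEXT:
        raise ValueError("button text exceeds %d characters" % MAX_BUTTON_TEXT)
    return {"type": "button", "text": {"type": "plain_text", "text": label},
            "action_id": action_id, "value": value}


def actions(elements):
    if not 0 < len(elements) <= MAX_ACTION_ELEMENTS:
        raise ValueError("actions block must hold 1..%d elements" % MAX_ACTION_ELEMENTS)
    return {"type": "actions", "elements": list(elements)}


def build_message(blocks):
    """Validate the block list and return the JSON string for the `blocks` argument."""
    if not 0 < len(blocks) <= MAX_BLOCKS_PER_MESSAGE:
        raise ValueError("a message must hold 1..%d blocks" % MAX_BLOCKS_PER_MESSAGE)
    for block in blocks:
        if block.get("type") not in ("section", "divider", "actions"):
            raise ValueError("unsupported block type %r" % (block.get("type"),))
    return json.dumps(blocks, separators=(",", ":"))


def message_blocks(raw):
    """Round-trip helper: decode a string produced by build_message back to a list."""
    return json.loads(raw)


def analyst_prompt(incident_id, question, choices):
    """A question for the analyst plus one button per choice.

    Each button's value carries the incident id and the choice so the side that
    polls for interactions can tell which prompt was answered. This is a
    constructed scheme for the example, not the integration's entitlement format.
    """
    blocks = [section("*Incident %s*\n%s" % (incident_id, question)), divider()]
    buttons = [button(choice, "incident_%s_%s" % (incident_id, choice.lower()),
                      "%s:%s" % (incident_id, choice))
               for choice in choices]
    blocks.append(actions(buttons))
    return build_message(blocks)
```

`analyst_prompt("1234", "Isolate the host?", ["Yes", "No"])` returns a compact JSON string; in the CLI it is passed quoted, as in `!send-notification channel=soc blocks='<that string>'`. Because every element is built through a validating function, a ValueError surfaces in the automation rather than as a rejected Slack API call.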

Known Limitations

  • Due to limitations of the `aiohttp` library, only http proxies are supported.
  • Channels are created by the Slack user who authorized the application. Thus, this user will be in every channel that the integration creates. You cannot kick this user, but they can leave.
  • The integration can only manage channels that the application is a member of. Otherwise those channels will not be found.
  • Currently, the integration does not support working without verifying SSL certificates. The Trust any certificate parameter applies only to the endpoint for interactive responses, not to Slack API calls.

Troubleshooting

If messages are not mirrored in Cortex XSOAR, or direct messages are not handled properly, check the integration status on the integration page:

If you're having further issues, contact us at support@demisto.com and attach the server logs.