topic Re: Creating a Queue on Slack Integration in Cortex XSOAR Discussions

Creating a Queue on Slack Integration

michaelsysec242 — Thu, 24 Aug 2023 14:44:29 GMT

Hello all,

I am working with Slack from the playbook level where a message summarizing an incident is sent followed by Slackask automation to ask users on a channel to confirm the information with two interactive buttons. Take note that the flow has two different messages, the first is the summary using Slacknotification and the second task is slackask. I have realised that due to the fact that I am running this flow on a few different Incident Types I am receiving the messages not in order. In simpler terms the main message is accumulating and all the slacknotifications are being added in a bulk afterwards. I am aware that the the slackask takes a few seconds longer to be generated on the channel. I have two questions regarding this topic:

Can the instance be configured to have a queue in order to ensure the correct message order ?
Can a slackask task be sent with all the relevant information and once clicked, the original message (Incident Summary) remains ?

I understand this is a bit of a complicated process. I can show my flow regarding this topic and further information if it helps.

Thanks All

Re: Creating a Queue on Slack Integration

jfernandes1 — Fri, 25 Aug 2023 02:53:35 GMT

Hi @michaelsysec242, I don't think there is a method to do this via XSOAR. Notification and responses will get jumbled with multiple active incidents. For the ask response part at least you might be able to use the Demisto lock integration. It will work similar to queuing.

You can create the lock name using the username(Slack User) and Channel(Slack Channel). When a different incident tries to contact the same user via Slack, it will have to wait for the lock to be released or expire. The user is then engaged for 1 incident at a time.

Re: Creating a Queue on Slack Integration

michaelsysec242 — Mon, 28 Aug 2023 10:54:47 GMT

Thanks @jfernandes1 for the advice I will implement it and test for results.

Re: Creating a Queue on Slack Integration

KHassan — Thu, 18 Apr 2024 14:38:29 GMT

@michaelsysec242 were you able to find the solution?

We have a requirement to create an incident by taking the slack user responses? Can you help with this?

Re: Creating a Queue on Slack Integration

jfernandes1 — Wed, 24 Apr 2024 03:08:51 GMT

Hi @KHassan, you should ask this questions in a new conversation. But the short answer is yes, once you have Slack configured correctly, meaning that the a user can send messages to the bot. You can run the command "new incident name=test type=Unclassified" from the XSOAR Slack channel. This should create an incident in XSOAR, once the base incident is created, you can trigger a playbook to use the AskSlack to get additional details from the end user. You can also use the Slack Blocks feature to create a form. Refer - https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-teaching-xsoar-a-few-new-tricks-with-slack-blocks/

Maybe this is the long answer!

Re: Creating a Queue on Slack Integration

KHassan — Wed, 24 Apr 2024 07:34:16 GMT

@jfernandes1 , yes I am able to create an incident from slack into XSOAR. The issue is the incident created always has type=unclassified in xsoar, but it would ne nicer to have the type , reflect one of the xsoar incident types and that way I can map it to run the playbook automatically. The isuue with type=unclassified is it gets mixed with other incidents from other integrations, which will cause a confusion.

Re: Creating a Queue on Slack Integration

jfernandes1 — Wed, 24 Apr 2024 14:09:27 GMT

Hi @KHassan, You can override the incident type selected in the integration configuration. Like below.

You can also specify other incident types. An example command is below. Please note, that this will only work if the "Incident type" setting is set to "No incident type" in the integration configuration.

new incident name=Test Incident type=Lateral Movement

Re: Creating a Queue on Slack Integration

KHassan — Wed, 24 Apr 2024 15:12:58 GMT

@jfernandes1 which xsoar version are you using? I guess it must be 6 , because the version 8 doesnt have the option to map the classification/incident type/mapper option available in the integration page.

Re: Creating a Queue on Slack Integration

jfernandes1 — Fri, 26 Apr 2024 04:53:12 GMT

Hi @KHassan, I just noticed this. I think you will need to create a support case for this.