Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Creating a Queue on Slack Integration

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Creating a Queue on Slack Integration

L3 Networker

Hello all, 

I am working with Slack from the playbook level where a message summarizing an incident is sent followed by Slackask automation to ask users on a channel to confirm the information with two interactive buttons. Take note that the flow has two different messages, the first is the summary using Slacknotification and the second task is slackask. I have realised that due to the fact that I am running this flow on a few different Incident Types I am receiving the messages not in order. In simpler terms the main message is accumulating and all the slacknotifications are being added in a bulk afterwards. I am aware that the the slackask takes a few seconds longer to be generated on the channel. I have two questions regarding this topic:

  1. Can the instance be configured to have a queue in order to ensure the correct message order ? 
  2. Can a slackask task be sent with all the relevant information and once clicked, the original message (Incident Summary) remains ?

I understand this is a bit of a complicated process. I can show my flow regarding this topic and further information if it helps. 

Thanks All

Cortex XSOAR 

 

PCSAE
8 REPLIES 8

L5 Sessionator

Hi @michaelsysec242, I don't think there is a method to do this via XSOAR. Notification and responses will get jumbled with multiple active incidents. For the ask response part at least you might be able to use the Demisto lock integration. It will work similar to queuing.

 

You can create the lock name using the username(Slack User) and Channel(Slack Channel). When a different incident tries to contact the same user via Slack, it will have to wait for the lock to be released or expire. The user is then engaged for 1 incident at a time.  

Thanks @jfernandes1 for the advice I will implement it and test for results. 

PCSAE

L1 Bithead

@michaelsysec242 were you able to find the solution?

We have a requirement to create an incident by taking the slack user responses? Can you help with this?

Hi @KHassan, you should ask this questions in a new conversation. But the short answer is yes, once you have Slack configured correctly, meaning that the a user can send messages to the bot. You can run the command "new incident name=test type=Unclassified" from the XSOAR Slack channel. This should create an incident in XSOAR, once the base incident is created, you can trigger a playbook to use the AskSlack to get additional details from the end user. You can also use the Slack Blocks feature to create a form. Refer - https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-teaching-xsoar-a-few-...

 

Maybe this is the long answer!

@jfernandes1 , yes I am able to create an incident from slack into XSOAR. The issue is the incident created always has type=unclassified in xsoar, but it would ne nicer to have the type , reflect one of the xsoar incident types and that way I can map it to run the playbook automatically. The isuue with type=unclassified is it gets mixed with other incidents from other integrations, which will cause a confusion.

L5 Sessionator

Hi @KHassan, You can override the incident type selected in the integration configuration. Like below.

Screenshot 2024-04-25 at 12.06.40 AM.png

 

You can also specify other incident types. An example command is below. Please note, that this will only work if the "Incident type" setting is set to "No incident type" in the integration configuration. 

new incident name=Test Incident type=Lateral Movement

L1 Bithead

@jfernandes1 which xsoar version are you using? I guess it must be 6 , because the version 8 doesnt have the option to map the classification/incident type/mapper option available in the integration page.

L5 Sessionator

Hi @KHassan, I just noticed this. I think you will need to create a support case for this. 

  • 2238 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!