Stopped on waiting

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Stopped on waiting

L1 Bithead

Trying to learn how to use this thing.  I've got a very simple playbook set up that uses the Slack integration to send a simple yes/no prompt to a user.  Within the Playground, I'm able to successfully send simple messages via slack, so the connection appears to be good, but every time I run the playbook I just get 'Incident playbook task "Ask user a question" stopped on waiting' - no Yes/No prompt, nothing from my 'message' param.  Any suggestions?

15 REPLIES 15

L3 Networker

Hey @jhargrove1 ,

 

Can you confirm which version of the Slack integration you are using? Is it Slack (deprecated) or Slack v2? 

L1 Bithead

v2 - not the deprecated one.

L3 Networker

Ok awesome. Please verify what you have in the integration instance setting for parameter "Dedicated Slack channel to receive notifications" and whether the "Send notifications about incidents to the dedicated channel" checkbox is checked.

L1 Bithead

I do not...and that's not an option or what I was asked to do.  This is to send notifications from the 'cortex_xsoar' slack app to a list of designated users.

 

My current setup is a single conditional task, with the 'Ask' radio button clicked, using the SlackV2 integration, to send a message to a list of test users. Message body is "Please choose an option" and the 'Reply Options' are 'Yes' and 'No'.

 

Screen Shot 2021-11-08 at 10.39.01 AM.png

L3 Networker

Thanks for clarifying @jhargrove1 . I just tested this in my instance and I am receiving private notifications from the cortex_soar app in my configured workspace, for an incident. 

In your list of testUsers, do you have the usernames/email separated by commas or new lines? If it is new lines, please try with comma separated values. Also verify if the type of that list is Text. 

L1 Bithead

The current list is just a single user - no whitespace or delimiters. 

L3 Networker

Are you using an email or a username? 

L1 Bithead

A slack username.  If I use the integration within the Playground, I can send myself messages from the cortex_xsoar slack app, so the app appears to be configured properly and does work during that test.  It's only when running the playbook manually via the playbook editor UI that I encounter this issue where I get no yes/no buttons.

L3 Networker

Got it, I tested with username as well, it works with send-notification but not with Slack Ask. I would recommend using email instead as that worked for me. In the meantime, I will verify whether this is a bug that needs fixing, or a feature request to support usernames in Slack Ask. I'll keep you posted.

L1 Bithead

That is strange as I was under the impression I was just fixing a broken but previously working thing.  I have screenshots from slack that show this as working...but I don't know all the details.  Thanks for checking though!

L3 Networker

Hi @jhargrove1 , I was able to identify the difference between the send-notification command in the CLI v/s Slack Ask. The username passed in the CLI is the slack username whereas the playbook is using the XSOAR username. So under User Preferences, you should have an email setup for this to work (it will be admin@company.com  by default). I will work with our team to update the documentation. 

 

Please let me know if that works for you.

L1 Bithead

Don't really understand that.  I'm just using my name, which is my slack name.  As mentioned, I do receive messages from xsoar, but they're just errors.  My user, as the only string in the test users list, is the only person receiving these error messages, so I'm pretty sure that's all working.  Email isn't a part of this at all - though I do get essentially the same error data in my email inbox as well as slack.

L3 Networker

Hi @jhargrove1 , that email/slack of 'Incident playbook task "Ask user a question" stopped on waiting' isn't an error. This is a server notification. These are configured under User Preferences. So if you're the owner of an incident, you will get notified of playbook tasks waiting for manual input or stuck in error state, depending on your user notification preferences - https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/users-and-roles/configu...

 

Now the username that you need to configure for the slack ask task needs to be your XSOAR username. You can find that under Settings-Users and Roles. Also, under user preferences you need to make sure your profile has your email listed. The Slack Ask task uses the XSOAR Users list to lookup your email and sends the notification to that email. It is not by Slack username.

L1 Bithead

Hmm.  So, first paragraph there - how do I actually test the buttons then? 

Second paragraph - our org is something like 3000 users who we sometimes send slack messages to, asking them to confirm or deny some IOC.  None of these users exist in xsoar.  Why would SlackAsk have anything to do with email addresses if I'm not using the email option?  Again, sending myself a simple message via Playground to my slack user works just fine, so actually getting data from xsoar to slack seems to work just fine, it's just the explicit data I'm trying to test with isn't making it from the playbook to the user.  If the expected outcome here is just that testing the playbook doesn't actually fully test the playbook, that's an answer I can accept, though it seems like that means you can't really test things the way I expected to.

  • 5571 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!