Trying to learn how to use this thing. I've got a very simple playbook set up that uses the Slack integration to send a simple yes/no prompt to a user. Within the Playground, I'm able to successfully send simple messages via slack, so the connection appears to be good, but every time I run the playbook I just get 'Incident playbook task "Ask user a question" stopped on waiting' - no Yes/No prompt, nothing from my 'message' param. Any suggestions?
I do not...and that's not an option or what I was asked to do. This is to send notifications from the 'cortex_xsoar' slack app to a list of designated users.
My current setup is a single conditional task, with the 'Ask' radio button clicked, using the SlackV2 integration, to send a message to a list of test users. Message body is "Please choose an option" and the 'Reply Options' are 'Yes' and 'No'.
Thanks for clarifying @jhargrove1 . I just tested this in my instance and I am receiving private notifications from the cortex_soar app in my configured workspace, for an incident.
In your list of testUsers, do you have the usernames/email separated by commas or new lines? If it is new lines, please try with comma separated values. Also verify if the type of that list is Text.
A slack username. If I use the integration within the Playground, I can send myself messages from the cortex_xsoar slack app, so the app appears to be configured properly and does work during that test. It's only when running the playbook manually via the playbook editor UI that I encounter this issue where I get no yes/no buttons.
Got it, I tested with username as well, it works with send-notification but not with Slack Ask. I would recommend using email instead as that worked for me. In the meantime, I will verify whether this is a bug that needs fixing, or a feature request to support usernames in Slack Ask. I'll keep you posted.
Hi @jhargrove1 , I was able to identify the difference between the send-notification command in the CLI v/s Slack Ask. The username passed in the CLI is the slack username whereas the playbook is using the XSOAR username. So under User Preferences, you should have an email setup for this to work (it will be email@example.com by default). I will work with our team to update the documentation.
Please let me know if that works for you.
Don't really understand that. I'm just using my name, which is my slack name. As mentioned, I do receive messages from xsoar, but they're just errors. My user, as the only string in the test users list, is the only person receiving these error messages, so I'm pretty sure that's all working. Email isn't a part of this at all - though I do get essentially the same error data in my email inbox as well as slack.
Hi @jhargrove1 , that email/slack of 'Incident playbook task "Ask user a question" stopped on waiting' isn't an error. This is a server notification. These are configured under User Preferences. So if you're the owner of an incident, you will get notified of playbook tasks waiting for manual input or stuck in error state, depending on your user notification preferences - https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/users-and-roles/configu...
Now the username that you need to configure for the slack ask task needs to be your XSOAR username. You can find that under Settings-Users and Roles. Also, under user preferences you need to make sure your profile has your email listed. The Slack Ask task uses the XSOAR Users list to lookup your email and sends the notification to that email. It is not by Slack username.
Hmm. So, first paragraph there - how do I actually test the buttons then?
Second paragraph - our org is something like 3000 users who we sometimes send slack messages to, asking them to confirm or deny some IOC. None of these users exist in xsoar. Why would SlackAsk have anything to do with email addresses if I'm not using the email option? Again, sending myself a simple message via Playground to my slack user works just fine, so actually getting data from xsoar to slack seems to work just fine, it's just the explicit data I'm trying to test with isn't making it from the playbook to the user. If the expected outcome here is just that testing the playbook doesn't actually fully test the playbook, that's an answer I can accept, though it seems like that means you can't really test things the way I expected to.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!