This tutorial demonstrates several useful Slack use cases to help you get started and give you ideas for using Slack in your Torq workflows.
Go here to learn how to set up the available Slack integrations. Continue reading to get an idea of what you can do with them.
The following Slack chatbot use cases are covered in this tutorial:
The tutorial is based on an example workflow triggered when a user runs a command in Slack to investigate a URL (or a list of URLs). The workflow loops over the URLs provided by the user, scans each URL with VirusTotal after getting the user's confirmation, attempts to retrieve the analysis results, and offers to continue the investigation when relevant.
Trigger a Torq Workflow by Running a Command in Slack
You can trigger Torq workflows without leaving Slack. Follow these instructions to set up a Slack Slash Commands integration and create a new Slack slash command: check-url.
After you create the check_url Slack slash command, you can use it to trigger a Torq workflow from Slack.
Run the slash command in the channel where you want to receive the investigation results.
The Slack slash commands integration you created can be used as a trigger in a Torq workflow.
You can add a condition to the trigger so that the workflow is triggered only when the check_url command is used. The condition ensures nothing else triggers this workflow. You can add as many unique commands as you need to trigger different workflows.
A new trigger event is created when you run the slash command in Slack. You can view the event JSON to see what information you now have at your disposal to use for the URL investigation.
Extract the URLs from the command by using $.event.text.
The next section includes another example of how you can further use the information.
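The value of $.event.text is free-form user input, so it is worth validating before each item is sent for scanning. The following Python sketch is an added example, not part of the original tutorial or of Torq; the function name, the URL cap, and the sample event are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

MAX_URLS = 10  # assumed cap so one command cannot fan out into unbounded scans
# Slack may render links as <https://host/path|label>; keep only the target.
SLACK_LINK = re.compile(r"<([^<>|\s]+)(?:\|[^<>]*)?>")


def extract_urls(event_text):
    """Return (accepted, rejected) URL lists from a slash command's text field."""
    text = SLACK_LINK.sub(r"\1", event_text or "")
    accepted, rejected = [], []
    for token in re.split(r"[\s,]+", text.strip()):
        if not token:
            continue
        try:
            parts = urlsplit(token)
        except ValueError:  # e.g. malformed IPv6 literal
            rejected.append(token)
            continue
        ok = (
            parts.scheme in ("http", "https")   # only web URLs are scanned
            and parts.hostname                  # must name a host
            and "@" not in parts.netloc         # refuse userinfo such as user@host
            and len(token) <= 2048
        )
        if ok and token not in accepted and len(accepted) < MAX_URLS:
            accepted.append(token)              # duplicates are dropped silently
        elif not ok:
            rejected.append(token)
    return accepted, rejected


# Constructed sample of the trigger event; field names follow the tutorial
# ($.event.text, $.event.user_name, $.event.channel_id).
SAMPLE_EVENT = {
    "command": "/check_url",
    "text": "https://example.com/login, <http://test.example.org/a|test.example.org/a> "
            "not-a-url ftp://files.example.net https://example.com/login",
    "user_name": "analyst",
    "channel_id": "C0000000000",
}
```

Reporting the rejected items back to the user in the confirmation message makes it clear which inputs were not scanned.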
Send a Slack Message
You can use the Send Message step in your Torq workflow to send a direct message to a user or a general message to a Slack channel.
The example below shows how you can use the trigger event JSON information to send a confirmation message.
Use $.event.channel_id with the hashtag symbol (#) as a prefix in the RECIPIENT field to send the message in the channel where the slash command was used to trigger the workflow.
Use ##{{ $.event.user_name }} to mention the user who triggered the workflow.
You can also use $.event.user_id as input for the Get User Details by ID step to get the email of the user who triggered the workflow. This email can then be used in the RECIPIENT field of a Send Message step to send a direct message.
Click the cogwheel icon to see a complete list of optional parameters for the Send Message step.
Send a Slack Question (Basic)
You can use the Ask a Question step in your Torq workflow to send a Slack message that contains a question and saves the user's response. The user response can then be used to direct your workflow.
Let's return to the example workflow. You can loop over the URLs extracted from the user's Slack command and confirm whether a VirusTotal scan is required for each.
The question can be sent to the Slack channel the workflow was originally triggered from, or directly to a user.
You need to provide the responses the user can choose from and select whether they are presented as buttons, a single-select, or a multi-select. There are also a few more optional parameters you can use.
The question is then sent to the user in the specified Slack channel.
The user response can be referenced by using $.ask_a_question.slack_response. If the user responds with Yes, the URL is scanned with VirusTotal.
Send a Slack Question (Advanced)
Retrieving the VirusTotal results may take time, so if the scan isn't complete upon the first check, you may want to offer the user the option to wait an additional period for the scan results. You can add another Ask a Question step to notify the user that the scan didn't finish and ask them if they would like to keep waiting.
The possible responses are Yes and No. If the user responds No, no additional information is required, and the workflow can continue. If the user responds Yes, you can ask the user how long they want to wait. This can be done by setting the optional RESPONSES_REQUIRING_NOTE parameter. In this example, the response that requires a note is Yes. In addition, the optional THREAD_TS parameter is set to $.ask_a_question.ts, which ensures the question continues the original URL scan thread.
The user is asked to specify the waiting period in seconds.
The user response to the note is used in the workflow as the duration for a Wait operator: $.ask_a_question.note_response.
Send a Slack Message Block
You can use the Send Slack Message Blocks step to send a block message. A Slack block message is a richer, structured message that can include a title, links, multiple questions, and so on. We recommend following the Slack Block Kit tutorial to build the block you need. Afterward, copy the generated payload and paste it into the Blocks parameter of the step, and the message is sent to the channel or recipient.
Monitor a Slack Channel
You can use the Custom Slack Events integration to trigger Torq workflows for different events in Slack. For example, you can monitor a Slack channel and perform actions in Torq according to the messages' content.
Follow these instructions to set up a Custom Slack Events integration.
To monitor public channels, subscribe to the message.channels event. To monitor private channels, subscribe to the message.groups event (with the groups:history permission).
To monitor a private channel, add the Torq app/bot you created to the channel.
Let's return to the example workflow. If the VirusTotal scan returns no data or the URL is found to be harmless, the user is prompted with a message suggesting that they investigate the URL further with a different vendor by replying with a message in this format: Check URL <URL> with <vendor>.
The user can reply in the thread or send a message in the channel.
Since you're subscribed to the message.channels event, sending the message is a triggering event.
You can create an additional workflow that uses the custom Slack Events integration as a trigger. This workflow monitors the #security Slack channel and catches messages that contain the "check URL" string.
Next, the vendor name is extracted from the Slack message. The URL is checked by the additional vendor, and the information is returned to the same Slack channel. This concludes the URL investigation.
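Because the prompt the workflow posts quotes the same "Check URL ... with ..." text that the monitoring workflow matches on, the trigger should ignore bot-authored messages and accept only known vendors. The following Python sketch is an added example, not part of the original tutorial or of Torq; the vendor names, function name, and sample events are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist: placeholder names standing in for the vendor integrations
# you actually have; anything else is refused rather than guessed.
ALLOWED_VENDORS = {"vendor-a", "vendor-b"}
# The tutorial's reply format: Check URL <URL> with <vendor>
FOLLOW_UP = re.compile(
    r"^\s*check url\s+<?([^\s<>|]+)(?:\|[^<>]*)?>?\s+with\s+([\w.-]+)\s*$",
    re.IGNORECASE,
)


def parse_follow_up(event):
    """Return (url, vendor) for a valid human request, else None."""
    # Skip bot-authored and subtyped (edited, system) messages so the
    # workflow's own prompt cannot re-trigger the workflow in a loop.
    if event.get("bot_id") or event.get("subtype"):
        return None
    match = FOLLOW_UP.match(event.get("text", ""))
    if not match:
        return None
    url, vendor = match.group(1), match.group(2).lower()
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if vendor not in ALLOWED_VENDORS:
        return None
    return url, vendor


# Constructed sample events shaped like Slack message events.
HUMAN_EVENT = {
    "type": "message", "channel": "C0000000000", "user": "U0000000001",
    "text": "Check URL <https://example.com/login> with vendor-a",
    "ts": "1700000000.000100",
}
BOT_PROMPT_EVENT = {
    "type": "message", "channel": "C0000000000", "bot_id": "B0000000001",
    "text": "Check URL https://example.com/login with vendor-a",
    "ts": "1700000000.000200",
}
```

Anchoring the pattern to the whole message, rather than testing for the "check URL" substring alone, also keeps ordinary conversation that mentions the phrase from starting a scan.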