
The Slack V3 content pack can mirror an investigation between Slack and the Cortex XSOAR War Room, so analysts can work in the platform of their choice and have every action mirrored on the other.

This pack is designed to increase communication and collaboration across your SOC team. It integrates with Slack's services to investigate failed login events and to run create, read, update and delete operations for employee lifecycle processes. The Slack V3 content pack lets you interact with the Slack API, collecting logs and sending messages and notifications to your Slack workspace. Data collection is critical during incident response, and Slack blocks can give SOC teams genuinely useful, interactive workflows.

However, you shouldn't have to be a Slack power user to take advantage of everything Slack blocks can provide. Because building block-based workflows was hard, it became fairly common for SOC engineers to use the SlackV3 content pack purely as a notification utility. Creating standalone SlackAsk tasks had a steep learning curve: engineers had to build manual playbooks to collect all the information needed for incident handling, and in most cases SlackAsk does not surface enough information for an analyst investigation, since it focuses mainly on binary "yes/no" questions.

Socket Mode

As noted in Slack's documentation, for most applications Socket Mode is a better way to communicate with Slack. Socket Mode authenticates with an app-level token (an xapp- token carrying the connections:write scope) instead of exposing a public request URL, so that token must be kept out of source control and the built binary. When using Socket Mode, dealing with an event can be fairly lengthy, because you have to route each event to the right place yourself and acknowledge every envelope you receive. Instead, you can use SocketmodeHandler much like an HTTP handler: register which event you would like to listen to and which callback function will process that event when it occurs. See Socketmode Event Handler (Experimental) and examples/socketmode_handler/socketmode_handler.go.

A surviving fragment of the README's user-lookup example, re-fenced here with the argument list completed from its format verbs (the text after `user.` was cut off on the page; `user` is assumed to be a *slack.User, for example the value returned by api.GetUserInfo):

```go
// user is assumed to be a *slack.User (e.g. from api.GetUserInfo); the
// arguments after "user." were cut off on the page and are reconstructed
// from the "ID", "Fullname" and "Email" format verbs.
fmt.Printf("ID: %s, Fullname: %s, Email: %s\n", user.ID, user.Profile.RealName, user.Profile.Email)
```

Contributing

You are more than welcome to contribute to this project. Make a Pull Request, or create an Issue if you see any problem.
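To make the "register a callback per event type" idea concrete, here is an added, stand-alone example; it is not slack-go's SocketmodeHandler nor any code from the project, and it uses only the Go standard library so it runs offline. The `Router`, `Dispatch`, `Handle`/`HandleEvent` names and the `allowedTeam` policy are this example's own assumptions. The envelope fields it parses (`envelope_id`, `type`, `payload`) and the rule that every envelope must be acknowledged or Slack redelivers it are Slack's Socket Mode behaviour; the workspace allow-list and the `event_id` de-duplication are extra checks a practitioner would add, not something the page describes. The sample envelope is constructed, not a real capture.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sync"
)

// Envelope is the outer message Slack delivers over a Socket Mode connection;
// only the fields this example routes on are declared.
type Envelope struct {
	EnvelopeID string          `json:"envelope_id"`
	Type       string          `json:"type"` // "events_api", "interactive", "slash_commands", ...
	Payload    json.RawMessage `json:"payload"`
}

// EventsAPIPayload is the subset of an "events_api" payload needed for routing.
type EventsAPIPayload struct {
	TeamID  string                                     `json:"team_id"`
	EventID string                                     `json:"event_id"`
	Event   struct{ Type, User, Channel, Text string } `json:"event"`
}

// Ack is the reply Slack expects for every envelope; unacknowledged envelopes
// are redelivered, so the router acks even when no handler matches.
type Ack struct {
	EnvelopeID string `json:"envelope_id"`
}

type EnvelopeHandler func(env *Envelope) error
type EventHandler func(env *Envelope, p *EventsAPIPayload) error

// Router registers callbacks by envelope type or by inner event type, the way
// an HTTP mux registers handlers by path, and dispatches envelopes to them.
type Router struct {
	allowedTeam string // hypothetical policy: only act on events from this workspace
	byEnvelope  map[string]EnvelopeHandler
	byEvent     map[string]EventHandler
	mu          sync.Mutex
	seen        map[string]bool // event_ids already handled, so redeliveries are dropped
}

func NewRouter(allowedTeam string) *Router {
	return &Router{allowedTeam: allowedTeam, byEnvelope: map[string]EnvelopeHandler{},
		byEvent: map[string]EventHandler{}, seen: map[string]bool{}}
}

func (r *Router) Handle(envelopeType string, h EnvelopeHandler) { r.byEnvelope[envelopeType] = h }
func (r *Router) HandleEvent(eventType string, h EventHandler)  { r.byEvent[eventType] = h }

// Dispatch parses one raw envelope, routes it, and returns the ack bytes to send
// back over the socket. handled reports whether a registered callback ran.
func (r *Router) Dispatch(raw []byte) (ack []byte, handled bool, err error) {
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil || env.EnvelopeID == "" {
		return nil, false, errors.New("malformed envelope") // nothing to ack
	}
	ack, _ = json.Marshal(Ack{EnvelopeID: env.EnvelopeID})
	if h, ok := r.byEnvelope[env.Type]; ok {
		return ack, true, h(&env)
	}
	if env.Type != "events_api" {
		return ack, false, nil // acked, but nobody registered for this type
	}
	var p EventsAPIPayload
	if err := json.Unmarshal(env.Payload, &p); err != nil {
		return ack, false, fmt.Errorf("bad events_api payload: %w", err)
	}
	if p.TeamID != r.allowedTeam {
		return ack, false, errors.New("event from unexpected team " + p.TeamID)
	}
	h, ok := r.byEvent[p.Event.Type]
	if !ok {
		return ack, false, nil
	}
	r.mu.Lock()
	dup := r.seen[p.EventID]
	r.seen[p.EventID] = true
	r.mu.Unlock()
	if dup {
		return ack, false, nil // redelivery of an event already processed
	}
	return ack, true, h(&env, &p)
}

// sampleEnvelope is a constructed app_mention envelope, not a real capture.
const sampleEnvelope = `{"envelope_id":"e4d3c2b1-0000-4000-8000-000000000001","type":"events_api",
 "payload":{"team_id":"T0EXAMPLE","event_id":"Ev0EXAMPLE1",
  "event":{"type":"app_mention","user":"U0EXAMPLE","channel":"C0EXAMPLE","text":"<@U0BOT> triage alert 42"}}}`

func main() {
	r := NewRouter("T0EXAMPLE")
	r.HandleEvent("app_mention", func(env *Envelope, p *EventsAPIPayload) error {
		fmt.Printf("mention in %s from %s: %q\n", p.Event.Channel, p.Event.User, p.Event.Text)
		return nil
	})
	ack, handled, err := r.Dispatch([]byte(sampleEnvelope))
	fmt.Println(string(ack), handled, err)
}
```

The design point is that acknowledgement is separated from handling: the ack goes back for every well-formed envelope, including ones the app ignores or rejects, so a slow or crashing handler never causes Slack to redeliver the same event in a loop, while the allow-list and de-duplication decide whether anything is acted on. With the real library the same shape applies, except that the callback acknowledges through the socket client (in slack-go, `client.Ack(*evt.Request)`) rather than returning the bytes.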
