Login
Contents x
Slack chatbot
  • 20 Feb 2024
  • 5 Minutes to read
  • Dark
    Light
Contents

Slack chatbot

  • Updated on 20 Feb 2024
  • 5 Minutes to read
  • Dark
    Light
Article Summary

This tutorial demonstrates several useful Slack use cases to help you get started and give you ideas for how you can use Slack in your Torq workflows.

Go here to learn how to set up the available Slack integrations. Continue reading to get an idea of what you can do with them.

The following Slack chatbot use cases are covered in this tutorial:

The tutorial is based on an example workflow that is triggered when a user runs a command in Slack to investigate a URL (or a list of URLs). The workflow loops over the URLs provided by the user, scans each URL with VirusTotal after getting the user confirmation, attempts to retrieve the analysis results, and offers to continue the investigation when relevant.

Trigger a Torq workflow by running a command in Slack

You can trigger Torq workflows without leaving Slack. Follow these instructions to set up a Slack Slash Commands integration and create a new Slack slash command: check-url.

Screenshot of the Slack API slash commands page

After you create the check_url Slack slash command you can use it to trigger a Torq workflow from Slack.

Run the slash command in the channel you want to get the investigation results in.

Screenshot of a channel called Security within the Slack App. A message containing the slack command and a URL is being written in the channel

The Slack slash commands integration you created can be used as a trigger in a Torq workflow.

You can add a condition to the trigger. The workflow should only be triggered if the check_url command was used. By adding the condition, you're ensuring nothing else will trigger this workflow. You can add as many unique commands as you would like to trigger different workflows.

Screenshot of the Torq App with a close up on the Slack Slash Commands trigger

A new trigger event is created when you run the slash command in Slack. You can view the event JSON to see what information you now have at your disposal to use for the URL investigation. 

Screenshot of the Torq app showing the Slack Slash Commands trigger's event log

The event JSON given from the trigger


Extract the URLs from the command by using $.event.text

Screenshot of the Extract all URLs step


The next section includes another example of how you can further use the information. 

Send a Slack message

You can use the Send Message step in your Torq workflow to send either a direct message to a user or a general message to a Slack channel. 

Follow these instructions to set up a Slack step integration. 

The example below shows how you can use information from the trigger event JSON to send a confirmation message. 

Use $.event.channel_id with the hashtag symbol (#) as a prefix in the RECIPIENT field to send the message in the channel the slash command was used to trigger the workflow.

Use  {{ $.event.user_name }}  to mention the user who triggered the workflow.  

You can also use  $.event.user_id  as input for the Get User Details by ID step to get the email of the user who triggered the workflow. This email can then be used in the RECIPIENT field of a Send Message step to send a direct message. 


Send Message in Slack step with arrows pointing to the recipient and message fields

Click the cogwheel icon to see a complete list of optional parameters for the Send Message step. 

Screenshot of the further parameters available in the Slack Send Message step

Send a Slack question (Basic)

You can use the Ask a Question step in your Torq workflow to send a Slack message that contains a question and saves the user's response. The user response can then be used to direct your workflow. 

Let's return to the example workflow. You can loop over the URLs extracted from the user Slack command and confirm whether a ViriusTotal scan is required for each one.

Screenshot of the Torq app showing the step Loop over URLs and the Slack Ask a Question step

The question can be sent to the Slack channel the workflow was originally triggered from, or directly to a user. 

You need to provide the responses the user can choose from, and select if they will be presented as buttons or single or multi-select. There are also a few more optional parameters for you to utilize if you choose. 

Close up on the parameters for the Slack automated Send Message Step

The question is then sent to the user in the specified Slack channel. 

Screenshot of the Slack App in a channel named Security with an automated message highlighted asking the user to confirm the URL check

The user response can be referenced by using $.ask_a_question.slack_response. If the user responds with Yes, the URL is scanned with VirusTotal. 

The Torq app, showing the If condition, which leads into a VirusTotal Scan step and a Loop Analyzing the results

Send a Slack question (Advanced)

Retrieving the ViriusTotal results may take time, so if the scan isn't complete upon the first check, you may want to offer the user the option to wait an additional period for the scan results. You can add another Ask a Question step to notify the user that the scan didn't finish, and ask them if they would like to keep waiting. 

The Torq app, showing VirusTotal Get Results step -> If condition -> Slack Ask a Question Step -> If condition -> Wait condition

The possible responses are Yes and No. If the user responds No, no additional information is required and the workflow can continue. If the user responds Yes, you can ask the user how long they want to wait. This can be done by setting the optional RESPONSES_REQUIRING_NOTE parameter - in this example, the response that requires a note is Yes. In addition, the optional THREAD_TS parameter is used and the input $.ask_a_question.ts which ensures the question will continue the original URL scan thread. 

The further parameters of the Slack Ask a Question step

The user is asked to specify the waiting period in seconds. 

Screenshot of the Slack conversation with an arrow pointing to the continuation of the thread where the bot asks if the user would like to wait for the scan to complete. There are two buttons to select an answer from

A popup in the Slack app with a text box the user enters 300 to tell the bot to wait another 300 seconds

The user response to the note is used in the workflow as the duration for a Wait operator: $.ask_a_question.note_response.


The Wait condition in the Torq app where the duration field is filled out by the Slack Note Response

Monitor a Slack channel and act based on message content

You can use the Custom Slack Events integration to trigger Torq workflows for different events in Slack. For example, you can monitor a Slack channel and perform actions in Torq according to the content of the messages sent in it. 

Follow these instructions to set up a Custom Slack Events integration. Subscribe to the messages.channels event. 

The Slack settings page, showing the Event Subscription page


Let's return to the example workflow. If the VirusTotal scan returns no data or the URL is found to be harmless, the user is prompted with a message suggesting to further investigate the URL using a different vendor by replying with a message that has this format: Check URL <URL> with <vendor>. 

The Slack Send a Message step, showing the message that will send if VirusTotal does not return information from a security check

The user can reply in the thread or send a message to the channel. 

The Slack app with a message highlighted that says Check URL with a link for the Torq documentation and RecordedFuture

Since you're subscribed to the channel.message event, sending the message is a triggering event. 

You can create an additional workflow that uses the custom Slack Events integration as a trigger. This workflow monitors the #security Slack channel and catches messages that contain the "check URL" string. 

The Torq App showing the Custom Slack Events trigger with arrows pointing to the channel and text fields

Next, the vendor name is extracted from the Slack message. The URL is checked by the additional vendor and the information is returned to the same Slack channel. This concludes the URL investigation. 

The Torq app on the If condition, renamed to If using RecordedFuture



Was this article helpful?
What's Next
Change password!
Changing your password will log you out immediately. Use the new password to log back in.
Change profile
Success!
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
Logout