Incydr Flow: Slack

Overview

This article explains how to configure the Incydr Flow for Slack. The steps below show you the configuration requirements for both Slack and Incydr. 

The Incydr Flow for Slack publishes Incydr alerts to a Slack channel or direct message. Users with access to the Slack channel can then take the following direct action on the alert from within Slack:

• Open the alert in the Incydr console to investigate in more detail
• Send a direct message to the user in Slack
• Close the alert

Considerations

• You must be licensed for the Slack Flow to complete the steps below. Contact your Customer Success Manager (CSM) if you have questions about licensing.

Part 1: Slack configuration

Work with your Slack administrator to complete the steps below.

Step 1: Create a Slack app

1. Sign in to Slack at https://api.slack.com/apps.
2. Select Create an App.
3. Select From scratch.
4. Enter a name for the app (for example, "Incydr alert triage").
5. Select the workspace for this app.
6. Select Create App.
   The Building Apps for Slack window appears.
7. Select Incoming Webhooks.
8. Set Activate Incoming Webhooks toggle to On.
9. Click Add new webhook to workspace and select the Slack channel to receive the alerts.
10. Click Save.

Step 2: Configure OAuth and Permissions

1. From the menu on the left, select OAuth & Permissions.
2. Scroll down to Scopes > Bot Token Scopes.
3. Select Add an OAuth Scope.
4. From the dropdown menu, select chat:write.
   A message appears prompting you to reinstall the app you created above.
5. Click the link in the message.
6. Reselect the target channel, then select Allow.
   After reinstalling, an OAuth token appears.
7. Save the Bot User OAuth Token in a secure location for future reference.
   This token is required in the steps below to enable the Flow in the Incydr console, as well as to update settings after the initial setup.

Step 3: Add the Slack app to the target channel

In addition to selecting the target channel in the steps above, you must also explicitly add the app to the target channel. 

1. From the list of channels in your Slack workspace, right-click the target channel and select View channel Details.
2. Select the Integrations tab.
3. In the Apps section, select Add an app.
4. Search for the name of the app you created above (for example, "Incydr alert triage").
5. Select your app and click Add.

Step 4: Add the Request URL for Incydr interactivity

1. Sign in to the Incydr console.
2. Go to Administration > Integrations > Incydr Flows.
3. Select the Slack Flow.
4. Copy the Request URL.
5. Sign in to Slack at https://api.slack.com/apps.
6. From the menu on the left, go to Features > Interactivity & Shortcuts.
7. If necessary, toggle Interactivity to On.
8. Paste the Request URL obtained from the Incydr console.

Part 2: Incydr configuration

Step 1: API client setup

Create a new Incydr API client:

1. Sign in to the Incydr console.
2. Go to Administration > Integrations > API Clients.
3. Select Create new API client.
4. Enter a name specific to this Flow (for example, "Slack alert triage").
5. Add these permissions:
   • Alert Rules - Read
   • Alerts and Sessions - Read and Write
   • User - Read
6. Save the Client ID, Secret, and Base URL in a secure location for future reference.
   The Incydr API client credentials are required to initially enable the Flow in the Incydr console, as well as to update settings after the initial setup.

Step 2: Slack Flow setup

1. In the Incydr console, go to Administration > Integrations > Incydr Flows.
2. Select the Slack Flow.
3. Complete these fields:
   • Slack OAuth token: Enter the token created above in step 1.2.7.
   • Slack channel name: Enter the name of the target channel you selected above in step 1.1.9. Do not include the # prefix.
   • Incydr API client ID: Enter the Incydr API Client ID obtained in step 2.1.6 above.
   • Incydr API client secret: Enter the Incydr API Secret obtained in step 2.1.6 above.
   • Incydr base URL: Enter the Base URL obtained in step 2.1.6 above. You can also obtain the Base URL by identifying the URL for your Incydr cloud environment.
   • Scheduled interval in minutes: Select how often to run the Flow.
     • The default is 60 minutes.
     • The minimum allowed value is 5 minutes.
     • The maximum allowed value is 1440 minutes (24 hours).
   • Webhook Setup URL Acknowledgment: Select Yes after adding the Request URL to Slack in step 1.4.8 above.
4. Click Submit.

Part 3: Review Incydr alerts in Slack

Upon completion of the setup steps above, Incydr alerts will begin appearing in the target Slack channel. For each alert, you have the option to:

• Investigate in Incydr: Opens the alert in the Incydr console.
• Send message to user: Opens a message template in Slack to help you draft a direct message to the user. 
  Messages are not sent automatically; you must review (and optionally customize) the template text before sending the message.
• Close as true positive: Changes the status of the alert to Closed - True positive. Use this for alerts that represent a valid risk.
• Close as false positive: Changes the status of the alert to Closed - False positive. Use this for alerts that do not present a valid risk.

Related topics

• Introduction to Incydr Flows
• Configure Incydr Flows
• API clients