Action Type: Slack
Security Requirements and Controls
Change triggers and actions
permission
The Slack Action allows you to notify one or more channels in your Slack workspace upon notifier invocation.
Figure 206. Configuring Falcon LogScale Slack Action
Creating a Slack App
Before you can create your Slack Action within LogScale, you must configure your Slack workspace by creating a new app in your Slack account. You have to be an admin in Slack to create a new app.
To do this:
Go to Slack Apps Directory and follow the steps:
Figure 207. Creating a new app in Slack
Click
.Enter a name for the app and pick the workspace you want to message with your Action, e.g. CrowdStrike.
Click
.
You now have a new app connected to your workspace. This needs to be configured in one of two ways, depending on how you want to send messages to Slack from LogScale. These are described in the following subsections.
Incoming Webhook - Single Slack Channel
If you want your Action to send messages only to a single Slack channel upon invocation, you need to configure your app with an Incoming Webhook. To do this:
In the Slack api page, go to → of your new Slack app
Figure 208. Configure your App Settings in Slack
From the Add features and functionality section, go to Incoming Webhooks
Set Activate Incoming Webhooks to On.
Click
.In the Request to install New App dialog, add a message for the Administrator.
Click
.Make a note of the newly generated URL listed under the Webhook URL section: you will need it when configuring the Action in LogScale.
OAuth Scope - Multiple Slack Channels
If you want your Action to send messages to multiple Slack channels on a single invocation, you need to configure your app with an OAuth Scope. To do this:
In the Slack api page, go to → of your new Slack app
- go to (see
You are now in the OAuth&Permissions page: under Scopes → Bot Token Scopes click and enter
chat:write.public
as a new OAuth scope.Figure 209. Add an OAuth Scope in Slack
If this is the first permission you are adding to the app, click
.Make a note of the OAuth token displayed under Tokens for your workspace.
Creating a Slack Action in LogScale
Go to LogScale and create a new Slack action as described in Creating Actions.
Configure your Slack Action in the form shown in Figure 206, “Configuring Falcon LogScale Slack Action”.
If you configured Slack with an Incoming Webhook - Single Slack Channel choose and fill in the related fields (see table below).
If you configured Slack with an OAuth Scope - Multiple Slack Channels choose the option and fill in the related fields (see table below).
Parameter | Description |
---|---|
Name | The name provided for the Slack action. |
Slack Webhook Url | Available if Incoming Webhook - Single Slack Channel. | is selected. Enter the Webhook URL you have previously noted when configuring
Slack OAuth Token | Available if OAuth Scope - Multiple Slack Channels | is selected. Enter the token you have previously noted when configuring
Slack Channels | Available if | is selected. Specify the channels, separated by commas.
Fields | If needed, fields can be configured to customize the message that is sent to Slack when triggered. Use Message Templates and Variables to create the message. |