Action Type: Slack

Security Requirements and Controls

The Slack Action allows you to notify one or more channels in your Slack workspace upon notifier invocation.

Configuring Falcon LogScale Slack Action

Figure 206. Configuring Falcon LogScale Slack Action


Creating a Slack App

Before you can create your Slack Action within LogScale, you must configure your Slack workspace by creating a new app in your Slack account. You have to be an admin in Slack to create a new app.

To do this:

  1. Go to Slack Apps Directory and follow the steps:

    Creating a new app in Slack

    Figure 207. Creating a new app in Slack


  2. Click Create New App.

  3. Enter a name for the app and pick the workspace you want to message with your Action, e.g. CrowdStrike.

  4. Click Create App.

You now have a new app connected to your workspace. This needs to be configured in one of two ways, depending on how you want to send messages to Slack from LogScale. These are described in the following subsections.

Incoming Webhook - Single Slack Channel

If you want your Action to send messages only to a single Slack channel upon invocation, you need to configure your app with an Incoming Webhook. To do this:

  1. In the Slack api page, go to SettingsBasic Information of your new Slack app

    Configure your App Settings in Slack

    Figure 208. Configure your App Settings in Slack


  2. From the Add features and functionality section, go to Incoming Webhooks

  3. Set Activate Incoming Webhooks to On.

  4. Click Request to Add New Webhook.

  5. In the Request to install New App dialog, add a message for the Administrator.

  6. Click Submit Request.

  7. Make a note of the newly generated URL listed under the Webhook URL section: you will need it when configuring the Action in LogScale.

OAuth Scope - Multiple Slack Channels

If you want your Action to send messages to multiple Slack channels on a single invocation, you need to configure your app with an OAuth Scope. To do this:

  1. In the Slack api page, go to SettingsBasic Information of your new Slack app

  2. Under Add features and functionality go to Permissions (see Figure 208, “Configure your App Settings in Slack”).

  3. You are now in the OAuth&Permissions page: under Scopes Bot Token Scopes click Add an oAuth Scope and enter chat:write.public as a new OAuth scope.

    Add an OAuth Scope in Slack

    Figure 209. Add an OAuth Scope in Slack


  4. If this is the first permission you are adding to the app, click Request to Install.

  5. Make a note of the OAuth token displayed under Tokens for your workspace.

Creating a Slack Action in LogScale

  1. Go to LogScale and create a new Slack action as described in Creating Actions.

  2. Configure your Slack Action in the form shown in Figure 206, “Configuring Falcon LogScale Slack Action”.

  3. If you configured Slack with an Incoming Webhook - Single Slack Channel choose Single-Channel Slack Action and fill in the related fields (see table below).

  4. If you configured Slack with an OAuth Scope - Multiple Slack Channels choose the Multi channel Slack action option and fill in the related fields (see table below).

Parameter Description
Name The name provided for the Slack action.
Slack Webhook Url Available if Single channel Slack action is selected. Enter the Webhook URL you have previously noted when configuring Incoming Webhook - Single Slack Channel.
Slack OAuth Token Available if Multi channel Slack action is selected. Enter the token you have previously noted when configuring OAuth Scope - Multiple Slack Channels
Slack Channels Available if Multi channel Slack action is selected. Specify the channels, separated by commas.
Fields If needed, fields can be configured to customize the message that is sent to Slack when triggered. Use Message Templates and Variables to create the message.