crowdstrike/logscale-slack

VendorCrowdStrike Holdings, Inc.
AuthorCrowdStrike
Version1.0.0
Minimum LogScale Version1.76.0
Create actions based on Slack channel content.

Find the repository where you want to use LogScale Slack actions or create a new one.

  1. Navigate to your repository in the LogScale interface, click Settings and then Packages on the left.

  2. Click Marketplace and install the LogScale package for Slack (i.e. crowdstrike/logscale-slack).

  3. When the package has finished installing, on the top menu go to Alerts and then click Actions on the side menu.

  4. Click + New action, a pop-up is displayed.

  5. Type a name for the action, select From package and click Continue.

  6. Replace INSERT_TOKEN in the HTTP Headers and the Channel (replace `INSERT_CHANNEL in the Message Body Template.

In contrast to the built-in Slack action, this can only send to a single Slack channel. The built-in action actually sends a request to Slack for each channel, so you can get the same functionality by duplicating this action.

Package Contents Explained

This package contains:

A template for creating a webhook action that integrates to Slack. The action template corresponds to the built-in Slack action type, and does not in itself provide any new functionality. Instead, it provides a way to customize what is sent to Slack.

Customizing Your Action and Triggers

In order to customize the action, see Slack API documentation for an overview of what fields you can send. You can use Message Templates and Variables to fill in information about the trigger, the query and the events found by the query.

The message template documentation also describes how you can use these templates in the name or the description of the trigger. That enables you to use the same action for multiple triggers and get customized messages, where the customization happens in the trigger.

Example

You create an action where the message contains {description} which will be replaced by the description of the trigger. In the description of one trigger, you can then write Host {field:$host} failed.

If the result of the trigger had a field host=3, this will be expanded to Host 3 failed, before being put into the `{description}` message template in the action. Another trigger could have a different description using different fields.