Skip to main content
Skip table of contents

Slack

LAST UPDATED: NOV 13, 2023

Overview

Slack is a channel-based messaging platform that brings all of a team's communication into one place.

D3 SOAR is providing REST operations to function with Slack.

For example, you can list all channels and users, create a new channel or join an existing channel, invite users to join channels, or remove users from a channel, furthermore, you can send messages or get a thread of specific reply messages.

Slack is available for use in:

D3 SOAR

V12.7.83.0+

Category

Email Messaging

Deployment Options

Option II, Option IV

Known Limitations

The Slack platform features and APIs rely on rate limits to help provide a predictably pleasant experience for users. The requests to the Web API are evaluated per method, per workspace. Rate limit windows are per minute.

api.slack.com_changelog_2018-03-great-rate-limits 1-20241112-201703.png

Please refer to Great rate limits for Web API methods from the Slack API documentation for details.

Connection

To connect Slack from D3 SOAR, please follow this part to collect the required information below:

Parameter

Description

Example

Default

Authentication Type

The type of authentication used for the integration connection. The two options are OAuth 2.0 Authorization code and User OAuth Token (API Token). If you select the OAuth 2.0 Authorization code, please ensure that your app(s) must have enabled the Token Rotation in the Slack API console.

User OAuth Token (API Token)

Authentication Type: User OAuth Token (API Token)

API Token

The API token to authenticate the connection.

xoxp****4211

Authentication Type: OAuth 2.0 Authorization Code

Client ID

The client ID for the OAuth 2.0 authentication.

1160*****5588

Client Secret

The client secret for the OAuth 2.0 authentication.

d2e1****3576

Scope

The scopes to enable for the connection.

users:read,channels:manage,chat:write,files:write,channels:read,channels:join,groups:read,groups:write

Authorization Code

The authorization code for the OAuth2.0 authentication. Click the "Get Authorization" button on the Connection page to automatically generate an authorization code.

*****

Callback URL

The callback URL is used for OAuth2.0 with the grant type of authorization code. Add this URL to your app’s Redirect URIs. In the Slack API console, navigate to Your App > OAuth & Permissions > Redirect URLs. This parameter is read-only and auto-generated.

https://D3PlatformURL/VSOC/Auth2Callback.aspx

Refresh Token

The refresh token for authentication with the grant type of authorization code. Click the "Get Refresh Token" button on the Connection page to automatically generate a refresh token.

This parameter is read-only and auto-generated.

xoxe-*****

Permission Requirements

Each endpoint in the Slack API requires a certain permission scope. The following scopes are required scopes for each command in this integration:

Please refer to the Known Limitations section for Rate Limits details. Refer to Web API methods to get Slack required scopes.

Command

Required Permission

Archive Channel

Scopes: channels:write, groups:write

Rate Limits: Tier 2

Create Channel

Scopes: channels:write, groups:write, im:write, mpim:write

Rate Limits: Tier 2

Get Reply Messages

Scopes: channels:history, groups:history, im:history, mpim:history

Rate Limits: Tier 3

Get User Details

Scopes: users:read

Rate Limits: Tier 4

Invite Users To Channel

Scopes: channels:write, groups:write, im:write, mpim:write

Rate Limits: Tier 3

Join Channel

Scopes: channels:write

Rate Limits: Tier 3

List Channel Members

Scopes: channels:read, groups:read, im:read, mpim:read

Rate Limits: Tier 4

List Channels

Scopes: channels:read, groups:read, im:read, mpim:read

Rate Limits: Tier 2

List Users

Scopes: users:read

Rate Limits: Tier 2

Remove Users From Channel

Scopes: channels:write, groups:write, im:write, mpim:write

Rate Limits: Tier 3

Send Files

Scopes: files:write, files:write:user

Rate Limits: Tier 2

Send Messages

Scopes: chat:write, chat:write:user, chat:write:bot

Rate Limits: Special (generally allows posting one message per second per channel)

Test Connection

Scopes: users:read

Rate Limits: Tier 2

READER NOTE

Changing the scope will require reinstalling the app and re-adding it to your selected Slack channels. Refer to Application Reinstallation for details.

Configuring Slack to Work with D3 SOAR

  1. Log in to the Slack portal at https://slack.com/ssb/signin#/signin.

    app.slack 2-20241023-181336.png
  2. Launch your workspace.

  3. Create an application under a specific Slack workspace

    1. Click on the Create New App button.

    2. Enter an App Name.

    3. Select a workspace to develop your app.

    4. Click on the Create App button.

  4. Navigate to https://api.slack.com/apps?new_app=1&ref=bolt_start_hub, then click on the app you wish to configure.

    Frame 82 (2)-20241112-222343.png
  5.  Navigate to the OAuth & Permissions page, then scroll down and add the following Bot Token Scopes: channels:read, channels:manage, chat:write, files:write, users:read, groups:history.

Authenticating with an OAuth 2.0 Authorization Code:

  1. Store the Client ID and Client Secret.

    1. Navigate to the Basic Information page.

    2. Copy and save the Client ID. This will be used in Auth Type 1 section.

    3. Click on the Show button for the Client Secret

    4. Copy and save the Client Secret. This will be used in Auth Type 1 section.

  2. Click on the OAuth & Permissions item within the left sidebar menu, then click on the Add New Redirect URL under the Redirect URLs section.

  3. Copy the Callback URL from vSOC (refer to Auth Type 1 sub-step 4) and paste it into the Redirect URLs field. Click on the Add button, then click on the Save URLs button.

  4. Set the token_rotation_enabled field to true in the App Manifest.

    1. Navigate to the App Manifest page. 

    2. Set the token_rotation_enabled field to true

    3. Click on the Save Changes button. 

Authenticating with a User OAuth Token (API token):

  1. Scroll up and click on the Install to <Workspace> button.

    Frame 83 (3)-20241112-222949.png
  1. Click on the Allow button.

  2. Copy and save the Bot User OAuth Token. This token will be used in Auth Type 2 sub-step 1.

    Frame 84 (3)-20241112-223116.png

Configuring D3 SOAR to Work with Slack

  1. Log in to D3 SOAR.

  2. Find the Slack integration.

    Frame 36 (5)-20241023-181509.png
    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Slack in the search box to find the integration, then click it to select it.

    4. Click + New Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Slack.

    Frame 37 (5)-20241023-183854.png
    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.

    7. Configure User Permissions: Defines which users have access to the connection.

    8. Active: Check the tick box to ensure the connection is available for use.

    9. Allow messages to also be sent to Slack through this connection: Specifies the receiving Slack channel name.

      Frame 53 (2)-20241023-211939.png
    10. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      1. Auth Type 1. Select the Authentication Type: OAuth 2.0 Authorization Code

        1. Copy the Client ID from the Slack platform (refer to step 6 of the Authenticating with an OAuth 2.0 Authorization Code section).
        2. Copy the Client Secret from the Slack platform (refer to step 6 of the Authenticating with an OAuth 2.0 Authorization Code section).
        3. The default value of the Scope is users:read,channels:manage,chat:write,files:write,channels:read,channels:join,groups:read,groups:write. Refer to step 5 of the Configuring Slack to Work with D3 SOAR section. See Permission Requirements for the scopes required by commands.
        4. Copy the D3 Callback URL and paste it into the Slack Redirect URLs section. Refer to steps 7-8 of the Authenticating with an OAuth 2.0 Authorization Code section.

        Frame 61 (4)-20241106-235946.png

        5. Click on the Get Authorization button, then click on the Allow button in the redirect window.

        Frame 62 (12)-20241107-000354.png

        6. Close the redirect window (no need to copy the Authorization Code).

        Frame 58 (3)-20241106-234412.png

        7. Click on the Get Refresh Token button to automatically populate the Refresh Token and Authorization Code fields.

        Frame 52 (2)-20241023-193028.png
      2. Auth Type 2. Select the Authentication Type: User OAuth Token (API Token)

        1. Copy the OAuth Token from the Slack platform and set it to the input Field API Token. Refer to step 8 of the Authenticating with a User OAuth Token (API token) section.

    11. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.

    12. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
      To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

Slack includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Slack API, please refer to the Installing with OAuth and Web API methods.

READER NOTE

Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring Slack to Work with D3 SOAR for details.

Slack customized error response

The error response of slack API requests are packed in the API response with HTTP status code 200. The command execution success/failure will be indicated by the key "OK" in returned JSON data.

The failed Slack API response format looks like this:

Please refer to Using the Slack Web API>Evaluating responses for more detailed explanations.

Note for Time-related parameters

The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:

  1. Navigate to Configuration > Application Settings. Select Date/Time Format.

    Frame 33 (7)-20241023-183156.png
  2. Choose your desired date and time format.

    Frame 15 (26)-20241023-183213.png

After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.

Archive Channel

Archives a public or a private channel. The archived channel’s message history will be retained and searchable.

READER NOTE

Channel ID is a required parameter to run this command.

  • Run the List Channels command to obtain Channel ID. Channel IDs can be found in the returned raw data at the path $.channels[*].id.

Please note that the #general channel cannot be archived by using this command. The #general channel can’t be archived, deleted, or converted to a private channel. Archive #general channel will result in an error: "can't archive general" in D3 SOAR.

Please refer to Slack Archive or delete a channel for more details.

Input

Input Parameter

Required/Optional

Description

Example

Channel ID

Required

The ID of the channel to archive. Channel IDs can be obtained using the List Channels command.

C0***HY

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "channelID": "C0***Y",
    "actionResult": "Closed the channel successfully"
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

channelID

C0***Y

actionResult

Closed the channel successfully

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Archive Channel failed. An error occurred when calling the Archive Channel operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.

Status Code: 200.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: OK: False, Error: Channel ID Not Found.

Error Sample Data

Archive Channel failed. An error occurred when calling the Archive Channel operation.

Status Code: 200.

Message: OK: False, Error: Channel ID Not Found.

Create Channel

Creates a new channel based on the provided name.

READER NOTE

You will automatically join the created channel. The display username depends on the app you used for your connection. See the FAQ for more details.

Input

Input Parameter

Required/Optional

Description

Example

Channel Name

Required

The name of the channel. Note: Channel names can only contain lowercase letters, numbers, hyphens, and underscores, and must be 80 characters or less.

test2021***a

Is Private

Optional

The option to set the channel as private.

True

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "ok": true,
    "channel": {
        "id": "C0***8",
        "name": "test2021***",
        "is_channel": true,
        "is_group": false,
        "is_im": false,
        "is_mpim": false,
        "is_private": false,
        "created": 1636861057,
        "is_archived": false,
        "is_general": false,
        "unlinked": 0,
        "name_normalized": "test2021***",
        "is_shared": false,
        "is_org_shared": false,
        "is_pending_ext_shared": false,
        "pending_shared": [],
        "parent_conversation": null,
        "creator": "U02LUMZTMUL",
        "is_ext_shared": false,
        "shared_team_ids": [
            "T01***N"
        ],
        "pending_connected_team_ids": [],
        "is_member": true,
        "last_read": "0000000000.000000",
        "topic": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "purpose": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "previous_names": [],
        "priority": 0
    }
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.channel in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

JSON
{
        "id": "C0***8",
        "name": "test2021***",
        "is_channel": true,
        "is_group": false,
        "is_im": false,
        "is_mpim": false,
        "is_private": false,
        "created": 1636861057,
        "is_archived": false,
        "is_general": false,
        "unlinked": 0,
        "name_normalized": "test2021***",
        "is_shared": false,
        "is_org_shared": false,
        "is_pending_ext_shared": false,
        "pending_shared": [],
        "parent_conversation": null,
        "creator": "U02LUMZTMUL",
        "is_ext_shared": false,
        "shared_team_ids": [
            "T01***N"
        ],
        "pending_connected_team_ids": [],
        "is_member": true,
        "last_read": "0000000000.000000",
        "topic": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "purpose": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "previous_names": [],
        "priority": 0
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ChannelID": "C0***8"
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

C0***8

name

test2021***

is_channel

True

is_group

False

is_im

False

is_mpim

False

is_private

False

created

1636861057

is_archived

False

is_general

False

unlinked

0

name_normalized

test20211***

is_shared

False

is_org_shared

False

is_pending_ext_shared

False

pending_shared

[]

parent_conversation

None

creator

U0***UL

is_ext_shared

False

shared_team_ids

T01***7N

pending_connected_team_ids

[]

is_member

True

last_read

0000000000.000000

topic

{'value': '', 'creator': '', 'last_set': 0}

purpose

{'value': '', 'creator': '', 'last_set': 0}

previous_names

[]

priority

0

 Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Channel failed. An error occurred when calling the Create Channel operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.

Status Code: 200.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: OK: False, Error: Invalid Channel ID.

Error Sample Data

Create Channel failed. An error occurred when calling the Create Channel operation.

Status Code: 200.

Message: OK: False, Error: Invalid Channel ID.

Get Reply Messages

Retrieves a thread of messages posted to a conversation. These messages are replied to with a specified message unique identifier(Message Timestamps).

READER NOTE

Channel ID and Message UID are required parameters to run this command.

  • Run the List Channels command to obtain Channel ID. Channel IDs can be found in the returned raw data at the path $.channels[*].id.

  • Run the Send Messages command to obtain Message UID. Message UIDs can be found in the returned raw data at the path $.message.ts.

Please note that the Channel ID must match to Message UID. D3 suggests you to run List Channel first to get the Channel you want to use, then use that Channel ID to run the Send Message command. Use the pair of Channel ID and Message UID to run this command.

Input

Input Parameter

Required/Optional

Description

Example

Channel ID

Required

The ID of the channel to retrieve reply messages from. Channel IDs can be obtained using the List Channels command.

C0***H

Message UID

Required

The unique identifier timestamp of a thread’s parent message or a message in the thread. Message UIDs can be obtained using the Send Messages command.

16***.0***0

Earliest Time

Optional

The start time of the time range to retrieve reply messages in UTC time.

2022-01-01 00:00

Latest Time

Optional

The end time of the time range to retrieve reply messages in UTC.

2022-06-01 00:00

Limit

Optional

The maximum number of records to return. If the input value is invalid (i.e., negative number, 0, characters or symbols) or the parameter is not defined, the default value of 20 will be used. The maximum input value for this field is 100; however, the recommended value is between 1 to 200.

2

Next Page

Optional

The pagination value of the parameter with the next_cursor attribute returned by a previous request's response_metadata. The "Limit" parameter specifies the maximum number of return records output. The Next Page input parameter outputs the next set of messages while confined to the defined "Limit" parameter. For example, for a given message, there are four replies. You set the "Limit" parameter to 2 so the command outputs the most recent two reply messages. The resulting output raw data has a "next_cursor" value (last JSON key-value pair of the raw data) which can be used for this parameter to run the command again to output the remaining two messages with an earlier timestamp.

bm***DAw

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "ok": true,
    "messages": [
        {
            "client_msg_id": "***-***-***-***-***",
            "type": "message",
            "text": "Start conversation.......",
            "user": "***",
            "ts": "***",
            "team": "***",
            "blocks": [
                {
                    "type": "rich_text",
                    "block_id": "***",
                    "elements": [
                        {
                            "type": "rich_text_section",
                            "elements": [
                                {
                                    "type": "text",
                                    "text": "Start conversation......."
                                }
                            ]
                        }
                    ]
                }
            ],
            "thread_ts": "***",
            "reply_count": 4,
            "reply_users_count": 2,
            "latest_reply": "1643238010.002600",
            "reply_users": [
                "***",
                "***"
            ],
            "is_locked": false,
            "subscribed": true,
            "last_read": "1643237610.001500"
        },
        {
            "client_msg_id": "***-***-***-***-***",
            "type": "message",
            "text": "Hello, I replied you again and again.",
            "user": "***",
            "ts": "**",
            "team": "***",
            "blocks": [
                {
                    "type": "rich_text",
                    "block_id": "***",
                    "elements": [
                        {
                            "type": "rich_text_section",
                            "elements": [
                                {
                                    "type": "text",
                                    "text": "Hello, I replied you again and again."
                                }
                            ]
                        }
                    ]
                }
            ],
            "thread_ts": "***",
            "parent_user_id": "***"
        }
            ],
            "thread_ts": "***",
            "parent_user_id": "***"
        }
    ],
    "has_more": true,
    "response_metadata": {
        "next_cursor": "***"
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "MessageTimestamps": [
        "1643237701.002000",
        "1643238010.002600"
    ],
    "ReplyUserIDs": [
        "***",
        "***"
    ],
    "NextPage": "bm***Aw"
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ok

True

messages

{'client_msg_id': '***-***-***-***-***', 'type': 'message', 'text': 'Start conversation.......', 'user': '***', 'ts': '1643237610.001500', 'team': '***', 'blocks': [{'type': 'rich_text', 'block_id': '***', 'elements': [{'type': 'rich_text_section', 'elements': [{'type': 'text', 'text': 'Start conversation.......'}]}]}], 'thread_ts': '***', 'reply_count': 4, 'reply_users_count': 2, 'latest_reply': '1643238010.002600', 'reply_users': ['***', '***'], 'is_locked': False, 'subscribed': True, 'last_read': '1643237610.001500'}

{'client_msg_id': '***-***-***-***-***', 'type': 'message', 'text': 'Hello, I replied you again and again.', 'user': 'U030F3S4PUL', 'ts': '1643237701.002000', 'team': '*****', 'blocks': [{'type': 'rich_text', 'block_id': '***', 'elements': [{'type': 'rich_text_section', 'elements': [{'type': 'text', 'text': 'Hello, I replied you again and again.'}]}]}], 'thread_ts': '1643237610.001500', 'parent_user_id': '***'}

has_more

True

response_metadata

{'next_cursor': '***'}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Reply Messages failed. An error occurred when calling the Get Reply Messages operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.

Status Code: 200.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: OK: False, Error: Channel ID Not Found.

Error Sample Data

Get Reply Messages failed. An error occurred when calling the Get Reply Messages operation.

Status Code: 200.

Message: OK: False, Error: Channel ID Not Found.

Get User Details

Retrieves detailed information about the specified users.

READER NOTE

The parameter User IDs is required to run this command.

  • Run the List Users command to obtain User IDs. User IDs can be found the the returned raw data at the path $.members[*].id.

  • When logging into Slack, the User ID of that account can be found by clicking the top right profile icon > Profile > image-20240305-194258.png > Copy member ID. Member ID is equivalent to User ID.

Input

Input Parameter

Required/Optional

Description

Example

User IDs

Required

The IDs of the users to return details. User IDs can be obtained using the List Users command.

JSON
[ "U0***V" ] 

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "ok": true,
        "user": {
            "id": "U***V",
            "team_id": "T0***7N",
            "name": "***",
            "deleted": false,
            "color": "9f69e7",
            "real_name": "***",
            "tz": "America/Los_Angeles",
            "tz_label": "Pacific Standard Time",
            "tz_offset": -28800,
            "profile": {
                "title": "",
                "phone": "",
                "skype": "",
                "real_name": "***",
                "real_name_normalized": "***",
                "display_name": "",
                "display_name_normalized": "",
                "fields": null,
                "status_text": "",
                "status_emoji": "",
                "status_emoji_display_info": [],
                "status_expiration": 0,
                "avatar_hash": "***",
                "image_24": "https://secure.gravatar.com/avatar/***.jpg?s=***",
                "status_text_canonical": "",
                "team": "***"
            },
            "is_admin": true,
            "is_owner": true,
            "is_primary_owner": true,
            "is_restricted": false,
            "is_ultra_restricted": false,
            "is_bot": false,
            "is_app_user": false,
            "updated": 1603889636,
            "is_email_confirmed": true,
            "who_can_share_contact_card": "EVERYONE"
        }
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.[*].users in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

JSON
{
            "id": "U***V",
            "team_id": "T0***7N",
            "name": "***",
            "deleted": false,
            "color": "9f69e7",
            "real_name": "***",
            "tz": "America/Los_Angeles",
            "tz_label": "Pacific Standard Time",
            "tz_offset": -28800,
            "profile": {
                "title": "",
                "phone": "",
                "skype": "",
                "real_name": "***",
                "real_name_normalized": "***",
                "display_name": "",
                "display_name_normalized": "",
                "fields": null,
                "status_text": "",
                "status_emoji": "",
                "status_emoji_display_info": [],
                "status_expiration": 0,
                "avatar_hash": "***",
                "image_24": "https://secure.gravatar.com/avatar/***.jpg?s=***",
                "status_text_canonical": "",
                "team": "***"
            },
            "is_admin": true,
            "is_owner": true,
            "is_primary_owner": true,
            "is_restricted": false,
            "is_ultra_restricted": false,
            "is_bot": false,
            "is_app_user": false,
            "updated": 1603889636,
            "is_email_confirmed": true,
            "who_can_share_contact_card": "EVERYONE"
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "UserIDs": [
        "U***V"
    ],
    "UserNames": [
        "***"
    ],
    "IsBots": [
        false
    ]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

*****

team_id

*****

name

sysint

deleted

FALSE

color

9f69e7

real_name

sysint

tz

America/Los_Angeles

tz_label

Pacific Standard Time

tz_offset

-28800

profile

{'title': '', 'phone': '', 'skype': '', 'real_name': 'sysint', 'real_name_normalized': 'sysint', 'display_name': '', 'display_name_normalized': '', 'fields': None, 'status_text': '', 'status_emoji': '', 'status_emoji_display_info': [], 'status_expiration': 0, 'avatar_hash': 'gd5a1c3bb464', 'image_24': 'https://*****.com*****.png', 'image_32': 'https://*****.com*****.png', 'image_48': 'https://*****.com*****.png', 'image_72': 'https://*****.com*****.png', 'image_192': 'https://*****.com*****.png', 'image_512': 'https://*****.com*****.png', 'status_text_canonical': '', 'team': '*****'}

is_admin

TRUE

is_owner

TRUE

is_primary_owner

TRUE

is_restricted

FALSE

is_ultra_restricted

FALSE

is_bot

FALSE

is_app_user

FALSE

updated

1603889636

is_email_confirmed

TRUE

who_can_share_contact_card

EVERYONE

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get User Details failed. An error occurred when calling the Get User Details operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.

Status Code: 200.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: OK: False, Error: User ID Not Found.

Error Sample Data

Get User Details failed. An error occurred when calling the Get User Details operation.

Status Code: 200.

Message: OK: False, Error: User ID Not Found.

Invite Users To Channel

Invites specified users to a channel.

READER NOTE

Channel IDs and User IDs are required parameters to run this command.

  • Run the List Channels command to obtain Channel ID. Channel IDs can be found in the returned raw data at the path $.channels[*].id.

  • Run the List Users command to obtain User ID. User IDs can be found the the returned raw data at the path $.members[*].id.

Please note that the API APP connection used for the command must be a member of the specified channel.

Input

Input Parameter

Required/Optional

Description

Example

Channel ID

Required

The ID of the channel to invite the users to. Channel IDs can be obtained using the List Channels command.

C0***Y

User IDs

Required

The IDs of the users to invite to the specified channel. User IDs can be obtained using the List Users command.

[ "U***5" ]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "ok": true,
    "channel": {
        "id": "C***2",
        "name": "test2021***",
        "is_channel": true,
        "is_group": false,
        "is_im": false,
        "is_mpim": false,
        "is_private": false,
        "created": 1636865987,
        "is_archived": false,
        "is_general": false,
        "unlinked": 0,
        "name_normalized": "test2021***",
        "is_shared": false,
        "is_org_shared": false,
        "is_pending_ext_shared": false,
        "pending_shared": [],
        "parent_conversation": null,
        "creator": "U***L",
        "is_ext_shared": false,
        "shared_team_ids": [
            "T0***N"
        ],
        "pending_connected_team_ids": [],
        "is_member": true,
        "last_read": "0000000000.000000",
        "topic": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "purpose": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "previous_names": []
    }
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.channel in API returned JSON. D3 also enriches the context data from the original Slack API response by adding the UserIDs field to indicate the input User IDs.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

JSON
{
    "id": "C0***2",
    "name": "test2021***",
    "is_channel": true,
    "is_group": false,
    "is_im": false,
    "is_mpim": false,
    "is_private": false,
    "created": 1636865987,
    "is_archived": false,
    "is_general": false,
    "unlinked": 0,
    "name_normalized": "test2021**",
    "is_shared": false,
    "is_org_shared": false,
    "is_pending_ext_shared": false,
    "pending_shared": [],
    "parent_conversation": null,
    "creator": "U**L",
    "is_ext_shared": false,
    "shared_team_ids": [
        "T0***N"
    ],
    "pending_connected_team_ids": [],
    "is_member": true,
    "last_read": "0000000000.000000",
    "topic": {
        "value": "",
        "creator": "",
        "last_set": 0
    },
    "purpose": {
        "value": "",
        "creator": "",
        "last_set": 0
    },
    "previous_names": [],
    "UserIDs": [
        "U***5"
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ChannelID": "C***2",
    "UserIDs": [
        "U0**5"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

C0**2

name

test2021**

is_channel

True

is_group

False

is_im

False

is_mpim

False

is_private

False

created

1636865987

is_archived

False

is_general

False

unlinked

0

name_normalized

test20211***

is_shared

False

is_org_shared

False

is_pending_ext_shared

False

pending_shared

[]

parent_conversation

None

creator

U0***L

is_ext_shared

False

shared_team_ids

T0***N

pending_connected_team_ids

[]

is_member

True

last_read

0000000000.000000

topic

{'value': '', 'creator': '', 'last_set': 0}

purpose

{'value': '', 'creator': '', 'last_set': 0}

previous_names

[]

UserIDs

U0***5

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Invite Users To Channel failed. An error occurred when calling the Invite Users To Channel operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.

Status Code: 200.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: OK: False, Error: Channel ID Not Found.

Error Sample Data

Invite Users To Channel failed. An error occurred when calling the Get User Details operation.

Status Code: 200.

Message: OK: False, Error: Channel ID Not Found.

Join Channel

Joins an existing conversation.

READER NOTE

Channel ID is a required parameter to run this command.

  • Run the List Channels command to obtain Channel ID. Channel IDs can be found in the returned raw data at the path $.channels[*].id

Please note:

  • Same account can only join the same channel once. If you see a warning: already_in_channel in D3 SOAR, please check if you are using the same connection.

  • Other than checking from Slack UI, users can check whether the channels are private by running List Channels command. You can find related information in Raw Data>find the Channel ID you want to use>find "is private" key under that id>false means it’s not a private channel; true means it’s a private channel.

Input

Input Parameter

Required/Optional

Description

Example

Channel ID

Required

The ID of the channel to join. Channel IDs can be obtained using the List Channels command. Note: Private channels cannot be joined with this command.

C0***W

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "ok": true,
    "channel": {
        "id": "C0***Y",
        "name": "test2021***",
        "is_channel": true,
        "is_group": false,
        "is_im": false,
        "is_mpim": false,
        "is_private": false,
        "created": 1636496508,
        "is_archived": false,
        "is_general": false,
        "unlinked": 0,
        "name_normalized": "test2021***",
        "is_shared": false,
        "is_org_shared": false,
        "is_pending_ext_shared": false,
        "pending_shared": [],
        "parent_conversation": null,
        "creator": "U0***X",
        "is_ext_shared": false,
        "shared_team_ids": [
            "T0***N"
        ],
        "pending_connected_team_ids": [],
        "is_member": true,
        "topic": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "purpose": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "previous_names": [],
        "priority": 0
    },
    "warning": "already_in_channel",
    "response_metadata": {
        "warnings": [
            "already_in_channel"
        ]
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ChannelName": "test2021***"
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ok

True

channel

{'id': 'C0***Y', 'name': 'test2021***', 'is_channel': True, 'is_group': False, 'is_im': False, 'is_mpim': False, 'is_private': False, 'created': 1636496508, 'is_archived': False, 'is_general': False, 'unlinked': 0, 'name_normalized': 'test2021***', 'is_shared': False, 'is_org_shared': False, 'is_pending_ext_shared': False, 'pending_shared': [], 'parent_conversation': None, 'creator': 'U0***X', 'is_ext_shared': False, 'shared_team_ids': ['T0***7N'], 'pending_connected_team_ids': [], 'is_member': True, 'topic': {'value': '', 'creator': '', 'last_set': 0}, 'purpose': {'value': '', 'creator': '', 'last_set': 0}, 'previous_names': [], 'priority': 0}

warning

already_in_channel

response_metadata

{'warnings': ['already_in_channel']}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Join Channel failed. An error occurred when calling the Join Channel operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.

Status Code: 200.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: OK: False, Error: Channel ID Not Found.

Error Sample Data

Join Channel failed. An error occurred when calling the Join Channel operation.

Status Code: 200.

Message: OK: False, Error: Channel ID Not Found.

List Channel Members

Retrieves members from a specified channel.

READER NOTE

Channel ID is a required parameter to run this command.

  • Run the List Channels command to obtain Channel ID. Channel IDs can be found in the returned raw data at the path $.channels[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Channel ID

Required

The ID of the channel to list members from. Channel IDs can be obtained using the List Channels command.

C0***Y

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "ok": true,
    "members": [
        "U0***X",
        "U0***L"
    ],
    "response_metadata": {
        "next_cursor": ""
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "UserIDs": [
        "U02***X",
        "U0***L"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ok

True

members

  • U0***X

  • U0***L

response_metadata

{'next_cursor': ''}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Channel Members failed. An error occurred when calling the List Channel Members operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.

Status Code: 200.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: OK: False, Error: Channel ID Not Found.

Error Sample Data

List Channel Members failed. An error occurred when calling the List Channel Members operation.

Status Code: 200.

Message: OK: False, Error: Channel ID Not Found.

List Channels

Lists all Slack channels of specified types.

READER NOTE

If the input value for the Types parameter is public_channel, private_channel, all public and private channels will be returned.

Input

Input Parameter

Required/Optional

Description

Example

Types

Optional

A comma-separated list of the channel types to filter results. The types are:

  • public_channel,

  • private_channel,

  • mpim,

  • im

By default, the value is public_channel.

public_channel,private_channel

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "ok": true,
    "channels": [
        {
            "id": "C0***B",
            "name": "***",
            "is_channel": true,
            "is_group": false,
            "is_im": false,
            "created": 1590789443,
            "is_archived": false,
            "is_general": false,
            "unlinked": 0,
            "name_normalized": "***",
            "is_shared": false,
            "parent_conversation": null,
            "creator": "U0***V",
            "is_ext_shared": false,
            "is_org_shared": false,
            "shared_team_ids": [
                "T0***N"
            ],
            "pending_shared": [],
            "pending_connected_team_ids": [],
            "is_pending_ext_shared": false,
            "is_member": false,
            "is_private": false,
            "is_mpim": false,
            "topic": {
                "value": "",
                "creator": "",
                "last_set": 0
            },
            "purpose": {
                "value": "",
                "creator": "",
                "last_set": 0
            },
            "previous_names": [],
            "num_members": 6
        }
    ],
    "response_metadata": {
        "next_cursor": ""
    }
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.channels in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

JSON
[
    {
        "id": "C0***B",
        "name": "***",
        "is_channel": true,
        "is_group": false,
        "is_im": false,
        "created": 1590789443,
        "is_archived": false,
        "is_general": false,
        "unlinked": 0,
        "name_normalized": "***",
        "is_shared": false,
        "parent_conversation": null,
        "creator": "U0***V",
        "is_ext_shared": false,
        "is_org_shared": false,
        "shared_team_ids": [
            "T0***N"
        ],
        "pending_shared": [],
        "pending_connected_team_ids": [],
        "is_pending_ext_shared": false,
        "is_member": false,
        "is_private": false,
        "is_mpim": false,
        "topic": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "purpose": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "previous_names": [],
        "num_members": 6
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ChannelIDs": [
        "C0***1"
    ],
    "ChannelNames": [
        "***"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ID

C0***B

NAME

***

IS_CHANNEL

TRUE

IS_GROUP

FALSE

IS_IM

FALSE

CREATED

1590789443

IS_ARCHIVED

FALSE

IS_GENERAL

FALSE

UNLINKED

0

NAME_NORMALIZED

***

IS_SHARED

FALSE

PARENT_CONVERSATION

None

CREATOR

U***V

IS_EXT_SHARED

FALSE

IS_ORG_SHARED

FALSE

SHARED_TEAM_IDS

['T***N']

PENDING_SHARED

[]

PENDING_CONNECTED_TEAM_IDS

[]

IS_PENDING_EXT_SHARED

FALSE

IS_MEMBER

FALSE

IS_PRIVATE

FALSE

IS_MPIM

FALSE

TOPIC

{'value': '', 'creator': '', 'last_set': 0}

PURPOSE

{'value': '', 'creator': '', 'last_set': 0}

PREVIOUS_NAMES

[]

NUM_MEMBERS

6

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Channels failed. An error occurred when calling the List Channels operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.

Status Code: 200.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: OK: False, Error: Invalid types.

Error Sample Data

List Channels failed. An error occurred when calling the List Channels operation.

Status Code: 200.

Message: OK: False, Error: Invalid types.

List Users

Lists all users in a Slack team.

READER NOTE

  • If no input parameters are defined, the command will return up to 1,000 users without filtering by role.

  • The Limit input parameter sets the maximum number of users to return. The default value is 1,000, but you may change it to any value (greater or less than 1,000).

Input

Input Parameter

Required/Optional

Description

Example

Role

Optional

The role of the users to list.

Workspace Admin

Limit

Optional

The maximum number of records to return. If the input value is invalid (i.e., negative number, 0, characters or symbols) or the parameter is not defined, the default value of 1,000 will be used.

2

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "ok": true,
    "members": [
        {
            "id": "U***V",
            "team_id": "T0***N",
            "name": "***",
            "deleted": false,
            "color": "9f69e7",
            "real_name": "***",
            "tz": "America/Los_Angeles",
            "tz_label": "Pacific Daylight Time",
            "tz_offset": -25200,
            "profile": {
                "title": "",
                "phone": "",
                "skype": "",
                "real_name": "***",
                "real_name_normalized": "***",
                "display_name": "",
                "display_name_normalized": "",
                "fields": null,
                "status_text": "",
                "status_emoji": "",
                "status_expiration": 0,
                "avatar_hash": "gd***4",
                "image_24": "https://secure.gravatar.com/avatar/***.jpg?s=***",
                "image_32": "https://secure.gravatar.com/avatar/**.jpg?s=***",
                "status_text_canonical": "",
                "team": "T0***N"
            },
            "is_admin": true,
            "is_owner": true,
            "is_primary_owner": true,
            "is_restricted": false,
            "is_ultra_restricted": false,
            "is_bot": false,
            "is_app_user": false,
            "updated": 1603889636,
            "is_email_confirmed": true,
            "who_can_share_contact_card": "EVERYONE"
        }
    ],
    "cache_ts": **,
    "response_metadata": {
        "next_cursor": ""
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "UserIDs": [
        "U0***V"
    ],
    "UserNames": [
        "***"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Users failed. An error occurred when calling the List Users operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.

Status Code: 200.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: OK: False, Error: Missing scope.

Error Sample Data

List Users failed. An error occurred when calling the List Users operation.

Status Code: 200.

Message: OK: False, Error: Missing scope.

Remove Users From Channel

Removes the specified users from a channel.

READER NOTE

User IDs and Channel ID are required parameters to run this command.

  • Run the List Users command to obtain User IDs. User IDs can be found the the returned raw data at the path $.members[*].id.

  • Run the List Channels command to obtain Channel ID. Channel IDs can be found in the returned raw data at the path $.channels[*].id. List Channel Members is also suggested to get the member in the specific channel, in order to make sure the user you want to remove is in the channel.

Note that the API app connection used for the command must be a member of the specified channel.

Input

Input Parameter

Required/Optional

Description

Example

User IDs

Required

The IDs of the users to remove from the specified channel. User IDs can be obtained using the List Users command.

JSON
[ "U0***5" ] 

Channel ID

Required

The ID of the channel to remove the specified users from. Channel IDs can be obtained using the List Channels command.

C0***Y

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "ok": true
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 enriches the context data from the original Slack API response by adding the ChannelID field to indicate the input Channel ID, adding the UserID field to indicate the input User IDs, and adding the ActionResult field to indicate whether the users have been removed from specified channel successfully.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

JSON
[
    {
        "ChannelID": "C0***2",
        "UserID": "U0***5",
        "ActionResult": "Removed from the channel successfully"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ChannelID": "C0***2",
    "UserIDs": [
        "U0***5"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CHANNELID

USERID

ACTIONRESULT

C0***2

U0***5

Removed from the channel successfully

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Remove Users From Channel failed. An error occurred when calling the Remove Users From Channel operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.

Status Code: 200.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: OK: False, Error: User ID Not Found.

Error Sample Data

Remove Users From Channel failed. An error occurred when calling the Remove Users From Channel operation.

Status Code: 200.

Message: OK: False, Error: User ID Not Found.

Send Files

Shares file(s) on the specified channel(s).

READER NOTE

The parameter Channel IDs is required to run this command.

  • Run the List Channels command to obtain Channel IDs. Channel IDs can be found in the returned raw data at the path $.channels[*].id.

Please note that the API app connection used for the command must be a member of the specified channel.

File ID and File Source

It is not recommended to use the Test Command feature with the Send Files command as it is designed for dynamic input files in Playbooks, Incident Attachments, and Artifact Attachments. There is a simple workaround to test the command:

  1. Navigate to Configuration on the top bar menu.

  2. Click on Utility Commands on the left sidebar menu.

  3. Use the search box to find and select the Create a File from input Text Array command.

  4. Click on the Test tab.

  5. Input the required information for the parameters.

  6. Click on the Test Command button. A D3 File ID will appear in the output data after the file has been successfully created. The D3 File Source of the created file will be Playbook File.

Input

Input Parameter

Required/Optional

Description

Example

Channel IDs

Required

The IDs or names of the channels to send files to. Channel ID can be obtained using the List Channels command.

C0***2

D3 File IDs

Required

The file path of the file source. The options for file paths are:

  • Incident Attachment: Incident.file.file ID

  • Playbook File: Task output

  • Artifact File: Incident.Events.file.file ID

[ "20" ]

D3 File Source

Required

The file source of the file to send. The options for file sources are:

  • Incident Attachment File: Manually uploaded file from Incident

  • Playbook File: Output from another Task

  • Artifact File: Ingested Artifact in an Event

Playbook File

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "ok": true,
        "file": {
            "id": "F0***V",
            "created": 1636867965,
            "timestamp": 1636867965,
            "name": "Blue Jays.png",
            "title": "Blue Jays",
            "mimetype": "image/png",
            "filetype": "png",
            "pretty_type": "PNG",
            "user": "U0***L",
            "editable": false,
            "size": 3840,
            "mode": "hosted",
            "is_external": false,
            "external_type": "",
            "is_public": true,
            "public_url_shared": false,
            "display_as_bot": false,
            "username": "",
            "url_private": "https://files.slack.com/files-pri/***.png",
            "url_private_download": "https://files.slack.com/files-pri/***/download/***.png",
            "media_display_type": "unknown",
            "thumb_360_w": 225,
            "thumb_360_h": 225,
            "thumb_160": "https://files.slack.com/files-tmb/***/***.png",
            "original_w": 225,
            "original_h": 225,
            "thumb_tiny": "***+**/***/***/***/**//2Q==",
            "permalink": "https://d3cyber.slack.com/files/**/**/**.png",
            "permalink_public": "https://slack-files.com/*-**-**",
            "comments_count": 0,
            "is_starred": false,
            "shares": {
                "public": {
                    "C***2": [
                        {
                            "reply_users": [],
                            "reply_users_count": 0,
                            "reply_count": 0,
                            "ts": "***",
                            "channel_name": "test2021**",
                            "team_id": "T***N",
                            "share_user_id": "U***L"
                        }
                    ]
                }
            },
            "channels": [
                "C0***"
            ],
            "groups": [],
            "ims": [],
            "has_rich_preview": false
        }
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.[*].file in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

JSON
{
            "id": "F0***V",
            "created": 1636867965,
            "timestamp": 1636867965,
            "name": "Blue Jays.png",
            "title": "Blue Jays",
            "mimetype": "image/png",
            "filetype": "png",
            "pretty_type": "PNG",
            "user": "U0***L",
            "editable": false,
            "size": 3840,
            "mode": "hosted",
            "is_external": false,
            "external_type": "",
            "is_public": true,
            "public_url_shared": false,
            "display_as_bot": false,
            "username": "",
            "url_private": "https://files.slack.com/files-pri/***.png",
            "url_private_download": "https://files.slack.com/files-pri/***/download/***.png",
            "media_display_type": "unknown",
            "thumb_360_w": 225,
            "thumb_360_h": 225,
            "thumb_160": "https://files.slack.com/files-tmb/***/***.png",
            "original_w": 225,
            "original_h": 225,
            "thumb_tiny": "***+**/***/***/***/**//2Q==",
            "permalink": "https://d3cyber.slack.com/files/**/**/**.png",
            "permalink_public": "https://slack-files.com/*-**-**",
            "comments_count": 0,
            "is_starred": false,
            "shares": {
                "public": {
                    "C***2": [
                        {
                            "reply_users": [],
                            "reply_users_count": 0,
                            "reply_count": 0,
                            "ts": "***",
                            "channel_name": "test2021**",
                            "team_id": "T***N",
                            "share_user_id": "U***L"
                        }
                    ]
                }
            },
            "channels": [
                "C0***"
            ],
            "groups": [],
            "ims": [],
            "has_rich_preview": false
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "FileIDs": [
        "F0***V"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ID

F***V

CREATED

1636867965

TIMESTAMP

1636867965

NAME

Blue Jays.png

TITLE

Blue Jays

MIMETYPE

image/png

FILETYPE

png

PRETTY_TYPE

PNG

USER

U***L

EDITABLE

FALSE

SIZE

3840

MODE

hosted

IS_EXTERNAL

FALSE

EXTERNAL_TYPE

IS_PUBLIC

TRUE

PUBLIC_URL_SHARED

FALSE

DISPLAY_AS_BOT

FALSE

USERNAME

URL_PRIVATE

URL_PRIVATE_DOWNLOAD

MEDIA_DISPLAY_TYPE

unknown

THUMB_64

https://*****.png

THUMB_80

https://*****.png

THUMB_360

https://*****.png

THUMB_360_W

225

THUMB_360_H

225

THUMB_160

https://*****.png

ORIGINAL_W

225

ORIGINAL_H

225

THUMB_TINY

PERMALINK

https://***.slack.com/files/***/**/***.png

PERMALINK_PUBLIC

https://*****

COMMENTS_COUNT

0

IS_STARRED

FALSE

SHARES

{'public': {'***': [{'reply_users': [], 'reply_users_count': 0, 'reply_count': 0, 'ts': '***', 'channel_name': 'test20211***', 'team_id': '***', 'share_user_id': '***'}]}}

CHANNELS

['***']

GROUPS

[]

IMS

[]

HAS_RICH_PREVIEW

FALSE

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Send Files failed. An error occurred when calling the Send Files operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.

Status Code: 200.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: OK: False, Error: Channel ID Not Found.

Error Sample Data

Send Files failed. An error occurred when calling the Send Files operation.

Status Code: 200.

Message: OK: False, Error: Channel ID Not Found.

Send Messages

Sends messages to a specified channel or user.

READER NOTE

See Additional Configurations and Setups.

Channel or User ID is a required parameter to run this command.

  • Run the List Channels command to obtain Channel ID. Channel IDs can be found in the returned raw data at the path $.channels[*].id.

  • Run the List Users command to obtain User ID. User IDs can be found the the returned raw data at the path $.members[*].id.

The input parameter Message Thread ID is used for creating reply messages.

  • Run the Send Messages command to obtain Message UID. Message UIDs can be found in the returned raw data at the path $.message.ts. This value is the ID of the parent message you just sent. Input the "ts" value to the Message Thread ID parameter and the desired reply message in the Messages field, along with the same Channel ID. Run this command again to reply to the parent message.

Please note that the API app connection used for the command must be a member of the specified channel.

Input

Input Parameter

Required/Optional

Description

Example

Channel ID

Required

The ID or name of the channel to send the message(s) to. Channel IDs can be obtained using the List Channels command.

*****

Messages

Required

The array of messages to send.

JSON
[ "Hello World", "Awesome Day" ] 

Message Thread ID

Optional

The option to make this message a reply by specifying timestamp (ts) value of the message to reply to. Avoid using a reply message's value, use its parent message instead. Message timestamps can be obtained using the Send Messages command.

*****.*****

Message Blocks

Optional

Defines the JSON-based array of structured blocks to be sent with the message.

JSON
[
    {
        "type": "section",
        "text": {
            "type": "mrkdwn",
            "text": "`inline`, _italic_, *bold*, ~strike~, ```multi-line\nline2```,URL <http://example.com/>,😄"
        }
    }
]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "ok": true,
        "channel": "C0***2",
        "ts": "***",
        "message": {
            "bot_id": "B0***H",
            "type": "message",
            "text": "Hello World",
            "user": "U0***L",
            "ts": "***",
            "team": "T***N",
            "bot_profile": {
                "id": "B0**H",
                "app_id": "A0***A",
                "name": "NEW_APP***",
                "icons": {
                    "image_36": "https://*****.com/*****.png"
                },
                "deleted": false,
                "updated": 1636502594,
                "team_id": "T0***N"
            }
        }
    },
    {
        "ok": true,
        "channel": "C0***2",
        "ts": "***",
        "message": {
            "bot_id": "B0***H",
            "type": "message",
            "text": "Awesome Day",
            "user": "U0***L",
            "ts": "***",
            "team": "T0***N",
            "bot_profile": {
                "id": "B0***H",
                "app_id": "A0***A",
                "name": "NEW_APP***",
                "icons": {
                    "image_36": "https://*****.com/*****.png",
                },
                "deleted": false,
                "updated": 1636502594,
                "team_id": "T0***N"
            }
        }
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "ChannelID": ["C02M27F9WJ2" ],
  "TimeStamp": ["1684864181.974299" ]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

bot_id

B***H

type

message

text

Hello World

user

U***L

ts

***

team

T***N

bot_profile

{'id': 'B***H', 'app_id': 'A0***A', 'name': 'NEW_APP***', 'icons': {'image_36': 'https://*****.com/*****.png', '***': 'https://*****.com/*****.png', '***': 'https://*****.com/*****.png'}, 'deleted': False, 'updated': 1636502594, 'team_id': 'T0***N'}

ChannelID

C***2

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Send Messages failed. An error occurred when calling the Send Messages operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.

Status Code: 200.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: OK: False, Error: Channel ID Not Found.

Error Sample Data

Send Messages failed. An error occurred when calling the Send Messages operation.

Status Code: 200.

Message: OK: False, Error: Channel ID Not Found.

Send Interactivity

Sends an interactivity message to the specified channel.

READER NOTE

See Additional Configurations and Setups.

Channel or User ID is a required parameter to run this command.

  • Run the List Channels command to obtain Channel ID. Channel IDs can be found in the returned raw data at the path $.channels[*].id.

  • Run the List Users command to obtain User ID. User IDs can be found the the returned raw data at the path $.members[*].id.

Message Thread ID is an optional parameter to run this command.

  • Run the Send Interactivity or Send Messages command to obtain Message Thread ID. For both Send interactivity and Send messages, Message Thread IDs can be found in the returned raw data at the path $.ts. Re-running this command with the $.ts value obtained in the initial run will result in a reply to the parent message.

Please note that the API app connection used for the command must be a member of the specified channel.

Input

Input Parameter

Required/Optional

Description

Example

Channel or User ID

Required

The ID or name of the channel to which messages are sent. Channel ID can be obtained using the List Channels command. Alternatively, a message can be sent directly to a user by specifying their User ID. User ID can be obtained using the List Users command.

*****

Message Thread ID

Optional

The timestamp of a parent message to reply. These parent message timestamps can be obtained by running the Send Interactivity or the Send Messages command.

*****.*****

Blocks

Optional

The list of JSON objects that define the Slack message blocks (visual components used to create app layouts). Each message can contain a maximum of 50 blocks. It is not necessary to specify a block_id for each block, as D3 will automatically generate one.

JSON
[
    {
        "type": "section",
        "text": {
            "type": "mrkdwn",
            "text": "*Your task response requires you to complete the below form and submit your choices.*"
        }
    },
    {
        "type": "divider"
    },
    {
        "type": "section",
        "text": {
            "type": "mrkdwn",
            "text": "*Choose one or more actions to submit:*"
        }
    },
    {
        "type": "actions",
        "block_id": "actions1",
        "elements": [
            {
                "type": "checkboxes",
                "options": [
                    {
                        "text": {
                            "type": "mrkdwn",
                            "text": "Activity Confirmed"
                        },
                        "description": {
                            "type": "mrkdwn",
                            "text": "Add your detailed descriptioin here for this option"
                        },
                        "value": "value-0"
                    },
                    {
                        "text": {
                            "type": "mrkdwn",
                            "text": "Add User to Watchlist"
                        },
                        "description": {
                            "type": "mrkdwn",
                            "text": "this is mrkdwn text descriptioin"
                        },
                        "value": "value-1"
                    },
                    {
                        "text": {
                            "type": "mrkdwn",
                            "text": "Block IP Address on Firewall"
                        },
                        "description": {
                            "type": "mrkdwn",
                            "text": "this is mrkdwn text descriptioin"
                        },
                        "value": "value-2"
                    },
                    {
                        "text": {
                            "type": "mrkdwn",
                            "text": "Lock The User's Account"
                        },
                        "description": {
                            "type": "mrkdwn",
                            "text": "this is mrkdwn text descriptioin"
                        },
                        "value": "value-3"
                    }
                ]
            }
        ]
    },
    {
        "type": "divider"
    },
    {
        "type": "section",
        "text": {
            "type": "mrkdwn",
            "text": "*Pick one action to submit:*"
        }
    },
    {
        "type": "actions",
        "elements": [
            {
                "type": "radio_buttons",
                "options": [
                    {
                        "text": {
                            "type": "plain_text",
                            "text": "Activity Confirmed",
                            "emoji": true
                        },
                        "value": "option-0"
                    },
                    {
                        "text": {
                            "type": "plain_text",
                            "text": "Add User to Watchlist",
                            "emoji": true
                        },
                        "value": "option-1"
                    },
                    {
                        "text": {
                            "type": "plain_text",
                            "text": "Block IP Address on Firewall",
                            "emoji": true
                        },
                        "value": "option-2"
                    },
                    {
                        "text": {
                            "type": "plain_text",
                            "text": "Lock The User's Account",
                            "emoji": true
                        },
                        "value": "option-3"
                    }
                ]
            }
        ]
    },
    {
        "type": "divider"
    },
    {
        "type": "input",
        "element": {
            "type": "plain_text_input",
            "multiline": true,
            "action_id": "plain_text_input-action"
        },
        "label": {
            "type": "plain_text",
            "text": "Leave your comment below:",
            "emoji": true
        }
    }
]

Wait for Response

Optional

Whether to wait for an interactive response from the Slack channel after the message is sent. The options are:

  • True

  • False

This parameter is used exclusively when the command is part of a playbook task. When set to True, a submit button will be automatically added to the message blocks.

True

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "ok": true,
    "channel": "*****",
    "ts": "*****.*****",
    "message": {
        "user": "*****",
        "type": "message",
        "ts": "*****.*****",
        "bot_id": "*****",
        "app_id": "*****",
        "text": "Use the below button to submit your response. *Please note that once submitted, later submission(s) won't be re-triggered in D3's playbook task.* Submit your response button, with interactive elements",
        "team": "*****",
        "bot_profile": {
            "id": "*****",
            "app_id": "*****",
            "name": "TaskResponse",
            "icons": {
                "image_36": "https://a.slack-edge.com/80588/img/plugins/app/bot_36.png",
                "image_48": "https://a.slack-edge.com/80588/img/plugins/app/bot_48.png",
                "image_72": "https://a.slack-edge.com/80588/img/plugins/app/service_72.png"
            },
            "deleted": false,
            "updated": 1730834793,
            "team_id": "*****"
        },
        "blocks": [
            {
                "type": "input",
                "block_id": "*****",
                "label": {
                    "type": "plain_text",
                    "text": "Your comment",
                    "emoji": true
                },
                "optional": false,
                "dispatch_action": false,
                "element": {
                    "type": "plain_text_input",
                    "action_id": "plain_text_input-action",
                    "multiline": true,
                    "dispatch_action_config": {
                        "trigger_actions_on": [
                            "on_enter_pressed"
                        ]
                    }
                }
            },
            {
                "type": "divider",
                "block_id": "*****/"
            },
            {
                "type": "section",
                "block_id": "*****",
                "text": {
                    "type": "mrkdwn",
                    "text": "Use the below button to submit your response. *Please note that once submitted, later submission(s) won't be re-triggered in D3's playbook task.*",
                    "verbatim": false
                }
            },
            {
                "type": "actions",
                "block_id": "*****",
                "elements": [
                    {
                        "type": "button",
                        "action_id": "*****",
                        "text": {
                            "type": "plain_text",
                            "text": "Submit your response",
                            "emoji": true
                        },
                        "style": "primary",
                        "value": "TaskResponseSubmit"
                    }
                ]
            }
        ]
    },
    "D3Errors": []
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "ChannelID": "*****",
  "MessageTimestamp": "*****.*****"}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

status

B***H

channel

*****

ts

*****.*****

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Send Interactivity failed. An error occurred when calling the Send Messages operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.

Status Code: 200.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: OK: False, Error: Channel ID Not Found.

Error Sample Data

Send Interactivity failed. An error occurred when calling the Send Interactivity operation.

Status Code: 200.

Message: OK: False, Error: Channel ID Not Found.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

READER NOTE

If the connection uses the OAuth2.0 method for authentication, it is recommended to enable the Connection Health Check option (refer to step 3i of Configuring D3 SOAR to Work with Slack) to alert you when the token expires. You can go to the Slack API portal (refer to step 5 of Configuring Slack to Work with D3 SOAR Method 2 for instructions) and refresh the token for OAuth 2.0 connections.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

SAMPLE DATA

CODE
Successful

Error Handling

If the Return Data is failed, an Error tab will appear in the Test Result window.

The error tab contains the responses from the third-party API calls including including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed. An error occurred when calling the Test Connection operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.

Status Code: 200.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: OK: False, Error: Missing Scope.

Error Sample Data

Test Connection failed. An error occurred when calling the Test Connection operation.

Status Code: 200.

Message: OK: False, Error: Missing Scope.

FAQ

Question1: Why doesn’t my display username in a channel show up as my login username?

Answer: The Slack display username will be your App name when you build connections. It will have an APP tag after the username. You can refer to Configuring Slack to Work with D3 SOAR step 3 for instructions on selecting apps when building a connection. The App names may appear on the Slack user interface after running the following commands: Create Channel, Join Channel, Send Files and Send Messages.

  • For example, after running the Join Channel command, you might see.

Since API_OAuth is the app you used in your connection, you have joined the #general channel with the username API_OAuth.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.