Slack

LAST UPDATED: 01/13/2023

Overview

Slack is a channel-based messaging platform that brings all of a team's communication into one place.

D3 SOAR is providing REST operations to function with Slack.

For example, you can list all channels and users, create a new channel or join an existing channel, invite users to join channels, or remove users from a channel, furthermore, you can send messages or get a thread of specific reply messages.

Slack is available for use in:

D3 SOAR	V12.7.83.0+
Category	Email Messaging
Deployment Options	Option II, Option IV

Known Limitations

The Slack platform features and APIs rely on rate limits to help provide a predictably pleasant experience for users. The requests to the Web API are evaluated per method, per workspace. Rate limit windows are per minute.

Please refer to Great rate limits for Web API methods from the Slack API documentation for details.

Connection

To connect Slack from D3 SOAR, please follow this part to collect the required information below:

Parameter	Description	Example
Default
Authentication Type	The type of authentication used for the integration connection. The two options are OAuth 2.0 Authorization code and User OAuth Token (API Token). If you select the OAuth 2.0 Authorization code, please ensure that your app(s) must have enabled the Token Rotation in the Slack API console.	User OAuth Token (API Token)
Authentication Type: User OAuth Token (API Token)
API Token	The API token to authenticate the connection.	xoxp-***-599184199-992764211-**
Authentication Type: OAuth 2.0 Authorization Code
Client ID	The client ID for the OAuth 2.0 authentication.	1160**060.2708**588
Client Secret	The client secret for the OAuth 2.0 authentication.	d2e1**90532**3576
Scope	The scopes to enable for the connection.	users:read,channels:manage,chat:write,files:write,channels:read,channels:join,groups:read,groups:write
Authorization Code	The authorization code for the OAuth2.0 authentication. Click the "Get Authorization" button on the Connection page to automatically generate an authorization code.	**************************.*******************************************************
Callback URL	The callback URL is used for OAuth2.0 with the grant type of authorization code. Add this URL to your app’s Redirect URIs. In the Slack API console, navigate to Your App > OAuth & Permissions > Redirect URLs. This parameter is read-only and auto-generated.	https://D3PlatformURL/VSOC/Auth2Callback.aspx
Refresh Token	The refresh token for authentication with the grant type of authorization code. Click the "Get Refresh Token" button on the Connection page to automatically generate a refresh token. This parameter is read-only and auto-generated.	xoxe-1-******************************************************************************************************************

Permission Requirements

Each endpoint in the Slack API requires a certain permission scope. The following scopes are required scopes for each command in this integration:

Please refer to the Known Limitations section for Rate Limits details. Refer to Web API methods to get Slack required scopes.

Command	Required Permission
Archive Channel	Scopes: channels:write, groups:write Rate Limits: Tier 2
Create Channel	Scopes: channels:write, groups:write, im:write, mpim:write Rate Limits: Tier 2
Get Reply Messages	Scopes: channels:history, groups:history, im:history, mpim:history Rate Limits: Tier 3
Get User Details	Scopes: users:read Rate Limits: Tier 4
Invite Users To Channel	Scopes: channels:write, groups:write, im:write, mpim:write Rate Limits: Tier 3
Join Channel	Scopes: channels:write Rate Limits: Tier 3
List Channel Members	Scopes: channels:read, groups:read, im:read, mpim:read Rate Limits: Tier 4
List Channels	Scopes: channels:read, groups:read, im:read, mpim:read Rate Limits: Tier 2
List Users	Scopes: users:read Rate Limits: Tier 2
Remove Users From Channel	Scopes: channels:write, groups:write, im:write, mpim:write Rate Limits: Tier 3
Send Files	Scopes: files:write, files:write:user Rate Limits: Tier 2
Send Messages	Scopes: chat:write, chat:write:user, chat:write:bot Rate Limits: Special (generally allows posting one message per second per channel)
Test Connection	Scopes: users:read Rate Limits: Tier 2

Configuring Slack to Work with D3 SOAR

Method 1

Authenticating with an OAuth 2.0 Authorization Code:

Log in to the Slack portal at https://slack.com.
Then launch to your workspace.
Go to the Slack API Console at https://api.slack.com/apps?new_app=1&ref=bolt_start_hub. Under Your Apps, click on the app you wish to configure.
Click on App Manifest under Features found on the left sidebar menu. Ensure the token_rotation_enabled field is set to true. This enables the refresh token to rotate the access token. Click Save Changes.
Click on Basic Information under Settings of the left sidebar menu. Under the App Credentials section, copy and save the Client ID and Client Secret. You can revisit this page to view the Client ID and Client Secret again by clicking Show.
Click on OAuth & Permissions on the left sidebar menu, then Add New Redirect URL under Redirect URLs.
The redirect URL can be obtained from the connection page in D3 SOAR. Input the redirect URL then click Add. Click Save URLs to save the configuration.
Under the Scopes section, add the following scopes required for a connection with D3 SOAR: channels:read, channels:manage, chat:write, files:write, users:read, groups:history.

Method 2

Authenticating with a User OAuth Token (API token):

Log in to the Slack portal at https://slack.com.
Then launch to your workspace.
Go to the Slack API Console at https://api.slack.com/apps?new_app=1&ref=bolt_start_hub. Under Your Apps, click on the app you wish to configure.
Click on App Manifest under Features found on the left sidebar menu. Ensure the token_rotation_enabled field is set to false. If this field is set to false, a Refresh Token will be provided instead of a User OAuth Token in the next step.
Click on OAuth & Permissions under Features on the left sidebar menu. Copy and save the OAuth Token. You can revisit this page again to view the OAuth Token.

Configuring D3 SOAR to Work with Slack

Log in to D3 SOAR.
Find the Slack integration.
1. Navigate to Configuration on the top header menu.
2. Click on the Integration icon on the left sidebar.
3. Type Slack in the search box to find the integration, then click it to select it.
4. Click + New Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Slack.
1. Connection Name: The desired name for the connection.
2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
5. Description (Optional): Add your desired description for the connection.
6. Configure User Permissions: Defines which users have access to the connection.
7. Active: Check the tick box to ensure the connection is available for use.
8. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
  1. Auth Type 1. Select the Authentication Type: OAuth 2.0 Authorization Code
    1. Copy the Client ID from the Slack platform (Refer to Configuring Slack to Work with D3 SOAR Method 1 of step 5).
    2. Copy the Client Secret from the Slack platform (Refer to Configuring Slack to Work with D3 SOAR Method 1 of step 5).
    3. The default value of the Scope is users:read,channels:manage,chat:write,files:write,channels:read,channels:join,groups:read,groups:write. Please refer to Configuring Slack to Work with D3 SOAR Method 1 step 8 for how to set up scopes on the Slack API platform and check the Permission Requirements for the scopes that are needed.
    4. Copy D3 Callback URL, and paste it into the Slack Redirect URLs section. Please refer to Configuring Slack to Work with D3 SOAR Method 1 step 6 to 7 for setups.
    5. Click the Get Authorization button. Confirm if the scopes are correct and then click the Allow button.
    6. It does not need to copy the Authorization Code on the redirect page. Please follow the instructions. Closing this window will not affect the OAuth authentication procedure.
    7. Click the Get Refresh Token button, and the Refresh Token and Authorization Code will be set automatically.
  2. Auth Type 2. Select the Authentication Type: User OAuth Token (API Token)
    1. Copy the OAuth Token from the Slack platform and set it to the input Field API Token. (Refer to Configuring Slack to Work with D3 SOAR Method 2 step 5).
9. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
  To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Test the connection.
1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
2. Click OK to close the alert window.
3. Click + Add to create and add the configured connection.

Commands

Slack includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Slack API, please refer to the Installing with OAuth and Web API methods.

READER NOTE

Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring Slack to Work with D3 SOAR for details.

Slack customized error response

The error response of slack API requests are packed in the API response with HTTP status code 200. The command execution success/failure will be indicated by the key “OK” in returned JSON data.

The failed Slack API response format looks like this:

Please refer to Using the Slack Web API>Evaluating responses for more detailed explanations.

Note for Time-related parameters

The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:

Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose your desired date and time format.

After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.

Archive Channel

Archives a public or a private channel. The archived channel’s message history will be retained and searchable.

READER NOTE

Channel ID is a required parameter to run this command.

Run the List Channels command to obtain Channel ID. Channel IDs can be found in the returned raw data at the path $.channels[*].id.

Please note that the #general channel cannot be archived by using this command. The #general channel can’t be archived, deleted, or converted to a private channel. Archive #general channel will result in an error: “can't archive general” in D3 SOAR.

Please refer to Slack Archive or delete a channel for more details.

Input

Input Parameter	Required/Optional	Description	Example
Channel ID	Required	The ID of the channel to archive. Channel IDs can be obtained using the List Channels command.	C0***HY

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "channelID": "C0***Y",
    "actionResult": "Closed the channel successfully"
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

channelID	C0***Y
actionResult	Closed the channel successfully

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Archive Channel failed. An error occurred when calling the Archive Channel operation.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.	Status Code: 200.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: OK: False, Error: Channel ID Not Found.

Error Sample Data

Archive Channel failed. An error occurred when calling the Archive Channel operation.

Status Code: 200.

Message: OK: False, Error: Channel ID Not Found.

Create Channel

Creates a new channel based on the provided name.

READER NOTE

You will automatically join the created channel. The display username depends on the app you used for your connection. See the FAQ for more details.

Input

Input Parameter	Required/Optional	Description	Example
Channel Name	Required	The name of the channel. Note: Channel names can only contain lowercase letters, numbers, hyphens, and underscores, and must be 80 characters or less.	test2021***a
Is Private	Optional	The option to set the channel as private.	True

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "ok": true,
    "channel": {
        "id": "C0***8",
        "name": "test2021***",
        "is_channel": true,
        "is_group": false,
        "is_im": false,
        "is_mpim": false,
        "is_private": false,
        "created": 1636861057,
        "is_archived": false,
        "is_general": false,
        "unlinked": 0,
        "name_normalized": "test2021***",
        "is_shared": false,
        "is_org_shared": false,
        "is_pending_ext_shared": false,
        "pending_shared": [],
        "parent_conversation": null,
        "creator": "U02LUMZTMUL",
        "is_ext_shared": false,
        "shared_team_ids": [
            "T01***N"
        ],
        "pending_connected_team_ids": [],
        "is_member": true,
        "last_read": "0000000000.000000",
        "topic": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "purpose": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "previous_names": [],
        "priority": 0
    }
}

Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.channel in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE

{
        "id": "C0***8",
        "name": "test2021***",
        "is_channel": true,
        "is_group": false,
        "is_im": false,
        "is_mpim": false,
        "is_private": false,
        "created": 1636861057,
        "is_archived": false,
        "is_general": false,
        "unlinked": 0,
        "name_normalized": "test2021***",
        "is_shared": false,
        "is_org_shared": false,
        "is_pending_ext_shared": false,
        "pending_shared": [],
        "parent_conversation": null,
        "creator": "U02LUMZTMUL",
        "is_ext_shared": false,
        "shared_team_ids": [
            "T01***N"
        ],
        "pending_connected_team_ids": [],
        "is_member": true,
        "last_read": "0000000000.000000",
        "topic": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "purpose": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "previous_names": [],
        "priority": 0
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "ChannelID": "C0***8"
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id	C0***8
name	test2021***
is_channel	True
is_group	False
is_im	False
is_mpim	False
is_private	False
created	1636861057
is_archived	False
is_general	False
unlinked	0
name_normalized	test20211***
is_shared	False
is_org_shared	False
is_pending_ext_shared	False
pending_shared	[]
parent_conversation	None
creator	U0***UL
is_ext_shared	False
shared_team_ids	T01***7N
pending_connected_team_ids	[]
is_member	True
last_read	0000000000.000000
topic	{'value': '', 'creator': '', 'last_set': 0}
purpose	{'value': '', 'creator': '', 'last_set': 0}
previous_names	[]
priority	0

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Create Channel failed. An error occurred when calling the Create Channel operation.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.	Status Code: 200.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: OK: False, Error: Invalid Channel ID.

Error Sample Data

Create Channel failed. An error occurred when calling the Create Channel operation.

Status Code: 200.

Message: OK: False, Error: Invalid Channel ID.

Get Reply Messages

Retrieves a thread of messages posted to a conversation. These messages are replied to with a specified message unique identifier(Message Timestamps).

READER NOTE

Channel ID and Message UID are required parameters to run this command.

Run the List Channels command to obtain Channel ID. Channel IDs can be found in the returned raw data at the path $.channels[*].id.
Run the Send Messages command to obtain Message UID. Message UIDs can be found in the returned raw data at the path $.message.ts.

Please note that the Channel ID must match to Message UID. D3 suggests you to run List Channel first to get the Channel you want to use, then use that Channel ID to run the Send Message command. Use the pair of Channel ID and Message UID to run this command.

Input

Input Parameter	Required/Optional	Description	Example
Channel ID	Required	The ID of the channel to retrieve reply messages from. Channel IDs can be obtained using the List Channels command.	C0***H
Message UID	Required	The unique identifier timestamp of a thread’s parent message or a message in the thread. Message UIDs can be obtained using the Send Messages command.	16*.0*0
Earliest Time	Optional	The start time of the time range to retrieve reply messages in UTC time.	2022-01-01 00:00
Latest Time	Optional	The end time of the time range to retrieve reply messages in UTC.	2022-06-01 00:00
Limit	Optional	The maximum number of records to return. If the input value is invalid (i.e., negative number, 0, characters or symbols) or the parameter is not defined, the default value of 20 will be used. The maximum input value for this field is 100; however, the recommended value is between 1 to 200.	2
Next Page	Optional	The pagination value of the parameter with the next_cursor attribute returned by a previous request's response_metadata. The “Limit” parameter specifies the maximum number of return records output. The Next Page input parameter outputs the next set of messages while confined to the defined “Limit” parameter. For example, for a given message, there are four replies. You set the “Limit” parameter to 2 so the command outputs the most recent two reply messages. The resulting output raw data has a “next_cursor” value (last JSON key-value pair of the raw data) which can be used for this parameter to run the command again to output the remaining two messages with an earlier timestamp.	bm***DAw

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "ok": true,
    "messages": [
        {
            "client_msg_id": "***-***-***-***-***",
            "type": "message",
            "text": "Start conversation.......",
            "user": "***",
            "ts": "***",
            "team": "***",
            "blocks": [
                {
                    "type": "rich_text",
                    "block_id": "***",
                    "elements": [
                        {
                            "type": "rich_text_section",
                            "elements": [
                                {
                                    "type": "text",
                                    "text": "Start conversation......."
                                }
                            ]
                        }
                    ]
                }
            ],
            "thread_ts": "***",
            "reply_count": 4,
            "reply_users_count": 2,
            "latest_reply": "1643238010.002600",
            "reply_users": [
                "***",
                "***"
            ],
            "is_locked": false,
            "subscribed": true,
            "last_read": "1643237610.001500"
        },
        {
            "client_msg_id": "***-***-***-***-***",
            "type": "message",
            "text": "Hello, I replied you again and again.",
            "user": "***",
            "ts": "**",
            "team": "***",
            "blocks": [
                {
                    "type": "rich_text",
                    "block_id": "***",
                    "elements": [
                        {
                            "type": "rich_text_section",
                            "elements": [
                                {
                                    "type": "text",
                                    "text": "Hello, I replied you again and again."
                                }
                            ]
                        }
                    ]
                }
            ],
            "thread_ts": "***",
            "parent_user_id": "***"
        }
            ],
            "thread_ts": "***",
            "parent_user_id": "***"
        }
    ],
    "has_more": true,
    "response_metadata": {
        "next_cursor": "***"
    }
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "MessageTimestamps": [
        "1643237701.002000",
        "1643238010.002600"
    ],
    "ReplyUserIDs": [
        "***",
        "***"
    ],
    "NextPage": "bm***Aw"
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ok	True
messages	{'client_msg_id': '*----', 'type': 'message', 'text': 'Start conversation.......', 'user': '', 'ts': '1643237610.001500', 'team': '', 'blocks': [{'type': 'rich_text', 'block_id': '', 'elements': [{'type': 'rich_text_section', 'elements': [{'type': 'text', 'text': 'Start conversation.......'}]}]}], 'thread_ts': '', 'reply_count': 4, 'reply_users_count': 2, 'latest_reply': '1643238010.002600', 'reply_users': ['', ''], 'is_locked': False, 'subscribed': True, 'last_read': '1643237610.001500'} {'client_msg_id': '----', 'type': 'message', 'text': 'Hello, I replied you again and again.', 'user': 'U030F3S4PUL', 'ts': '1643237701.002000', 'team': 'T014QFASG7N', 'blocks': [{'type': 'rich_text', 'block_id': '', 'elements': [{'type': 'rich_text_section', 'elements': [{'type': 'text', 'text': 'Hello, I replied you again and again.'}]}]}], 'thread_ts': '1643237610.001500', 'parent_user_id': '*'}
has_more	True
response_metadata	{'next_cursor': '***'}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get Reply Messages failed. An error occurred when calling the Get Reply Messages operation.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.	Status Code: 200.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: OK: False, Error: Channel ID Not Found.

Error Sample Data

Get Reply Messages failed. An error occurred when calling the Get Reply Messages operation.

Status Code: 200.

Message: OK: False, Error: Channel ID Not Found.

Get User Details

Retrieves detailed information about the specified users.

READER NOTE

The parameter User IDs is required to run this command.

Run the List Users command to obtain User IDs. User IDs can be found the the returned raw data at the path $.members[*].id.
When logging into Slack, the User ID of that account can be found by clicking the top right profile icon > Profile > > Copy member ID. Member ID is equivalent to User ID.

Input

Input Parameter	Required/Optional	Description	Example
User IDs	Required	The IDs of the users to return details. User IDs can be obtained using the List Users command.	[ "U0***V" ]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

[
    {
        "ok": true,
        "user": {
            "id": "U***V",
            "team_id": "T0***7N",
            "name": "***",
            "deleted": false,
            "color": "9f69e7",
            "real_name": "***",
            "tz": "America/Los_Angeles",
            "tz_label": "Pacific Standard Time",
            "tz_offset": -28800,
            "profile": {
                "title": "",
                "phone": "",
                "skype": "",
                "real_name": "***",
                "real_name_normalized": "***",
                "display_name": "",
                "display_name_normalized": "",
                "fields": null,
                "status_text": "",
                "status_emoji": "",
                "status_emoji_display_info": [],
                "status_expiration": 0,
                "avatar_hash": "***",
                "image_24": "https://secure.gravatar.com/avatar/***.jpg?s=***",
                "status_text_canonical": "",
                "team": "***"
            },
            "is_admin": true,
            "is_owner": true,
            "is_primary_owner": true,
            "is_restricted": false,
            "is_ultra_restricted": false,
            "is_bot": false,
            "is_app_user": false,
            "updated": 1603889636,
            "is_email_confirmed": true,
            "who_can_share_contact_card": "EVERYONE"
        }
    }
]

Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.[*].users in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE

{
            "id": "U***V",
            "team_id": "T0***7N",
            "name": "***",
            "deleted": false,
            "color": "9f69e7",
            "real_name": "***",
            "tz": "America/Los_Angeles",
            "tz_label": "Pacific Standard Time",
            "tz_offset": -28800,
            "profile": {
                "title": "",
                "phone": "",
                "skype": "",
                "real_name": "***",
                "real_name_normalized": "***",
                "display_name": "",
                "display_name_normalized": "",
                "fields": null,
                "status_text": "",
                "status_emoji": "",
                "status_emoji_display_info": [],
                "status_expiration": 0,
                "avatar_hash": "***",
                "image_24": "https://secure.gravatar.com/avatar/***.jpg?s=***",
                "status_text_canonical": "",
                "team": "***"
            },
            "is_admin": true,
            "is_owner": true,
            "is_primary_owner": true,
            "is_restricted": false,
            "is_ultra_restricted": false,
            "is_bot": false,
            "is_app_user": false,
            "updated": 1603889636,
            "is_email_confirmed": true,
            "who_can_share_contact_card": "EVERYONE"
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "UserIDs": [
        "U***V"
    ],
    "UserNames": [
        "***"
    ],
    "IsBots": [
        false
    ]
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ID	TEAM_ID	NAME	DELETED	COLOR	REAL_NAME	TZ	TZ_LABEL	TZ_OFFSET	PROFILE	IS_ADMIN	IS_OWNER	IS_PRIMARY_OWNER	IS_RESTRICTED	IS_ULTRA_RESTRICTED	IS_BOT	IS_APP_USER	UPDATED	IS_EMAIL_CONFIRMED	WHO_CAN_SHARE_CONTACT_CARD
U***5V	T***N	***	False	9f69e7	***	America/Los_Angeles	Pacific Standard Time	-28800		True	True	True	False	False	False	False	1603889636	True	EVERYONE

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get User Details failed. An error occurred when calling the Get User Details operation.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.	Status Code: 200.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: OK: False, Error: User ID Not Found.

Error Sample Data

Get User Details failed. An error occurred when calling the Get User Details operation.

Status Code: 200.

Message: OK: False, Error: User ID Not Found.

Invite Users To Channel

Invites specified users to a channel.

READER NOTE

Channel IDs and User IDs are required parameters to run this command.

Run the List Channels command to obtain Channel ID. Channel IDs can be found in the returned raw data at the path $.channels[*].id.
Run the List Users command to obtain User ID. User IDs can be found the the returned raw data at the path $.members[*].id.

Please note that the API APP connection used for the command must be a member of the specified channel.

Input

Input Parameter	Required/Optional	Description	Example
Channel ID	Required	The ID of the channel to invite the users to. Channel IDs can be obtained using the List Channels command.	C0***Y
User IDs	Required	The IDs of the users to invite to the specified channel. User IDs can be obtained using the List Users command.	[ "U***5" ]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "ok": true,
    "channel": {
        "id": "C***2",
        "name": "test2021***",
        "is_channel": true,
        "is_group": false,
        "is_im": false,
        "is_mpim": false,
        "is_private": false,
        "created": 1636865987,
        "is_archived": false,
        "is_general": false,
        "unlinked": 0,
        "name_normalized": "test2021***",
        "is_shared": false,
        "is_org_shared": false,
        "is_pending_ext_shared": false,
        "pending_shared": [],
        "parent_conversation": null,
        "creator": "U***L",
        "is_ext_shared": false,
        "shared_team_ids": [
            "T0***N"
        ],
        "pending_connected_team_ids": [],
        "is_member": true,
        "last_read": "0000000000.000000",
        "topic": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "purpose": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "previous_names": []
    }
}

Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.channel in API returned JSON. D3 also enriches the context data from the original Slack API response by adding the UserIDs field to indicate the input User IDs.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE

{
    "id": "C0***2",
    "name": "test2021***",
    "is_channel": true,
    "is_group": false,
    "is_im": false,
    "is_mpim": false,
    "is_private": false,
    "created": 1636865987,
    "is_archived": false,
    "is_general": false,
    "unlinked": 0,
    "name_normalized": "test2021**",
    "is_shared": false,
    "is_org_shared": false,
    "is_pending_ext_shared": false,
    "pending_shared": [],
    "parent_conversation": null,
    "creator": "U**L",
    "is_ext_shared": false,
    "shared_team_ids": [
        "T0***N"
    ],
    "pending_connected_team_ids": [],
    "is_member": true,
    "last_read": "0000000000.000000",
    "topic": {
        "value": "",
        "creator": "",
        "last_set": 0
    },
    "purpose": {
        "value": "",
        "creator": "",
        "last_set": 0
    },
    "previous_names": [],
    "UserIDs": [
        "U***5"
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "ChannelID": "C***2",
    "UserIDs": [
        "U0**5"
    ]
}

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration

The API returned an error message

No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id	C0**2
name	test2021**
is_channel	True
is_group	False
is_im	False
is_mpim	False
is_private	False
created	1636865987
is_archived	False
is_general	False
unlinked	0
name_normalized	test20211***
is_shared	False
is_org_shared	False
is_pending_ext_shared	False
pending_shared	[]
parent_conversation	None
creator	U0***L
is_ext_shared	False
shared_team_ids	T0***N
pending_connected_team_ids	[]
is_member	True
last_read	0000000000.000000
topic	{'value': '', 'creator': '', 'last_set': 0}
purpose	{'value': '', 'creator': '', 'last_set': 0}
previous_names	[]
UserIDs	U0***5

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Invite Users To Channel failed. An error occurred when calling the Invite Users To Channel operation.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.	Status Code: 200.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: OK: False, Error: Channel ID Not Found.

Error Sample Data

Invite Users To Channel failed. An error occurred when calling the Get User Details operation.

Status Code: 200.

Message: OK: False, Error: Channel ID Not Found.

Join Channel

Joins an existing conversation.

READER NOTE

Channel ID is a required parameter to run this command.

Run the List Channels command to obtain Channel ID. Channel IDs can be found in the returned raw data at the path $.channels[*].id.

Please note:

Same account can only join the same channel once. If you see a warning: already_in_channel in D3 SOAR, please check if you are using the same connection.
Other than checking from Slack UI, users can check whether the channels are private by running List Channels command. You can find related information in Raw Data>find the Channel ID you want to use>find ”is private” key under that id>false means it’s not a private channel; true means it’s a private channel.

Input

Input Parameter	Required/Optional	Description	Example
Channel ID	Required	The ID of the channel to join. Channel IDs can be obtained using the List Channels command. Note: Private channels cannot be joined with this command.	C0***W

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "ok": true,
    "channel": {
        "id": "C0***Y",
        "name": "test2021***",
        "is_channel": true,
        "is_group": false,
        "is_im": false,
        "is_mpim": false,
        "is_private": false,
        "created": 1636496508,
        "is_archived": false,
        "is_general": false,
        "unlinked": 0,
        "name_normalized": "test2021***",
        "is_shared": false,
        "is_org_shared": false,
        "is_pending_ext_shared": false,
        "pending_shared": [],
        "parent_conversation": null,
        "creator": "U0***X",
        "is_ext_shared": false,
        "shared_team_ids": [
            "T0***N"
        ],
        "pending_connected_team_ids": [],
        "is_member": true,
        "topic": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "purpose": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "previous_names": [],
        "priority": 0
    },
    "warning": "already_in_channel",
    "response_metadata": {
        "warnings": [
            "already_in_channel"
        ]
    }
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "ChannelName": "test2021***"
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ok	True
channel	{'id': 'C0*Y', 'name': 'test2021', 'is_channel': True, 'is_group': False, 'is_im': False, 'is_mpim': False, 'is_private': False, 'created': 1636496508, 'is_archived': False, 'is_general': False, 'unlinked': 0, 'name_normalized': 'test2021', 'is_shared': False, 'is_org_shared': False, 'is_pending_ext_shared': False, 'pending_shared': [], 'parent_conversation': None, 'creator': 'U0X', 'is_ext_shared': False, 'shared_team_ids': ['T0**7N'], 'pending_connected_team_ids': [], 'is_member': True, 'topic': {'value': '', 'creator': '', 'last_set': 0}, 'purpose': {'value': '', 'creator': '', 'last_set': 0}, 'previous_names': [], 'priority': 0}
warning	already_in_channel
response_metadata	{'warnings': ['already_in_channel']}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Join Channel failed. An error occurred when calling the Join Channel operation.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.	Status Code: 200.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: OK: False, Error: Channel ID Not Found.

Error Sample Data

Join Channel failed. An error occurred when calling the Join Channel operation.

Status Code: 200.

Message: OK: False, Error: Channel ID Not Found.

List Channel Members

Retrieves members from a specified channel.

READER NOTE

Channel ID is a required parameter to run this command.

Run the List Channels command to obtain Channel ID. Channel IDs can be found in the returned raw data at the path $.channels[*].id.

Input

Input Parameter	Required/Optional	Description	Example
Channel ID	Required	The ID of the channel to list members from. Channel IDs can be obtained using the List Channels command.	C0***Y

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "ok": true,
    "members": [
        "U0***X",
        "U0***L"
    ],
    "response_metadata": {
        "next_cursor": ""
    }
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "UserIDs": [
        "U02***X",
        "U0***L"
    ]
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ok	True
members	U0*X U0*L
response_metadata	{'next_cursor': ''}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Channel Members failed. An error occurred when calling the List Channel Members operation.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.	Status Code: 200.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: OK: False, Error: Channel ID Not Found.

Error Sample Data

List Channel Members failed. An error occurred when calling the List Channel Members operation.

Status Code: 200.

Message: OK: False, Error: Channel ID Not Found.

List Channels

Lists all channels in a Slack team.

READER NOTE

Channels satisfying any one of the specified channel types as defined by the Types parameter will be returned. In other words, the returned list channels may not satisfy all of the specified criteria. For instance, if the input value for the Types parameter is public_channel, private_channel, all public and private channels will be returned.

Input

Input Parameter	Required/Optional	Description	Example
Types	Optional	A comma-separated list of the channel types to filter results. The valid input values are public_channel, private_channel, mpim, and im. The default value is public_channel.	public_channel,private_channel

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "ok": true,
    "channels": [
        {
            "id": "C0***B",
            "name": "***",
            "is_channel": true,
            "is_group": false,
            "is_im": false,
            "created": 1590789443,
            "is_archived": false,
            "is_general": false,
            "unlinked": 0,
            "name_normalized": "***",
            "is_shared": false,
            "parent_conversation": null,
            "creator": "U0***V",
            "is_ext_shared": false,
            "is_org_shared": false,
            "shared_team_ids": [
                "T0***N"
            ],
            "pending_shared": [],
            "pending_connected_team_ids": [],
            "is_pending_ext_shared": false,
            "is_member": false,
            "is_private": false,
            "is_mpim": false,
            "topic": {
                "value": "",
                "creator": "",
                "last_set": 0
            },
            "purpose": {
                "value": "",
                "creator": "",
                "last_set": 0
            },
            "previous_names": [],
            "num_members": 6
        }
    ],
    "response_metadata": {
        "next_cursor": ""
    }
}

Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.channels in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE

[
    {
        "id": "C0***B",
        "name": "***",
        "is_channel": true,
        "is_group": false,
        "is_im": false,
        "created": 1590789443,
        "is_archived": false,
        "is_general": false,
        "unlinked": 0,
        "name_normalized": "***",
        "is_shared": false,
        "parent_conversation": null,
        "creator": "U0***V",
        "is_ext_shared": false,
        "is_org_shared": false,
        "shared_team_ids": [
            "T0***N"
        ],
        "pending_shared": [],
        "pending_connected_team_ids": [],
        "is_pending_ext_shared": false,
        "is_member": false,
        "is_private": false,
        "is_mpim": false,
        "topic": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "purpose": {
            "value": "",
            "creator": "",
            "last_set": 0
        },
        "previous_names": [],
        "num_members": 6
    }
]

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "ChannelIDs": [
        "C0***1"
    ],
    "ChannelNames": [
        "***"
    ]
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ID	NAME	IS_CHANNEL	IS_GROUP	IS_IM	CREATED	IS_ARCHIVED	IS_GENERAL	UNLINKED	NAME_NORMALIZED	IS_SHARED	PARENT_CONVERSATION	CREATOR	IS_EXT_SHARED	IS_ORG_SHARED	SHARED_TEAM_IDS	PENDING_SHARED	PENDING_CONNECTED_TEAM_IDS	IS_PENDING_EXT_SHARED	IS_MEMBER	IS_PRIVATE	IS_MPIM	TOPIC	PURPOSE	PREVIOUS_NAMES	NUM_MEMBERS
C0***B	***	True	False	False	1590789443	False	False	0	***	False	None	U***V	False	False	['T***N']	[]	[]	False	False	False	False	{'value': '', 'creator': '', 'last_set': 0}	{'value': '', 'creator': '', 'last_set': 0}	[]	6

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Channels failed. An error occurred when calling the List Channels operation.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.	Status Code: 200.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: OK: False, Error: Invalid types.

Error Sample Data

List Channels failed. An error occurred when calling the List Channels operation.

Status Code: 200.

Message: OK: False, Error: Invalid types.

List Users

Lists all users in a Slack team.

READER NOTE

If no input parameters are defined, the command will return up to 1,000 users without filtering by role.
The Limit input parameter sets the maximum number of users to return. The default value is 1,000, but you may change it to any value (greater or less than 1,000).

Input

Input Parameter	Required/Optional	Description	Example
Role	Optional	The role of the users to list.	Workspace Admin
Limit	Optional	The maximum number of records to return. If the input value is invalid (i.e., negative number, 0, characters or symbols) or the parameter is not defined, the default value of 1,000 will be used.	2

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "ok": true,
    "members": [
        {
            "id": "U***V",
            "team_id": "T0***N",
            "name": "***",
            "deleted": false,
            "color": "9f69e7",
            "real_name": "***",
            "tz": "America/Los_Angeles",
            "tz_label": "Pacific Daylight Time",
            "tz_offset": -25200,
            "profile": {
                "title": "",
                "phone": "",
                "skype": "",
                "real_name": "***",
                "real_name_normalized": "***",
                "display_name": "",
                "display_name_normalized": "",
                "fields": null,
                "status_text": "",
                "status_emoji": "",
                "status_expiration": 0,
                "avatar_hash": "gd***4",
                "image_24": "https://secure.gravatar.com/avatar/***.jpg?s=***",
                "image_32": "https://secure.gravatar.com/avatar/**.jpg?s=***",
                "status_text_canonical": "",
                "team": "T0***N"
            },
            "is_admin": true,
            "is_owner": true,
            "is_primary_owner": true,
            "is_restricted": false,
            "is_ultra_restricted": false,
            "is_bot": false,
            "is_app_user": false,
            "updated": 1603889636,
            "is_email_confirmed": true,
            "who_can_share_contact_card": "EVERYONE"
        }
    ],
    "cache_ts": **,
    "response_metadata": {
        "next_cursor": ""
    }
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "UserIDs": [
        "U0***V"
    ],
    "UserNames": [
        "***"
    ]
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE

No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Users failed. An error occurred when calling the List Users operation.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.	Status Code: 200.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: OK: False, Error: Missing scope.

Error Sample Data

List Users failed. An error occurred when calling the List Users operation.

Status Code: 200.

Message: OK: False, Error: Missing scope.

Remove Users From Channel

Removes the specified users from a channel.

READER NOTE

User IDs and Channel ID are required parameters to run this command.

Run the List Users command to obtain User IDs. User IDs can be found the the returned raw data at the path $.members[*].id.
Run the List Channels command to obtain Channel ID. Channel IDs can be found in the returned raw data at the path $.channels[*].id. List Channel Members is also suggested to get the member in the specific channel, in order to make sure the user you want to remove is in the channel.

Please note that the API app connection used for the command must be a member of the specified channel.

Input

Input Parameter	Required/Optional	Description	Example
User IDs	Required	The IDs of the users to remove from the specified channel. User IDs can be obtained using the List Users command.	[ "U0***5" ]
Channel ID	Required	The ID of the channel to remove the specified users from. Channel IDs can be obtained using the List Channels command.	C0***Y

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

[
    {
        "ok": true
    }
]

Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 enriches the context data from the original Slack API response by adding the ChannelID field to indicate the input Channel ID, adding the UserID field to indicate the input User IDs, and adding the ActionResult field to indicate whether the users have been removed from specified channel successfully.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE

[
    {
        "ChannelID": "C0***2",
        "UserID": "U0***5",
        "ActionResult": "Removed from the channel successfully"
    }
]

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "ChannelID": "C0***2",
    "UserIDs": [
        "U0***5"
    ]
}

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration

The API returned an error message

No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CHANNELID	USERID	ACTIONRESULT
C0***2	U0***5	Removed from the channel successfully

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Remove Users From Channel failed. An error occurred when calling the Remove Users From Channel operation.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.	Status Code: 200.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: OK: False, Error: User ID Not Found.

Error Sample Data

Remove Users From Channel failed. An error occurred when calling the Remove Users From Channel operation.

Status Code: 200.

Message: OK: False, Error: User ID Not Found.

Send Files

Shares file(s) on the specified channel(s).

READER NOTE

The parameter Channel IDs is required to run this command.

Run the List Channels command to obtain Channel IDs. Channel IDs can be found in the returned raw data at the path $.channels[*].id.

Please note that the API app connection used for the command must be a member of the specified channel.

It is not recommended to use the Test Command feature with the Submit Sample Files command as it is designed for dynamic input files in Playbooks, Incident Attachments, and Artifact Attachments. There is a simple workaround to test the command:

In D3 SOAR, navigate to Configuration on the top bar menu.
Click Utility Commands on the left sidebar menu.
Use the search box to find and select the Create a File from input Text Array command.
Select the Test tab, then input the required information for the parameters. Click Test Command.

A D3 File ID will appear in the output data after the file has been successfully created..

(Note: The D3 File Source of the created file will be Playbook File)

Input

Input Parameter	Required/Optional	Description	Example
Channel IDs	Required	The IDs or names of the channels to send files to. Channel ID can be obtained using the List Channels command.	C0***2
D3 File IDs	Required	The file path of the file source. The options for file paths are: Incident Attachment: Incident.file.file ID Playbook File: Task output Artifact File: Incident.Events.file.file ID	[ "20" ]
D3 File Source	Required	The file source of the file to send. The options for file sources are: Incident Attachment File: Manually uploaded file from Incident Playbook File: Output from another Task Artifact File: Ingested Artifact in an Event	Playbook File

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

[
    {
        "ok": true,
        "file": {
            "id": "F0***V",
            "created": 1636867965,
            "timestamp": 1636867965,
            "name": "Blue Jays.png",
            "title": "Blue Jays",
            "mimetype": "image/png",
            "filetype": "png",
            "pretty_type": "PNG",
            "user": "U0***L",
            "editable": false,
            "size": 3840,
            "mode": "hosted",
            "is_external": false,
            "external_type": "",
            "is_public": true,
            "public_url_shared": false,
            "display_as_bot": false,
            "username": "",
            "url_private": "https://files.slack.com/files-pri/***.png",
            "url_private_download": "https://files.slack.com/files-pri/***/download/***.png",
            "media_display_type": "unknown",
            "thumb_360_w": 225,
            "thumb_360_h": 225,
            "thumb_160": "https://files.slack.com/files-tmb/***/***.png",
            "original_w": 225,
            "original_h": 225,
            "thumb_tiny": "***+**/***/***/***/**//2Q==",
            "permalink": "https://d3cyber.slack.com/files/**/**/**.png",
            "permalink_public": "https://slack-files.com/*-**-**",
            "comments_count": 0,
            "is_starred": false,
            "shares": {
                "public": {
                    "C***2": [
                        {
                            "reply_users": [],
                            "reply_users_count": 0,
                            "reply_count": 0,
                            "ts": "***",
                            "channel_name": "test2021**",
                            "team_id": "T***N",
                            "share_user_id": "U***L"
                        }
                    ]
                }
            },
            "channels": [
                "C0***"
            ],
            "groups": [],
            "ims": [],
            "has_rich_preview": false
        }
    }
]

Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.[*].file in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE

{
            "id": "F0***V",
            "created": 1636867965,
            "timestamp": 1636867965,
            "name": "Blue Jays.png",
            "title": "Blue Jays",
            "mimetype": "image/png",
            "filetype": "png",
            "pretty_type": "PNG",
            "user": "U0***L",
            "editable": false,
            "size": 3840,
            "mode": "hosted",
            "is_external": false,
            "external_type": "",
            "is_public": true,
            "public_url_shared": false,
            "display_as_bot": false,
            "username": "",
            "url_private": "https://files.slack.com/files-pri/***.png",
            "url_private_download": "https://files.slack.com/files-pri/***/download/***.png",
            "media_display_type": "unknown",
            "thumb_360_w": 225,
            "thumb_360_h": 225,
            "thumb_160": "https://files.slack.com/files-tmb/***/***.png",
            "original_w": 225,
            "original_h": 225,
            "thumb_tiny": "***+**/***/***/***/**//2Q==",
            "permalink": "https://d3cyber.slack.com/files/**/**/**.png",
            "permalink_public": "https://slack-files.com/*-**-**",
            "comments_count": 0,
            "is_starred": false,
            "shares": {
                "public": {
                    "C***2": [
                        {
                            "reply_users": [],
                            "reply_users_count": 0,
                            "reply_count": 0,
                            "ts": "***",
                            "channel_name": "test2021**",
                            "team_id": "T***N",
                            "share_user_id": "U***L"
                        }
                    ]
                }
            },
            "channels": [
                "C0***"
            ],
            "groups": [],
            "ims": [],
            "has_rich_preview": false
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "FileIDs": [
        "F0***V"
    ]
}

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration

The API returned an error message

No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ID	CREATED	TIMESTAMP	NAME	TITLE	MIMETYPE	FILETYPE	PRETTY_TYPE	USER	EDITABLE	SIZE	MODE	IS_EXTERNAL	EXTERNAL_TYPE	IS_PUBLIC	PUBLIC_URL_SHARED	DISPLAY_AS_BOT	USERNAME	URL_PRIVATE	URL_PRIVATE_DOWNLOAD	MEDIA_DISPLAY_TYPE	THUMB_64	THUMB_80	THUMB_360	THUMB_360_W	THUMB_360_H	THUMB_160	ORIGINAL_W	ORIGINAL_H	THUMB_TINY	PERMALINK	PERMALINK_PUBLIC	COMMENTS_COUNT	IS_STARRED	SHARES	CHANNELS	GROUPS	IMS	HAS_RICH_PREVIEW
F***V	1636867965	1636867965	Blue Jays.png	Blue Jays	image/png	png	PNG	U***L	False	3840	hosted	False		True	False	False				unknown	https://files.slack.com/files-tmb/T*GV-a*png	https://files.slack.com/files-tmb/--/*.png	https://files.slack.com/files-tmb/*--/*.png	225	225	https://files.slack.com/files-tmb/&--/**.png	225	225		https://*.slack.com/files///**.png	https://slack-files.com/*--***	0	False	{'public': {'*': [{'reply_users': [], 'reply_users_count': 0, 'reply_count': 0, 'ts': '', 'channel_name': 'test20211', 'team_id': '', 'share_user_id': '**'}]}}	['***']	[]	[]	False

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Send Files failed. An error occurred when calling the Send Files operation.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.	Status Code: 200.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: OK: False, Error: Channel ID Not Found.

Error Sample Data

Send Files failed. An error occurred when calling the Send Files operation.

Status Code: 200.

Message: OK: False, Error: Channel ID Not Found.

Send Messages

Sends message(s) to a specified channel.

READER NOTE

Channel or User ID is a required parameter to run this command.

Run the List Channels command to obtain Channel ID. Channel IDs can be found in the returned raw data at the path $.channels[*].id.
Run the List Users command to obtain User ID. User IDs can be found the the returned raw data at the path $.members[*].id.

The input parameter Message Thread ID is used for creating reply messages.

Run the Send Messages command to obtain Message UID. Message UIDs can be found in the returned raw data at the path $.message.ts. This value is the ID of the parent message you just sent. Input the “ts” value to the Message Thread ID parameter and the desired reply message in the Messages field, along with the same Channel ID. Run this command again to reply to the parent message.

Please note that the API app connection used for the command must be a member of the specified channel.

Input

Input Parameter	Required/Optional	Description	Example
Channel ID	Required	The ID or name of the channel to send the message(s) to. Channel IDs can be obtained using the List Channels command.	test2021***
Messages	Required	The array of messages to send.	[ "Hello World", "Awesome Day" ]
Message Thread ID	Optional	The option to make this message a reply by specifying timestamp (ts) value of the message to reply to. Avoid using a reply message's value, use its parent message instead. Message timestamps can be obtained using the Send Messages command.	167.5*9
Message Blocks	Optional	Defines the JSON-based array of structured blocks to be sent with the message.	CODE [ { "type": "section", "text": { "type": "mrkdwn", "text": "`inline`, _italic_, bold, ~strike~, ```multi-line\nline2```,URL <http://example.com/>,😄" } } ]
Message Attachments	Optional	Defines the JSON-based array of structured attachments to be sent with the message.	CODE `[ { "text": "Who wins the lifetime supply of chocolate?", "fallback": "You could be telling the computer exactly what it can do with a lifetime supply of chocolate.", "color": "#3AA3E3", "attachment_type": "default", "callback_id": "select_simple_1234", "actions": [ { "name": "winners_list", "text": "Who should win?", "type": "select", "data_source": "users" } ] } ]`

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

[
    {
        "ok": true,
        "channel": "C0***2",
        "ts": "***",
        "message": {
            "bot_id": "B0***H",
            "type": "message",
            "text": "Hello World",
            "user": "U0***L",
            "ts": "***",
            "team": "T***N",
            "bot_profile": {
                "id": "B0**H",
                "app_id": "A0***A",
                "name": "NEW_APP***",
                "icons": {
                    "image_36": "https://a.slack-edge.com/***/img/plugins/app/***.png"
                },
                "deleted": false,
                "updated": 1636502594,
                "team_id": "T0***N"
            }
        }
    },
    {
        "ok": true,
        "channel": "C0***2",
        "ts": "***",
        "message": {
            "bot_id": "B0***H",
            "type": "message",
            "text": "Awesome Day",
            "user": "U0***L",
            "ts": "***",
            "team": "T0***N",
            "bot_profile": {
                "id": "B0***H",
                "app_id": "A0***A",
                "name": "NEW_APP***",
                "icons": {
                    "image_36": "https://a.slack-edge.com/***/img/plugins/app/***.png",
                },
                "deleted": false,
                "updated": 1636502594,
                "team_id": "T0***N"
            }
        }
    }
]

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
  "ChannelID": ["C02M27F9WJ2" ],
  "TimeStamp": ["1684864181.974299" ]
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

bot_id	type	text	user	ts	team	bot_profile	ChannelID
B***H	message	Hello World	U***L	***	T***N	{'id': 'B*H', 'app_id': 'A0A', 'name': 'NEW_APP', 'icons': {'image_36': 'https://a.slack-edge.com//img/plugins/app/.png', '': 'https://a.slack-edge.com//img/plugins/app/.png', '': 'https://a.slack-edge.com//img/plugins/app/.png'}, 'deleted': False, 'updated': 1636502594, 'team_id': 'T0*N'}	C***2

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Send Messages failed. An error occurred when calling the Send Messages operation.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.	Status Code: 200.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: OK: False, Error: Channel ID Not Found.

Error Sample Data

Send Messages failed. An error occurred when calling the Send Messages operation.

Status Code: 200.

Message: OK: False, Error: Channel ID Not Found.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

READER NOTE

If the connection uses the OAuth2.0 method for authentication, it is recommended to enable the Connection Health Check option (refer to step 3i of Configuring D3 SOAR to Work with Slack) to alert you when the token expires. You can go to the Slack API portal (refer to step 5 of Configuring Slack to Work with D3 SOAR Method 2 for instructions) and refresh the token for OAuth 2.0 connections.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

SAMPLE DATA

CODE

Successful

Error Handling

If the Return Data is failed, an Error tab will appear in the Test Result window.

The error tab contains the responses from the third-party API calls including including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Test Connection failed. An error occurred when calling the Test Connection operation.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Slack portal. Refer to the HTTP Status Code Registry for details.	Status Code: 200.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: OK: False, Error: Missing Scope.

Error Sample Data

Test Connection failed. An error occurred when calling the Test Connection operation.

Status Code: 200.

Message: OK: False, Error: Missing Scope.

FAQ

Question1: Why doesn’t my display username in a channel show up as my login username?

Answer: The Slack display username will be your App name when you build connections. It will have an

tag after the username. You can refer to Configuring Slack to Work with D3 SOAR Method 1 or Method 2 step 3 for instructions on selecting apps when building a connection. The App names may appear on the Slack user interface after running the following commands: Create Channel, Join Channel, Send Files and Send Messages.

For example, you might see
after running the Join Channel command.

Since API_OAuth is the app you used in your connection, you have joined the #general channel with the username API_OAuth.