Setting up a Workflow in Slack
Follow these recommended steps to set up a workflow in Slack that receives an incoming Webhook and posts it as a message to a Slack channel.
You may receive the Webhook through other implementations. The Platform allows outgoing Webhooks to *hooks.slack.com* domains.
This guide for Workflows uses Incidents as the publication entity example. Adjust your Workflow setup for Vulnerabilities and Threat Events as required.
Create a Workflow from your Slack application
- Click + and select Workflow, or find Workflows under … and Automations. Define a Workflow with a name, description and Truesec logo.
  Upload this logo as you create the Workflow:
- Select the event From a webhook

- In the Choose how to start the workflow step, define all Incident variables to receive. Data Type should be Text. These need to be added one by one and will be added to the message body in the next step.

| Variable | Description |
| --- | --- |
| workspaceName | Name of Workspace for incident publication |
| id | Incident ID with Workspace prefix |
| url | Link to incident in Workspace |
| severity | Incident Severity |
| publishedDateTime | Publication date of incident |
| subject | Incident Subject |
| created | Creation date and time of incident |
| lastUpdated | Last update of incident |
| summary | Incident Summary |
| status | Incident Status |
| technicalDetails | Incident Technical Details field |
| recommendedAction | Incident Recommended Actions field |
| alertConfigurationItems | Incident Configuration Items: User(s), Host(s), .. |
| alertIds | Truesec related alert ID |
| tags | Truesec tag(s) of incident & related alerts |
| sourceUrls | Link(s) to source platform alert |

- Continue and, in the next step, add Send a message to a channel under the Messages category.
- Select your receiving channel and paste the below Truesec template for the Slack message in its entirety. Replace the placeholders with the variables defined in the previous step, via { } Insert a variable. This ensures the Incidents are presented in Slack with full details. You may change the message and variables as required.

  :small_orange_diamond: New Incident
  [Replace with { } workspaceName] / [Replace with { } id]
  [Replace with { } subject]

  Severity
  [Replace with { } severity]

  Configuration Items
  [Replace with { } alertConfigurationItems]

  Summary
  [Replace with { } summary]

  Technical Details
  [Replace with { } technicalDetails]

  Recommended Action
  [Replace with { } recommendedAction]

  Alert source
  [Replace with { } sourceURLs]

  The incident needs to be resolved in the Truesec Portal with closure note to ensure full alignment with Truesec SOC. If you have any questions or need help with this incident, contact the SOC or your Technical Account Manager. Call the SOC at +46 (0) 8 10 00 77.
- Define two buttons at the end of the message to facilitate incident management for your team. Select Open Link as the behavior first.

  Button label: Go to Truesec Portal
  Select color green
  Behavior: Open link
  Select the URL variable via { }

  Button label: E-mail Truesec SOC
  Select color white
  Behavior: Open link
  mailto:support@truesec.com
- Review your workflow steps and select Finish Up to review the complete workflow and permissions. Publish your workflow.
- You’re all done in Slack.
Find your Web request URL under your workflow start event. You’ll need this to activate the outgoing Webhook in the Truesec Platform, and to test your workflow from the Workspace.
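To exercise the published workflow independently of the Platform, the following added example (not Truesec or Slack code) builds a test payload with every variable from the table as text and posts it to the Web request URL. It assumes the webhook accepts a flat JSON object keyed by the variable names, that the host is exactly hooks.slack.com, and a hypothetical `SLACK_WORKFLOW_URL` environment variable holding the URL, which is kept out of the script because anyone holding it can post to the channel.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

# The Text variables defined in the "Choose how to start the workflow" step.
INCIDENT_VARIABLES = (
    "workspaceName", "id", "url", "severity", "publishedDateTime", "subject",
    "created", "lastUpdated", "summary", "status", "technicalDetails",
    "recommendedAction", "alertConfigurationItems", "alertIds", "tags",
    "sourceUrls",
)

def check_webhook_url(url):
    """Accept only an HTTPS URL on hooks.slack.com (exact host is an assumption)."""
    parts = urlsplit(url)
    if (parts.scheme != "https" or parts.hostname != "hooks.slack.com"
            or parts.username or parts.password or parts.port not in (None, 443)):
        raise ValueError("expected an https://hooks.slack.com/ Web request URL")
    return url

def build_test_payload(values):
    """Return a flat payload in which every workflow variable is a text value."""
    unknown = sorted(set(values) - set(INCIDENT_VARIABLES))
    if unknown:
        raise ValueError(f"not defined in the workflow: {unknown}")
    payload = {}
    for name in INCIDENT_VARIABLES:
        value = values.get(name, "")
        if isinstance(value, (list, tuple)):  # Data Type is Text: join lists
            value = ", ".join(map(str, value))
        payload[name] = str(value)
    return payload

def send_test(url, payload, timeout=10):
    """POST the payload as JSON and return the HTTP status code."""
    request = urllib.request.Request(
        check_webhook_url(url), data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status

# Constructed sample incident; none of these values come from a real Workspace.
SAMPLE = {"workspaceName": "Example Workspace", "id": "EX-0001",
          "url": "https://portal.example.invalid/incidents/EX-0001",
          "severity": "High", "subject": "Constructed test incident",
          "alertConfigurationItems": ["user@example.invalid", "HOST-01"]}

if __name__ == "__main__":
    print(send_test(os.environ["SLACK_WORKFLOW_URL"], build_test_payload(SAMPLE)))
```

A message appearing in the receiving channel with the constructed values in the expected places confirms that the variable names in the workflow match the keys being sent.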
The next step is to configure your outgoing webhook.