Slack Actions

Actions for Slack #

• Post on Slack. Sends data (output fields) from the specified records (selected with a query) to a Slack channel.

Use Cases #

Below are the possible use cases for the Post on Slack action:

• You can send messages about high-risk alerts or incidents to specific Slack channels. For example, you could send a message to the SecOps slack channel for immediate attention. The message could tell the team to check Lucidum for the new list of assets with a zero-day vulnerability. The message includes the number of assets with zero-day vulnerabilities.

Prerequisites #

Before you can execute the action Post on Slack, you must first enable incoming incoming webhooks on Slack and then copy the URL for incoming webhooks. For details, see https://api.slack.com/messaging/webhooks.

Workflows #

• Creating a new Configuration and a new Action
• Cloning an Existing Action
• Creating a new Action from the Location Results page
• Editing a Configuration
• Editing an Action
• Viewing Information about an Action

Slack Configuration #

• Configuration Name. Identifier for the Configuration. This name will appear in the Lucidum Action Center.

• Webhook URL. The URL on slack that listens for webhooks from Lucidum. For details on generating a webhook URL, see https://api.slack.com/messaging/webhooks.

Create or Edit an Action #

To create an action for Slack:

1. In the Create a New Action page, in the General step, enter:

   

   • Action Type. Select an action from the pulldown options.

   • Configuration Name. Select an action configuration from the pulldown options.

   • Action Name. Identifier for the action. This name will appear in the Lucidum Action Center.

   • Description. Description of the action.

2. Click the Next (>) icon.

3. In the Filters page, click Configure Filters.

   

4. The Build a Query page appears.

   

5. In the Build a Query page, you define the query for the assets or users that the action will act upon.

6. Click Next.

7. In the Build a Current Query page, enter the fields, operators, and values for the query. For existing actions, the query is already loaded in this page.

   
8. For details on creating and editing queries in Lucidum, see the section on Building Queries.

   NOTE: To optimize performance, the default time range is Current. If you need to access historical data, contact Lucidum Custom Success for help on using historical data without affecting performance.

9. Click the Apply (page and pencil) icon.

10. Click the Next (>) icon.

11. In the Schedule step, enter:

    

    • Schedule Type. Define the schedule for the action. Choices are:

      • Recurrence. Specify a frequency for the recurring schedule.

      • After Data Ingestion. The action is executed after data ingestion, which happens at least once every 24 hours and can also be triggered manually.

    • Do not trigger the action unless. Specify the number of results from Filters as a prerequisite for executing the action.

12. Click the Next (>) icon.

13. In the Details step, enter the following:

    

    • Output Fields. For the records selected with the Filters field, specify the columns to display. The selected columns are included in log entries for the action. To see which column you can include, when creating or editing the query, you can view all available fields in the Query Results page > Edit Column button.

    • Message. The message to send to slack, in Jinga format. The field includes a default Jinja template that you can edit. For details on Jinja, see https://jinja.palletsprojects.com/en/3.1.x/templates/.

Slack Message #

Here’s how the message from a Slack action appears in Slack:

To download and view the logs for Slack actions, see the section on Action Logs.

Here’s an example of a downloaded log for a Slack action: