Configure the Slack Notifier

manageConfig Platinum

Configure the Slack notifier in TheHive.

Notifier availability

The Slack notifier is available only when you turn off the Send notification to every user in the organization toggle and use one of the following triggers:

• AnyEvent
• FilteredEvent
• ActionFinished
• CaseClosed
• CaseCreated
• CaseFlagged
• CaseShared
• AlertClosed
• AlertCreated
• AlertImported
• JobFinished
• AlertObservableCreated
• CaseObservableCreated
• ObservableCreated
• TaskClosed
• TaskMandatory

Procedure

1. Go to the Organization view from the sidebar menu.

   

   ---

2. Select the Notifications tab.

   

   ---

3. Select and then Edit.

   ---

4. Select the Slack notifier.

   ---

5. In the Slack drawer, enter the following information:

   - Endpoint

   Using Slack as a notifier requires at least one endpoint. This endpoint defines how TheHive connects to Slack.

   Select an existing endpoint. Endpoints can be local, defined at the organization level, or global, defined at the client level for one or more organizations. You can add a new local endpoint by selecting Add a new endpoint.

   - Text template

   The message content to send to the Slack endpoint. Select JSON, Markdown, or plain text.

   - Channel

   The Slack channel where you want to send the data. This overrides the default channel set in the endpoint configuration.

   - Username

   A username that will appear as the sender of the message in Slack. This overrides the default username set in the endpoint configuration.

   Available variables

   You can use variables in certain fields by selecting Add variable. Refer to the Variable Usage Examples topic for detailed examples.

   Helpers using Mustache syntax

   Data transformation helpers

   Helper	Description	Usage	Output
   tlpLabel	Format the tlp field of the object	{{ tlpLabel object.tlp }}	Amber
   papLabel	Format the pap field of the object	{{ papLabel object.pap }}	Amber
   severityLabel	Format the severity field of the object	{{ severityLabel object.severity }}	Critical
   dateFormat	Format a date field of the object using Java date time patterns	{{dateFormat audit._createdAt "EEEEE dd MMMMM yyyy" "fr" }}	jeudi 01 septembre 2022

   Standard string helpers can be found in the official Handlebars documentation.

   Conditional helpers

   Examples:

   • Displays Medium if case.severity equals 2, otherwise displays Other:

   {{#if (eq case.severity 2) }}
       Medium
   {{else}}
       Other 
   {{/if}}
   

   • Displays the threat actor value only if case.customFieldValues.threat-actor is defined:

   {{#if case.customFieldValues.threat-actor}}
       Threat Actor: {{case.customFieldValues.threat-actor}}
   {{/if}}
   

   Find additional supported operators in the official Handlebars documentation.

   ---

6. Select the Advanced settings checkbox if you want to configure additional options.

   Slack documentation to the rescue

   • Test your integration the postMessage page.
   • Build your blocks with the Slack Block Kit Builder.

   Example of a blocks template: Send notification about case creation

   • Trigger: CaseCreated
   • Notifier: Slack

   [
     {
       "type": "section",
       "text": {
         "type": "mrkdwn",
         "text": "*New Case created: Case #{{object.number}}*"
       }
     },
     {
       "type": "divider"
     },
     {
       "type": "section",
       "text": {
         "type": "mrkdwn",
         "text": "<{{url}}|{{object.title}}> \n :bee: \n {{object.description}}"
       }
     },
     {
       "type": "section",
       "fields": [
         {
           "type": "mrkdwn",
           "text": "*Created by*\n{{object._createdBy}}\n*Assigned to*\n{{object.assignee}}"
         }
       ]
     }
   ]
   

   ---

7. Select Confirm.

Next steps

• Turn Off a Notification
• Delete a Notification