Slack
SocTalk talks to Slack in two ways. Both use the same Slack app credentials but cover different operational needs:
| Backend | Direction | V1 chart wiring |
|---|---|---|
| Webhook notifications | one-way (out) | Code wired only in the legacy entry point (src/soctalk/main.py). The V1 chart's app_v1 does not mount it. Treat the notifications below as the planned wiring; today, posting requires running the legacy orchestrator alongside V1 |
| Socket Mode HIL | two-way | Code present (src/soctalk/hil/backends/slack.py); not wired into V1 either |
The V1 install path's only working HIL surface is the dashboard review queue. The Slack pages below describe the planned wiring for when both backends ship in V1. For the analyst-side review workflow see Human review (HIL).
Create the Slack app
- https://api.slack.com/apps → Create New App → From scratch.
- Name:
SocTalk(or your install's name). Workspace: the one your SOC team uses. - OAuth & Permissions → add Bot Token Scopes:
chat:writechat:write.public(lets the bot post in channels it's not a member of)channels:read- For interactive review:
commands(only if you also want slash commands) andapp_mentions:read.
- Install App → Install to Workspace. Copy the Bot User OAuth Token (
xoxb-…). - (HIL only) Socket Mode → enable. Generate an App-Level Token with
connections:writescope (xapp-…). - (HIL only) Interactivity & Shortcuts → enable. With Socket Mode enabled, you don't need to enter a Request URL.
- (HIL only) Event Subscriptions → enable; subscribe to
interactive_message_actionsandblock_actions. - Invite the bot to your review channel:
/invite @SocTalk.
Webhook notifications
For one-way notifications you only need an Incoming Webhook URL, not the full app dance above. Either:
- Install a separate Incoming Webhooks app to the workspace and grab the URL.
- Or use the app you created above's Incoming Webhooks feature.
Configure
MSSP UI → Settings → Slack:
| Field | Notes |
|---|---|
| Webhook URL | https://hooks.slack.com/services/T…/B…/… |
| Channel | Optional channel override; otherwise the webhook posts to its default channel |
| Notify on escalation | Default on. Posts when a verdict closes as escalate |
| Notify on verdict | Default off. Posts every close-disposition as well — high volume |
There is no API to mutate Slack integration settings in V1 — the V1 chart doesn't mount the legacy PUT /api/settings route. Slack config is environment-only: provide SLACK_WEBHOOK_URL, SLACK_CHANNEL, SLACK_NOTIFY_ON_ESCALATION, and SLACK_NOTIFY_ON_VERDICT as env vars on the soctalk-system-api Deployment.
Slack notifications cover escalation and verdict events only (no notify_on_capacity toggle exists).
Tokens (webhook URL, bot token, app token) are not writable via this endpoint — provide them as environment variables on the orchestrator Deployment (SLACK_WEBHOOK_URL, SLACK_BOT_TOKEN, SLACK_APP_TOKEN) or via Secret-mounted env. Rotate by patching the Secret and rolling the orchestrator.
Message format
Escalation example:
SocTalk · Demo Tenant · [Critical]
T1110 brute-force technique simulated on linux-ep-1
AI verdict: Escalate · confidence: medium · 1 malicious observable
View → https://mssp.your-mssp.example/investigations/abc123Minimal Block Kit; no buttons (those are the HIL backend's job).
Socket Mode HIL
Status: the Slack two-way HIL backend exists in code (
src/soctalk/hil/backends/slack.py) but is not wired into the V1 chart's runtime in this release. The dashboard review queue at/reviewis the only working HIL surface. Treat the Slack HIL setup below as the planned design.
For the analyst review workflow. The same Slack app, plus the App-Level Token. SocTalk's HIL backend opens an outbound WebSocket to Slack — no public endpoint needed; works behind NAT.
Configure
UI toggle (Channel, Enable HIL, notify_on_*) is in MSSP UI → Settings → Slack. Tokens themselves are env-only in this release:
env:
- name: SLACK_BOT_TOKEN
valueFrom: { secretKeyRef: { name: soctalk-slack-creds, key: bot_token } }
- name: SLACK_APP_TOKEN
valueFrom: { secretKeyRef: { name: soctalk-slack-creds, key: app_token } }Per-tenant Slack channel routing is not implemented in this release — the configured install-wide slack_channel receives every review and notification regardless of which tenant the case belongs to. Per-tenant routing is on the roadmap.
What gets posted
When the AI requests human review, SocTalk posts a card to the configured channel:
SocTalk · Demo Tenant · [Critical]
T1110 brute-force technique simulated on linux-ep-1
AI verdict: Escalate (confidence: medium)
Observables:
· 198.51.100.7 (Cortex: malicious, 8/12 analyzers)
· sshd (process)
· alice@linux-ep-1 (user)
[Approve] [Reject] [Needs more info] [View in UI →]Buttons fire block_actions events; the SocTalk HIL backend processes them and writes the decision back to the case state. Reject and Needs-more-info open a modal for the rationale (required).
A future release wires the dashboard and Slack to share review state. In V1 the two backends do not yet share state — if Slack HIL were enabled, the Slack action would not dismiss the dashboard card and vice versa.
Rotate tokens
- In the Slack app's OAuth & Permissions, Reinstall app to rotate the bot token. Copy the new
xoxb-…. - (HIL) Basic Information → App-Level Tokens → revoke + regenerate. Copy the new
xapp-…. - Patch the Secret:bash
kubectl -n soctalk-system patch secret soctalk-slack-creds \ -p '{"data":{"bot_token":"'$(echo -n xoxb-NEW | base64)'","app_token":"'$(echo -n xapp-NEW | base64)'"}}' - Roll the orchestrator:
kubectl -n soctalk-system rollout restart deploy/soctalk-system-api. - The HIL backend reconnects on the new tokens within ~10 s of pod ready.
Troubleshoot
| Symptom | Check |
|---|---|
| Bot doesn't post | `kubectl -n soctalk-system logs deploy/soctalk-system-api |
| HIL buttons return "this action is no longer valid" | The proposal was decided by another path (dashboard or expired). Refresh the card |
| Bot posts but never reacts to button clicks | Socket Mode not enabled, or App-Level Token missing connections:write. Re-create the app token |
| Cards arrive truncated | Block Kit limits a single message to 50 blocks. SocTalk batches long observable lists into multiple cards; you should see a "X observables shown of Y" footer |
Privacy
The Slack message includes observables (IPs, usernames, file hashes). If your workspace has compliance constraints, gate the integration on per-tenant settings or use webhook-only notifications (no observable bodies in those).
Source pointers
| Concept | File |
|---|---|
| Slack webhook notifier | src/soctalk/notifications/slack_webhook.py |
| Slack HIL backend | src/soctalk/hil/backends/slack.py |
| Block Kit templates | src/soctalk/notifications/slack_templates/ |
