How to do regex for new slack message trigger?

you guys made a workflow that has this regex for a slack message

the trigger is @rapid7… quarantine-agent {hostname}

<.> {{action:/. /}}{{agent:/.*/}}

how would you do one for

@rapid7… lookup-email test@test.com

to extract the email address?

@hayden_redd We will be making Pattern Match easier to use sometime this year but the good news is for Slack and Microsoft Teams triggers we automatically extract common indicators like e-mail addresses, domain names, hashes, etc. from each message and return them in the output.

It returns any number of them as well, so if you enter 10 e-mail addresses in your Slack message it will store them all in the {{[message].[indicators].[email_addresses]}} variable. Then, you can just loop over them. Or, if you only expect one e-mail address, you could avoid a loop by retrieving the first element in subsequent steps in your workflow using indexes, e.g. {{[message].[indicators].[email_addresses].[0]}}, where 0 is the first element (i.e. the first e-mail in a list of e-mails).

A fuller example: if you have a list of e-mails that looks like this ["user1@example.com", "user2@excample.com", "user3@example.com"], then to retrieve each without a loop, you could manually reference each one:

{{[message].[indicators].[email_addresses].[0]}} # user1@example.com
{{[message].[indicators].[email_addresses].[1]}} # user2@excample.com
{{[message].[indicators].[email_addresses].[2]}} # user3@example.com

For the command part, you can also use a variable from the Slack trigger called {{[message].[first_word]}} which contains the first typed text after the @InsightConnect.. bot call. We call that the first word. What you can do is pass that variable to a decision step to match the text of the command e.g. {{[message].[first_word]}} = "lookup-email"


More details around the automatic indicator extraction feature are available here: https://docs.rapid7.com/insightconnect/trigger-workflows-with-slack-chatops/#trigger-workflows-with-slack-chatops
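
The approach from the reply above, as an added example (not Rapid7's code and not part of the original thread): a Python sketch that derives a `first_word` and an `email_addresses` list from a raw Slack message, then checks the command and the list length before using index `[0]`. The Slack user ID, the command allowlist, the function names and the e-mail regex are assumptions for illustration; InsightConnect's own extraction logic is not shown on this page.

```python
import re

# Slack sends a bot mention as <@U...> and auto-links e-mail addresses as
# <mailto:addr|label>; both wrappers are removed before parsing.
MENTION = re.compile(r"<@[A-Z0-9]+>")
MAILTO = re.compile(r"<mailto:([^|>]+)(?:\|[^>]*)?>")
# Simplified e-mail pattern (assumption, not the product's extractor).
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

ALLOWED_COMMANDS = {"lookup-email"}  # hypothetical allowlist for the decision step


def parse_message(raw):
    """Build a dict shaped like the trigger output described in the reply."""
    text = MAILTO.sub(r"\1", raw)                   # unwrap <mailto:...|...>
    text = MENTION.sub("", text, count=1).strip()   # drop the bot mention
    words = text.split()
    first_word = words[0] if words else ""
    # De-duplicate while keeping the order the addresses were typed in.
    emails = list(dict.fromkeys(e.lower() for e in EMAIL.findall(text)))
    return {"first_word": first_word, "indicators": {"email_addresses": emails}}


def route(message):
    """Decision step: match the command, then guard the [0] index."""
    command = message["first_word"]
    emails = message["indicators"]["email_addresses"]
    if command not in ALLOWED_COMMANDS:
        return ("reject", "unknown command")
    if len(emails) != 1:
        # Indexing [0] on an empty list fails; more than one is ambiguous here.
        return ("reject", "expected exactly one e-mail address")
    return (command, emails[0])


if __name__ == "__main__":
    # Constructed sample message; the user ID is a placeholder.
    sample = "<@U0000000000> lookup-email <mailto:test@test.com|test@test.com>"
    print(route(parse_message(sample)))
```
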