How to do regex for new Slack message trigger?

You guys made a workflow that has this regex for a Slack message

the trigger is @rapid7… quarantine-agent {hostname}

<.> {{action:/. /}}{{agent:/.*/}}

how would you do one for

@rapid7… lookup-email

to extract the email address?

@hayden_redd We will be making Pattern Match easier to use sometime this year but the good news is for Slack and Microsoft Teams triggers we automatically extract common indicators like e-mail addresses, domain names, hashes, etc. from each message and return them in the output.

It returns any number of them as well, so if you enter 10 e-mail addresses in your Slack message it will store them all in the {{[message].[indicators].[email_addresses]}} variable. Then, you can just loop over them. Or, if you only expect one e-mail address, you could avoid a loop by retrieving the first element in subsequent steps in your workflow using indexes, e.g. {{[message].[indicators].[email_addresses].[0]}}, where 0 is the first element (i.e. the first e-mail in a list of e-mails). A fuller example: if you have a list of e-mails that looks like this ["", "", ""], then to retrieve each without a loop, you could manually reference each one:

{{[message].[indicators].[email_addresses].[0]}} #
{{[message].[indicators].[email_addresses].[1]}} #
{{[message].[indicators].[email_addresses].[2]}} #

For the command part, you can also use a variable from the Slack trigger called {{[message].[first_word]}} which contains the first typed text after the @InsightConnect.. bot call. We call that the first word. What you can do is pass that variable to a decision step to match the text of the command e.g. {{[message].[first_word]}} = "lookup-email"



More details about the automatic indicator extraction feature are available here:
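
A small local model of the approach described in the reply above (decide on the first word, then take element [0] of the extracted e-mail list), added here as an illustration; it is not InsightConnect code, and the function names, regexes and sample message are assumptions constructed for this example. It also handles the case where the message contains no address, where referencing index [0] would have nothing to return.

```python
import re

# Slack sends a bot mention as <@USERID> and auto-links a typed address as
# <mailto:addr|label>, so the raw text contains the address twice.
MENTION = re.compile(r"^\s*<@[A-Z0-9]+>\s*")
MAILTO = re.compile(r"<mailto:([^|>]+)(?:\|[^>]*)?>")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample message; the user ID and addresses are made up.
SAMPLE = ("<@U0CONSTRUCTED> lookup-email "
          "<mailto:alice@example.com|alice@example.com> bob@example.org")


def parse_message(text):
    """Build a dict shaped like the trigger variables named in the reply."""
    body = MENTION.sub("", text, count=1)
    body = MAILTO.sub(lambda m: m.group(1), body)  # keep one copy of each address
    words = body.split()
    return {
        "first_word": words[0] if words else "",
        "indicators": {"email_addresses": EMAIL.findall(body)},
    }


def route(text):
    """Decision step on first_word, then element [0] only if the list is non-empty."""
    msg = parse_message(text)
    if msg["first_word"] != "lookup-email":
        return ("ignored", None)
    emails = msg["indicators"]["email_addresses"]
    if not emails:
        return ("error", "no e-mail address in message")
    return ("lookup-email", emails[0])


if __name__ == "__main__":
    print(parse_message(SAMPLE))
    print(route(SAMPLE))
    print(route("<@U0CONSTRUCTED> lookup-email"))
```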