What's the best way to parse Slackbot text output?

richard_perkett · February 10, 2020, 6:48pm

Hi! Ok, so I have my first workflow up and running in Connect (yay) and now I’m trying to get it to do some more things to extend my use cases.

I am using the Slackbot to trigger a workflow and I am seeing that the output is making it’s way into my workflow - and now I need to parse some of the output so I can use it in my next steps.

For example, a user types something like this in a specific Slack channel:
@InsightConnect Bot www.url.com

And I notice the output that comes into my workflow for the slack message text,
[message].[text] is something like this:

<@UTCD2E77V> http://www.url.com|www.url.com

So my question is - what is the best way to take this output and extract or (parse out) only the “www.url.com” part so I can then add steps that will perform further URL analysis on this information.

Let me know - thanks!

-Rich

sean_kelly · February 10, 2020, 7:20pm

Hey Rich! Can you share a screenshot of your step configuration?

jon_schipp · February 10, 2020, 7:31pm

Hey @rperkett, thanks for posting! The simplest thing to do next is to pass the contents of [message].[text] to the ExtractIt plugin’s Domain Extractor action. Turn the subdomain extraction option on by setting the value to true and it will turn your message into an extracted array of domains which you can iterate over at any point in the workflow using the Loop step.

{ "domains": ["www.url.com"]}

In your example above, you had posted an input that looked to be a double-paste or a way of indicating the format could either be the protocol prefix of http or the direct sub-domain. Separated with a | character so assuming the latter:

<@UTCD2E77V> http://www.url.com|www.url.com

In either case, the Domain Extractor will remove any duplicates so passing a single or multiple entries formatted as URLs or domains in a message will work as expected. You can find additional details and features available in the plugin at Rapid7 Extensions

Thanks

richard_perkett · February 10, 2020, 8:46pm

Thanks for the quick replies @jon_schipp & @smkelly_komand!

here are some screenshots…

this is literally what I typed into my test slack channel:

so this is the output i see from Connect:

so then I took your advice and added the Extractit/URLextrator as my next step in the workflow, here’s the input I sent to it:

and here’s the output from it:

for extra credit, here’s the log from the urlparser step:

What do y’all think? [i’m certain it’s user-error]

thx.

jon_schipp · February 10, 2020, 9:40pm

@rperkett Thanks for following up with additional details. It looks like you’ve identified a bug in how the Slack feature operates with the URL being returned along with the original domain you inputted in Slack. We’re investigating this and will follow-up with you when resolved.

Though, I think we can work around this using the latest ExtractIt plugin’s Domain Extractor action if you want the domain only. I was able to pass the same input and return the domain as expected. Correct me if I’m wrong but it looks like you’re using the URL Extraction action instead, based on the naming I see in your screenshots.

Thanks

richard_perkett_simlab · February 10, 2020, 10:12pm

@jon_schipp - glad I could help uncover something!

Yes - you are correct … I switched from the URL Extractor to the Domain Extractor action and I was able to get the array of domains I had sent into the Slack bot as expected.

Victory is mine - thanks for the quick responses - I’ll be sure to follow up should I encounter and additional obstacles.

Cheers!

jon_schipp · August 6, 2020, 11:03pm

We now automatically parse network and security indicators directly from the Slack bot and Microsoft Teams plugins.

You no longer need regex for many common indicators for ChatOps! See more details in our announcements post: