Merge pull request #1387 from TheHive-Project/slack-integration-improvements

Slack responder - Improvements

Author: nusantara-self

responders/Slack/README.md

@@ -18,14 +18,18 @@ This directory contains two Slack responders for TheHive integration:
 - Invites default participants by email
 - Sets channel visibility (private or public)
 - Posts case summary and/or case description (optional)
+- **Automatically tags the case** with `slack:<channel_name>` for easy tracking
 
-### Slack_SyncChannel  
-- Retrieves all conversation history from channels with format `#case-CASEID`
+### Slack_SyncChannel
+- **Syncs all Slack channels tagged with `slack:` prefix** on the case
+- Retrieves all conversation history from tagged channels
+- **Fallback**: If no tags found, uses default format `#case-CASEID`
 - Creates TheHive tasks in "Communication" category with individual task logs for each message
 - Downloads and attaches file attachments (images, documents) to task logs
 - Chronologically ordered messages with timestamps and usernames
 - Prevents duplicate syncing by tracking message timestamps
 - Converts Slack user IDs to readable usernames for better readability
+- **Multi-channel support**: Syncs multiple channels if multiple `slack:` tags exist
 
 ## Preview
 
@@ -85,5 +89,26 @@ This directory contains two Slack responders for TheHive integration:
 
 ## 2. Enable and configure the Responders
 
-Log into your Cortex instance, go to Organization > Responders and enable the desired JIRA responders with the appropriate configuration & API keys.
+Log into your Cortex instance, go to Organization > Responders and enable the desired Slack responders with the appropriate configuration & API keys.
 
+---
+
+## Privacy & Security Considerations
+
+### Channel Tagging
+When `Slack_CreateChannel` runs, it automatically adds a `slack:<channel_name>` tag to the case. This tag:
+- Makes it easy to identify which Slack channel(s) are associated with a case
+- Enables `Slack_SyncChannel` to reliably find channels without reconstructing names
+- Can be manually added to sync additional channels (see warning below)
+
+### Multi-Channel Syncing
+`Slack_SyncChannel` will sync **all** channels that have `slack:` tags on the case:
+- Each channel creates its own separate task in TheHive
+- Partial failures are handled gracefully (some channels may sync, others may fail)
+- Failed channels are reported in the responder output
+
+### Access Control Warning ⚠️
+- The bot can only read channels it has been **invited to**
+- Syncing brings Slack conversations into TheHive: ensure case permissions align with channel access
+- Private Slack channels synced to non-private TheHive cases may expose sensitive information
+- Consider your organization's data governance policies before syncing channels

responders/Slack/slack.py

@@ -69,6 +69,7 @@ def run(self):
                 .lower()
             )
             channel_name = channel_name[:80]
+            self.channel_name = channel_name
 
             headers = {
                 "Authorization": f"Bearer {self.slack_token}",
@@ -192,49 +193,72 @@ def format_tlp(level):
             case_id = self.get_param("data.caseId")
             case_unique_id = self.get_param("data.id")
 
-            # Channel name format: case-CASEID
-            channel_name = (
-                f"{self.channel_prefix}{case_id}".replace(" ", "-")
-                .replace(".", "")
-                .replace(",", "")
-                .lower()
-            )
-            channel_name = channel_name[:80]
+            # Collect all channel names from tags
+            channel_names = []
+            case_tags = self.get_param("data.tags", [])
+            for tag in case_tags:
+                if tag.startswith("slack:"):
+                    channel_names.append(tag[6:])  # Remove "slack:" prefix
+
+            # Fallback to reconstructing channel name if no tags found
+            if not channel_names:
+                channel_name = (
+                    f"{self.channel_prefix}{case_id}".replace(" ", "-")
+                    .replace(".", "")
+                    .replace(",", "")
+                    .lower()
+                )
+                channel_name = channel_name[:80]
+                channel_names.append(channel_name)
 
             headers = {
                 "Authorization": f"Bearer {self.slack_token}",
                 "Content-Type": "application/json",
             }
 
-            # Find the channel
-            channel_id = self.find_existing_channel(channel_name, headers)
-            if not channel_id:
-                self.error(
-                    f"Channel '{channel_name}' not found. Create the channel first."
-                )
+            # Sync all channels
+            synced_channels = []
+            errors = []
 
-            # Get channel conversation history
-            conversation_data = self.get_channel_conversations(channel_id, headers)
+            for channel_name in channel_names:
+                try:
+                    # Find the channel
+                    channel_id = self.find_existing_channel(channel_name, headers)
+                    if not channel_id:
+                        errors.append(f"Channel '{channel_name}' not found")
+                        continue
+
+                    # Get channel conversation history
+                    conversation_data = self.get_channel_conversations(channel_id, headers)
+
+                    # Create or update TheHive task with conversation data
+                    task_id, action = self.create_or_update_thehive_task(
+                        case_unique_id, channel_name, conversation_data
+                    )
 
-            # Create or update TheHive task with conversation data
-            task_id, action = self.create_or_update_thehive_task(
-                case_unique_id, channel_name, conversation_data
-            )
+                    synced_channels.append({
+                        "channel_name": channel_name,
+                        "channel_id": channel_id,
+                        "task_id": task_id,
+                        "action": action
+                    })
+
+                except Exception as e:
+                    errors.append(f"Error syncing '{channel_name}': {str(e)}")
+
+            # Build report
+            if not synced_channels and errors:
+                self.error(f"Failed to sync channels: {', '.join(errors)}")
 
-            # Include debug info in the main report
             report_data = {
-                "channel_name": channel_name,
-                "channel_id": channel_id,
-                "task_id": task_id,
-                "action": action,
-                "message": f"Slack channel `{channel_name}` conversation {action} in TheHive task {task_id}.",
+                "synced_channels": synced_channels,
+                "total_synced": len(synced_channels),
+                "message": f"Synced {len(synced_channels)} channel(s)"
             }
-            
-            # Add debug info if we have it
-            if hasattr(self, '_last_debug_info'):
-                report_data["debug_info"] = self._last_debug_info
-                delattr(self, '_last_debug_info')
-            
+
+            if errors:
+                report_data["errors"] = errors
+
             self.report(report_data)
 
     def get_channel_conversations(self, channel_id, headers):
@@ -705,6 +729,17 @@ def create_or_update_thehive_task(self, case_id, channel_name, conversations):
 
             except Exception as e:
                 self.error(f"Failed to create task: {str(e)}")
+                
+    def operations(self, raw):
+        artifacts = []
+        # AddTagToArtifact ({ "type": "AddTagToArtifact", "tag": "tag to add" }): add a tag to the artifact related to the object
+        # AddTagToCase ({ "type": "AddTagToCase", "tag": "tag to add" }): add a tag to the case related to the object
+        # MarkAlertAsRead: mark the alert related to the object as read
+        # AddCustomFields ({"name": "key", "value": "value", "tpe": "type"): add a custom field to the case related to the object
+        if self.service == "createchannel":
+            if hasattr(self, 'channel_name'):
+                artifacts.append(self.build_operation("AddTagToCase", tag=f"slack:{self.channel_name}"))
+        return artifacts
 
 
 if __name__ == "__main__":