Using Slack

This page shows you how to install and use Slack to manage alerts and ongoing incidents in your response team's IRM Workspace.

Prerequisites

Before you can install and use the Slack app for your IRM Workspace, complete the following prerequisite steps:

  1. Ensure that your IRM Workspace has enabled the Stackdriver Incident Management & Response API (irm.googleapis.com).

    For details, see Enabling APIs.

  2. Make sure your IRM Workspace is whitelisted for the alpha release of IRM.

  3. Ensure that you have the correct Cloud IAM role, Monitoring Admin, for the IRM Workspace.

    For details on configuring Cloud IAM for your IRM Workspace, go to Setting up a Workspace: Grant Workspace permissions.

  4. In Slack, select the Slack Workspace that you intend to integrate with your IRM Workspace. Note that the Slack Workspace selector defaults to the last Slack Workspace with which you interacted.

  5. In your intended Slack Workspace, follow the instructions to create a new Slack user account named IRM-bot.

    This user account is to be associated with the IRM Slack app, rather than with a human user.

    In the next section, you use this Slack user account to install the IRM Slack app.

Installation

After you have completed the prerequisites, install Slack for your IRM Workspace by doing the following:

  1. Navigate to the IRM console dashboard:

    Go to the IRM dashboard

  2. Click Settings.

  3. Select Slack integration. You see the Slack integration panel.

  4. Click Add to Slack. You are directed to an authorization panel in Slack.

  5. In the Slack panel, select the Slack Workspace that you intend to integrate with IRM. Note that the Slack Workspace selector defaults to the last Slack Workspace with which you interacted.

  6. Click Allow. You're redirected to the Slack integration panel in the IRM console. You see a message, "The IRM Slack app is configured for this Workspace".

  7. Under Alert channel, select a Slack channel. Use auto-fill typing to select from your available Slack channels.

    Incoming alerts for this IRM Workspace will be sent to this Slack channel.

  8. Click Save.

  9. Follow the Slack login prompts to authorize the Slack app.

    The first time you use the Slack bot, it prompts you to log into your Google account. After this, the Slack app is installed for IRM and your Slack user is associated with your Google account.

  10. You see IRM-bot as a new contact in your Slack Workspace.

Manage alerts in Slack

Now that you've installed the Slack app, you're ready to view and manage new alerts for your IRM Workspace, similar to how you manage your alerts in the IRM console.

The Slack bot posts incoming alerts from your IRM Workspace into the Slack channel:

New alert in Slack channel

Each alert post features the following information:

The following sections describe how IRM and Slack behave when you take action on an alert.

Acknowledge alerts and create new incidents

In the alert's post, you can select Ack & create new incident. This opens a Create incident panel where you can edit the incident's title and severity, as well as add an investigation update.

After you click Create, a new Slack channel, unique to the incident and labeled with the incident title you provided, appears in your Slack workspace. Within this incident's channel, you can manage the incident.

Add alerts to existing incidents

If you think an alert pertains to an existing incident, select Add to existing in the alert's post. This opens the Add to incident panel, where you can select from the incidents available in the IRM Workspace.

Acknowledge alerts

To only acknowledge an alert without assigning it to an incident, expand the More menu and select Acknowledge.

You can further examine the alert and take action on it in the IRM console by clicking on the alert's URL that appears in the Slack channel.

Dismiss alerts

If the alert is a false positive, expand the More menu and select Dismiss. This opens an Update panel that prompts you to type in an investigation update. Investigation updates facilitate continuous learning and help to identify any trends among common false-positive alerts.

After you click Dismiss, the alert is acknowledged and added to an incident with severity Negligible and stage set to Resolved.

The alert's URL also appears in the Slack channel. Clicking on the URL takes you to the IRM console, where you can further examine the alert and take any necessary further action.

Manage incidents in Slack

Similar to the IRM console, you can manage your incidents from alert detection to incident resolution from your Slack channel.

Incident data appears in your alerts channel when you interact with an incident. If you create a new incident in the alerts channel, the new incident's Slack channel, labeled with the incident title you provided, appears in your Slack workspace.

Each incident overview lists the following information if it is available:

Incident data in Slack channel

Update incident data

You can edit incident data directly from your Slack channels. All changes made in the Slack channel are reflected in the IRM console. Note that if you change or create an incident in IRM, you won't see any corresponding updates in the Slack channel, unless the Slack channel is subscribed to the incident.

When an incident is first posted to the incident-specific Slack channel, the initial incident overview contains a Take action menu:

Update incident data in Slack channel

Expand the Take action menu to do the following:

  • Add alerts
  • Add tags
  • Add roles
  • Add investigation updates
  • Edit summary

In addition, this menu links to both the alert details view, pointing to information about the alert from which this incident was created, and the underlying alerting policy.

Commands

You can also use the following commands to edit incident data and help manage ongoing incidents in Slack:

Command          Function
/irm help        Prints a list of commands with brief descriptions of what they do.
/irm stage       Sets the stage of the incident.
/irm summary     Sets the summary of the incident.
/irm title       Sets the title of the incident.
/irm tags        Adds a tag to the incident.
/irm overview    Prints top-level information for the incident (e.g. Summary).
/irm update      Adds a new investigation update to the incident.
/irm severity    Sets the severity of the incident.
/irm alerts      Lists all alerts added to the current incident channel.
/irm add-alert   Adds an alert to the incident.
/irm role        Assigns a user with a role to the incident.

Any commands run within an incident channel affect only that incident. These commands won't work in non-incident channels.

Resolve incidents

Once you have verified that conditions have returned to normal, or that the incident otherwise no longer requires an active response, you can mark the incident Resolved. Do the following within the incident channel:

  1. Type /irm stage. A panel appears.

  2. In Update stage > New stage, select Resolved.

  3. Add an investigation update.

  4. Click Update.

If you later need to return to a stage, use the /irm stage command again and update the stage as needed.

Archive incident channels

When you have resolved an incident, you can archive its incident-specific Slack channel. Do the following within the incident channel:

  1. Locate the message, "Archive channel".

    This message was generated when you resolved the incident.

  2. Click Archive channel.

The incident channel is now archived and won't show up in your Slack workspace's list of active channels. For more information, go to the Slack documentation.