This page shows you how to install and use Slack to manage alerts and ongoing incidents in your response team's IRM Workspace.
Before you can install and use the Slack app for your IRM Workspace, complete the following prerequisite steps:
Ensure that your IRM Workspace has enabled the Stackdriver Incident Management & Response API (
For details, see Enabling APIs.
Make sure your IRM Workspace is whitelisted for the alpha release of IRM.
Ensure that you have the correct Cloud IAM role, Monitoring Admin, for the IRM Workspace.
For details on configuring Cloud IAM for your IRM Workspace, go to Setting up a Workspace: Grant Workspace permissions.
In Slack, select the Slack Workspace that you intend to integrate with your IRM Workspace. Note that the Slack Workspace selector defaults to the last Slack Workspace with which you interacted.
In your intended Slack Workspace, follow the instructions to create a new Slack user account.
This user account is to be associated with the IRM Slack app, rather than with a human user.
In the next section, you use this Slack user account to install the IRM Slack app.
After you have completed the prerequisites, install Slack for your IRM Workspace by doing the following:
Navigate to the IRM console dashboard:
Click Settings.
Select Slack integration. You see the Slack integration panel.
Click Add to Slack. You are directed to an authorization panel in Slack.
In the Slack panel, select the Slack Workspace that you intend to integrate with IRM. Note that the Slack Workspace selector defaults to the last Slack Workspace with which you interacted.
Click Allow. You're redirected to the Slack integration panel in the IRM console. You see a message, "The IRM Slack app is configured for this Workspace".
Under Alert channel, select a Slack channel. Use auto-fill typing to select from your available Slack channels.
Incoming alerts for this IRM Workspace will be sent to this Slack channel.
Follow the Slack login prompts to authorize the Slack app.
The first time you use the Slack bot, it prompts you to log into your Google account. After this, the Slack app is installed for IRM and your Slack user is associated with your Google account.
You see IRM-bot as a new contact in your Slack Workspace.
Manage alerts in Slack
Now that you've installed the Slack app, you're ready to view and manage new alerts for your IRM Workspace, similar to how you manage your alerts in the IRM console.
The Slack bot posts incoming alerts from your IRM Workspace into the Slack channel:
Each alert post features the following information:
- Alert title
- Alert status
- Timestamp of when the violation started
- Alert summary
- Links to Cloud Logging, Metrics Explorer, and the underlying alerting policy, scoped to the context of the alert
- A list of similar incidents
The following sections describe how IRM and Slack behave when you take action on an alert.
Acknowledge alerts and create new incidents
In the alert's post, you can select Ack & create new incident. This opens a Create incident panel where you can edit the incident's title and severity, as well as add an investigation update.
After you click Create, a new Slack channel, unique to the incident and labeled with the incident title you provided, appears in your Slack workspace. Within this incident's channel, you can manage the incident.
Add alerts to existing incidents
If you think an alert pertains to an existing incident, select Add to existing in the alert's post. This opens the Add to incident panel, where you can select from the incidents available in the IRM Workspace.
To acknowledge an alert without assigning it to an incident, expand the More menu and select Acknowledge.
You can further examine the alert and take action on it in the IRM console by clicking on the alert's URL that appears in the Slack channel.
If the alert is a false positive, expand the More menu and select Dismiss. This opens an Update panel that prompts you to type in an investigation update. Investigation updates facilitate continuous learning and help to identify any trends among common false-positive alerts.
After you click Dismiss, the alert is acknowledged and added to an incident with severity Negligible and stage set to Resolved.
The alert's URL also appears in the Slack channel. Clicking on the URL takes you to the IRM console, where you can further examine the alert and take any necessary further action.
Manage incidents in Slack
As in the IRM console, you can manage your incidents, from alert detection to incident resolution, from your Slack channel.
Incident data appears in your alerts channel when you interact with an incident. If you create a new incident in the alerts channel, the new incident's Slack channel, labeled with the incident title you provided, appears in your Slack workspace.
Each incident overview lists the following information if it is available:
- Incident title
- Number of associated alerts
- Duration (at the time of the Slack interaction)
Update incident data
You can edit incident data directly from your Slack channels. All changes made in the Slack channel are reflected in the IRM console. Note that if you change or create an incident in IRM, you won't see any corresponding updates in the Slack channel, unless the Slack channel is subscribed to the incident.
When an incident is first posted to the incident-specific Slack channel, the initial incident overview contains a Take action menu:
Expand the Take action menu to do the following:
- Add alerts
- Add tags
- Add roles
- Add investigation updates
- Edit summary
You can also use the following commands to edit incident data and help manage ongoing incidents in Slack:
||Prints a list of commands and short semantics info.|
||Sets the stage of the incident.|
||Sets the summary of the incident.|
||Sets the title of the incident.|
||Adds a tag to the incident.|
||Prints top-level information for the incident (e.g. Summary).|
||Add a new investigation update to the incident.|
||Set the severity of the incident.|
||Lists all added alerts to current incident channel.|
||Add an alert to the incident.|
||Assign a user with a role to the incident.|
Any commands run within an incident channel affect only that incident. These commands won't work in non-incident channels.
Once you have verified that conditions have returned to normal or otherwise that the incident no longer requires an active response, you can mark the incident Resolved. Do the following within the incident channel:
/irm stage. A panel appears.
In Update stage > New stage, select Resolved.
Add an investigation update.
If you later need to return to a stage, use the /irm stage command again and update the stage as needed.
Archive incident channels
When you have resolved an incident, you can archive its incident-specific Slack channel. Do the following within the incident channel:
Locate the message, "Archive channel".
This message was generated when you resolved the incident.
Click Archive channel.
The incident channel is now archived and won't show up in your Slack workspace's list of active channels. For more information, go to the Slack documentation.