Skip to main content
Request a Demo

ThreatConnect and Slack: Streamline Investigative Team Collaboration

ThreatConnect has revamped our existing integration with Slack by leveraging their latest APIs and Authentication, doing this allows us to include a ton more functionality. With Playbooks, you can automatically keep team members informed, get instant updates with notifications or escalations, and create channels as part of investigations. By automating this process, you turn your Slack workspace into a workbench to quickly work through investigations and remediations.

ThreatConnect Slack Playbook App

The following use cases are now enabled with this app:

  • Human in the loop orchestration.  As part of an investigation, you can require approval from certain individuals or teams before they take place. Human in the loop orchestration goes to another level when you can send a Slack message to a team member asking them to approve the action. When they approve the rest of the Workflow or orchestration, it can proceed in an efficient manner.
  • Instant updates with notifications/escalations. As part of a Security Workflow or Playbook, it may become necessary to notify a team member of the need to take action via Slack message. Depending on the course of a security investigation, many teams or team members may need to be involved, sometimes in a timely manner.  This is especially true after hours. The Slack app for ThreatConnect can be integrated into any ThreatConnect Playbook to send a Slack or other message and ensure its delivery as part of a critical security process.
  • Create a Slack Channel as Part of Investigation. As part of an investigation, you can create a workspace to share communications. With Playbooks, you can create a Slack channel as part of an investigation process, invite relevant team members to the channel,  and then post updates as the investigation unfolds.  You can also use it to request permission for an action or to notify a user that they need to take an action.

The following actions are available:

  • Send Message: Sends a message to a channel. This action can send a simple text message as well as message blocks from the Block Builder action. 
  • Block Builder: Creates a Block to be used as part of the Send Message action.
  • Create Channel: Creates a public or private channel-based conversation.
  • Invite User to Channel: Invites users to a channel.

Together, ThreatConnect and Slack help users to automate the creation of Slack messages or channels as part of security processes or investigations. If you’re a ThreatConnect customer, please reach out to your dedicated Customer Success Team for more information on how to take advantage of the Slack Playbook App. If you’re not yet a customer and are interested in ThreatConnect, contact

About the Author


By operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at