Post Message Teams
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook will post a message in a Microsoft Teams channel when an Alert is created in Microsoft Sentinel.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | SentinelSOARessentials |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 1 |
teams |
Managed | 1 | 1 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Alert_-_Get_incident | get | /Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])} |
— |
teams (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Post_a_message_(V3) | post | [concat('/v3/beta/teams/@{encodeURIComponent(''', parameters('TeamsGroupId'), ''')}', '/channels/@{encodeURIComponent(''', parameters('TeamsChannelId'), ''')}/messages')] |
— |
Additional Documentation
Post-Message-Teams (Alert Trigger)
Summary
This playbook posts a message in a Microsoft Teams channel when an alert is created in Microsoft Sentinel. The message includes key alert details such as severity, title, status, number, creation time, URL, and entities.
Prerequisites
- A Microsoft Teams account with permission to post messages to the target channel.
- Teams Group ID and Channel ID (can be found in the Teams web URL).
Deployment instructions
- To deploy the playbook, click the Deploy to Azure button below. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
- Playbook Name
- Teams Group ID
- Teams Channel ID
Post-deployment Instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Open the Logic App in the Azure portal.
- Click the Teams connector resource.
- Click Edit API connection.
- Click Authorize.
- Sign in.
- Click Save.
- Repeat steps for other connections as needed.
Note: The message will be sent from the user who creates the connection.
b. Assign Playbook Log Analytic Reader Role
To allow the playbook to read from the Log Analytics workspace, assign the Log Analytics Reader role to the playbook's managed identity:
- In the Azure portal, go to your Log Analytics workspace.
- Select Access control (IAM) from the left menu.
- Click Add > Add role assignment.
- In the Role dropdown, select Log Analytics Reader.
- In the Assign access to dropdown, select Managed identity.
- Click Select members, search for and select the Logic App (playbook) name/managed identity.
- Click Review + assign to complete the process.
Note: It may take a few minutes for the permissions to propagate.
c. Attach the playbook
- In Microsoft Sentinel, configure an automation rule to trigger this playbook when an alert is created.
Note: Enable the playbook if it is disabled before assigning it to the automation rule.
Screenshots
Playbook
Teams Message Example
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊