Send incident Teams Adaptive Card with XDR Portal links
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This playbook will send a Teams adaptive card with incident and entity information with all links pointing to the security.microsoft.com portal
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | SentinelSOARessentials |
| Source | View on GitHub |
Additional Documentation
📄 Source: Send-Incident-Teams-Adaptive-Card-XDRPortal/readme.md
Send-Incident-Teams-Adaptive-Card-XDRPortal
author: Brian Delaney
Summary
This playbook sends a Teams adaptive card with an incident report including alert details and entity information. Incident and entity links go to the security.microsoft.com portal. Sentinel must be connected to the XDR portal for this to work on all incidents.
Prerequisites
- A Microsoft 365 (M365) account to send Teams cards (the user account will be used in the Microsoft Teams connector for sending emails).
- Sentinel must be connected to the XDR Portal
Deployment instructions
- To deploy the playbook, click the Deploy to Azure button below. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
- Playbook Name
- Microsoft Graph Endpoint (https://graph.microsoft.com)
- Denfeder Portal Endpoint (https://security.microsoft.com)
Post-deployment Instructions
Authorize connections
Once deployment is complete, authorize the connection.
- Open the Logic App in the Azure portal.
- Click Connections
- Expand Microsoft Teams
- Click the link to Open Connection, or reassign a new one
- Sign in with the account to be used for sending email
- Click Save.
Select a Team & Channel
- With the Logic App open in the Azure portal locate the 'Post card in a chat or channel' step and click it
- Select the appropriate team in the Team drop down menu
- Select the appropriate channel in the Channel drop down menu
- Click Save
Note: If you do not see the desired Team/Channel, ensure that the user that made the connection is a member of the team and has access to the channel.
Grant Permissions
- Locate and note the Logic App managed identity id (Logic App -> Settings -> Identity)
- Locate a note the Entra ID Tenant ID (Entra ID -> Tenant ID)
- Update the PowerShell Script below with the IDs from above
- Run the PowerShell script to grant API Permissions. This can be run locally or from Cloud Shell
$MIGuid = "<LogicAppManagedIdentityId>"
$TenantId = "<TenantId>"
Connect-MgGraph -TenantId $TenantId -Scopes AppRoleAssignment.ReadWrite.All, Application.Read.All -NoWelcome -ErrorAction Stop
$MSI = Get-MgServicePrincipal -ServicePrincipalId $MIGuid
$AppId = "00000003-0000-0000-c000-000000000000"
$permissions = @("SecurityAlert.Read.All", "SecurityIncident.Read.All")
$GraphServicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
foreach ($PermissionName in $permissions) {
$AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MSI.Id -PrincipalId $MSI.Id -ResourceId $GraphServicePrincipal.Id -AppRoleId $AppRole.Id
}
Write-Host "Assigned permissions to Managed Identity Service Principal."
Attach the playbook
- In Microsoft Sentinel, configure an automation rule to trigger this playbook when an incident is created. - Learn more about automation rules
Screenshots
Playbook
Email
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊