Advanced ServiceNow Teams Integration Playbook

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.

Attribute	Value
Type	Playbook
Solution	Teams
Source	View on GitHub

Logic App Connectors

This playbook uses 8 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`arm`	Managed	1	5
`azuresentinel`	Managed	1	0
`azuresentinel_2`	Managed	0	1
`service-now`	Managed	1	4
`teams`	Managed	1	3
`virustotal`	Managed	1	1
`http`	Built-in	0	1
`workflow`	Built-in	0	1

Action parameters (URLs, paths, function IDs)

`arm` (Managed)

Action	Method	Endpoint	Other
Get_playbook_callback_URL	post	`/subscriptions/@{encodeURIComponent(outputs('split_the_resource_ID')[2])}/resourcegroups/@{encodeURIComponent(outputs('split_the_resource_ID')[4])}/providers/@{encodeURIComponent('Microsoft.Logic')}/@{encodeURIComponent('workflows/',outputs('split_the_resource_ID')[8])}/@{encodeURIComponent('triggers/',body('Get_resource_trigger_name')?['value'][0]['name'],'/listCallbackUrl')}`	—
Get_resource_trigger_name	get	`/subscriptions/@{encodeURIComponent(outputs('split_the_resource_ID')[2])}/resourcegroups/@{encodeURIComponent(outputs('split_the_resource_ID')[4])}/providers/@{encodeURIComponent('Microsoft.Logic')}/@{encodeURIComponent('workflows/',outputs('split_the_resource_ID')[8],'/triggers')}`	—
Read_a_resource	get	`/subscriptions/@{encodeURIComponent(outputs('split_the_resource_ID')[2])}/resourcegroups/@{encodeURIComponent(outputs('split_the_resource_ID')[4])}/providers/@{encodeURIComponent('Microsoft.Logic')}/@{encodeURIComponent('workflows/',outputs('split_the_resource_ID')[8])}`	—
List_resources_by_subscription	get	`/subscriptions/@{encodeURIComponent(item()?['subscriptionId'])}/resources`	—
List_subscriptions	get	`/subscriptions`	—

`azuresentinel_2` (Managed)

Action	Method	Endpoint	Other
Azure_Sentinel_-_Add_comment_to_related_Incident	post	`/Incidents/Comment`	—

`service-now` (Managed)

Action	Method	Endpoint	Other
ServiceNow_-_Create_Record_for_Incident	post	`/api/now/v2/table/@{encodeURIComponent('incident')}`	—
ServiceNow_-_Add_additional_comments_in_ServiceNow_Ticket	put	`/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('ServiceNowSystemID'))}`	—
ServiceNow_-_Query_for_Sentinel_Incident_Number	get	`/api/now/v2/table/@{encodeURIComponent('incident')}`	—
ServiceNow_-_Update_Record_with_Response_from_User	put	`/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('ServiceNowSystemID'))}`	—

`teams` (Managed)

Action	Method	Endpoint	Other
Teams_-_Reply_to_Alert_Thread	post	`/v2/beta/teams/@{encodeURIComponent(parameters('TeamsGroupId'))}/channels/@{encodeURIComponent(parameters('AlertChannelId'))}/messages/@{encodeURIComponent(body('Post_Incident_in_SOC_Alerts_Channel')?['id'])}/replies`	—
Post_Incident_in_SOC_Alerts_Channel	post	`/v1.0/teams/conversation/adaptivecard/poster/@{encodeURIComponent('User')}/location/@{encodeURIComponent('Channel')}`	—
Update_Incident_Thread_from_Investigation_Response	post	`/v2/beta/teams/@{encodeURIComponent(parameters('TeamsGroupId'))}/channels/@{encodeURIComponent(parameters('AlertChannelId'))}/messages/@{encodeURIComponent(body('Post_Incident_in_SOC_Alerts_Channel')?['id'])}/replies`	—

`virustotal` (Managed)

Action	Method	Endpoint	Other
Get_an_IP_report	get	`/api/v3/ip_addresses/@{encodeURIComponent(items('For_each')?['properties']?['Address'])}`	—

`http` (Built-in)

Action	Method	Endpoint	Other
Call_the_playbook_and_pass_alert_to_playbook	POST	`@{body('Find_playbook_based_on_playbook_name_provided')[0]?['callbackUrl']}`	—

`workflow` (Built-in)

Action	Method	Endpoint	Other
LogicApp_-_Get_tagged_playbooks	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',parameters('PlaybookName'),'-fn-getListOfTaggedPlaybooks')]` triggerName=`manual`

Additional Documentation

📄 Source: Advanced-ServiceNow-Teams-Integration/readme.md

Advanced - ServiceNow & Teams Integration

Author: Jing Nghik

Alt Text

This arm template will deploy multiple logic app playbooks and api connectors.

(Main playbook) <playbookName>-workflow-incident
(playbook function) - <playbookName>-function-getListOfTaggedPlaybooks This playbooks purpose is to locate any playbooks that have been tagged with playbook to populate the Investigation Response list dynamically.
(Check IP - Example playbook) - <playbookName>-checkIPOnVirusTotal - Simple playbook to check IP on VirusTotal. This playbook is an example that will be available in Microsoft Sentinel and the main playbook.
All the API connectors are reused across the same playbook to prevent duplicate API connectors created.

Updates

Migrated playbook to support incidents instead of alerts
fixed some JSON parsing problems with adaptive cards by adding an compose action to render the card.

Video Walkthrough

Requirements

In order to fully utilize this playbook. There are a number of pre-configuration steps required before deploying the Logic App.

You will need the following:

ServiceNow instance URL, Username, and password You can create a dev environment to test with for free at https://developer.servicenow.com/dev.do
access/authorization to enable api connectors for Azure resource manager, teams, and Microsoft Sentinel.
Teams Group ID, Alert Channel ID, Investigation Response Channel ID The group ID and Channel ID can be obtained by going to Teams and getting the link which has the values you need for the parameters. (Will need to URL decode it if there are special characters). URL Decoder Link
Investigation Channel ID can also use the same ID as alert channel if desired.

Workflow

Based on the rules, Microsoft Sentinel triggers an incident or alert.
This runs a linked playbook that first will check to determine if an existing serviceNow ticket already exists with the same incident ID (to prevent duplicate tickets)
The ticket is opened in serviceNow and a Teams message is created in the Alerts channel with alert/incident details.
A corresponding investigation response message is sent with a list of available playbooks that can be run from teams.
Based on selected playbooks submitted, the playbooks are ran ad-hoc by routing the alert body to the selected playbook.
If the executed playbook returns a response, that message is updated in the related serviceNow ticket, commented in the Microsoft Sentinel Incident, and also added added as a reply to the Initial Teams Alert message.

Setup Steps

Click Deploy to Azure and fill in parameters
Populate the Teams Group and Channel IDs to ensure it messages are generated in the right channel.
Search for API connectors and find the deployment prefix and fix any connectors by authorizing the connection.
Manually trigger an Microsoft Sentinel alert to test.

Deploy the ARM template

Thanks!

Thank you to the following people for contributing to my efforts in building this playbook!

Twitter @thijslecomte - For showing me how to make my first template!
Jan Ignacio, Joey Cruz, Sreedhar Ande, Nicholas Dicola, Rod Trent, Nathan Swift for pushing me to contribute to this repo, testing, and feedback.

Todo list

Have the playbook support buth alerts and incidents. (Only works for alerts)
A way to support other messaging services and ticketing platforms
selectable card templates
Way to not create a new teams thread if one already exists.
support pager duty and teams on-call.