Sending incident from Sentinel to Teams

Laszlo Pal 35

Hi, I'm struggling with some very simple automation where Sentinel incidents should be forwarded to Teams channelIn SOAR Essentials there are two solutions for this Post Message to Teams and Send Adaptive Card The first is simpler, it uses Microsoft Sentinel incident as a trigger, then based on this it will compose a simple post to the teams channel. It seems ok at least when I manually trigger the playbook on an incident, but it seems it is not triggered by incident creation The second is even more interesting (and to be honest for my usecase this is what I really need). When I manually trigger I'm getting the following error in 'Post Teams' step The request failed. Error code: 'BotRequestFailed'. Error Message: 'Request to the Bot framework failed with error: '{"error":{"code":"BotNotInConversationRoster","message":"The bot is not part of the conversation roster."}}'.'. Did anyone used any of these so can help me this issue? Thank you Laszlo

Laszlo Pal 35 Reputation points

2024-02-16T12:41:36.23+00:00

It seems the original issue is solved by creating a 'Standard' channel and not a private one. However a new issue arises. When I click on close incident on the adaptive card, it is failed on Sentinel side with permission issues. So the question here what credential is used for the teams -> sentinel direction or how to modify the playbook to work properly by closing the incident from teams?
Lee Seeman 16 Reputation points

2024-09-24T21:51:15.51+00:00

I have the same issue, the logic app fails here with unauthorized - not a member of Teams channel. Any help would be greatly appreciated
Lee Seeman 16 Reputation points

2024-09-26T14:18:48.22+00:00

I got it working, BUT the Logic App is using my account to send to Teams channel. This is NO good since it depends on my account instead of a "service account", anyone in our team that received the Teams post and uses the Respond options in the post will be making incident changes on behalf of my account instead of their own, lastly, what happens in the future if my account gets disabled for any reason?
Lee Seeman 16 Reputation points

2024-09-26T16:35:50.71+00:00
Some outstanding issues / questions I have with this:

How to have the Logic App send the incident to Teams channel without using someone individual account that's a member of the Team group managing the channel?

How to show the incident post in the Teams channel to show as sent from 'Sentinel' and not 'Workflow' after you use the Respond option in the card to update the incident from Teams? This would be very helpful to track where the incident came from since after the Respond options are used, the incident info disappears and changes to 'Thanks for your response'

How to add a response option to change incident owner from a list of team members from the Teams post.

I would love to add the option to change/update the status of incident from the Teams post.
Lee Seeman 16 Reputation points

2024-10-04T14:23:55.81+00:00

Due to the Adaptive Card shortcomings I noted, as a workaround I am now looking into a Playbook / Logic App to use a HTTP action POST with the Teams Webhook URL instead (no Teams auth).

However, the JSON body in the HTTP trigger is difficult to get the format right. Currently this is my JSON body for the Teams post:

"HTTP_2": { "inputs": { "body": { "attachments": [ { "content": { "$schema": "http://adaptivecards.io/schemas/adaptive-card.json", "body": [ { "text": "**Creation time**: @{triggerBody()?['object']?['properties']?['createdTimeUtc']}", "type": "TextBlock" }, { "text": "**Title**: @{triggerBody()?['object']?['properties']?['title']}", "type": "TextBlock" } { "text": "**ID**: @{triggerBody()?['object']?['properties']?['incidentNumber']}", "type": "TextBlock" }, { "text": "**Severity**: @{triggerBody()?['object']?['properties']?['severity']}", "type": "TextBlock" }, { "text": "**Description**: @{triggerBody()?['object']?['properties']?['description']}", "type": "TextBlock" }, { "text": "**URL**: @{triggerBody()?['object']?['properties']?['incidentUrl']}", "type": "TextBlock" }, ], "type": "AdaptiveCard", "version": "1.2" }, "contentType": "application/vnd.microsoft.card.adaptive", "contentUrl": null } ], "type": "message" }, "headers": { "Content-Type": "application/json" },

Can anyone help with JSON formatting?

Accepted answer

JamesTran-MSFT 36,631 Reputation points Microsoft Employee

2024-02-16T20:27:20.8166667+00:00
@Laszlo Pal

Thank you for your detailed post!

When walking through the Send-Teams-adaptive-card-on-incident-creation GitHub repo and testing the template that was deployed, I ran into the same permissions error. To hopefully help point you in the right direction, I'll share the troubleshooting steps I took to resolve the issue.

Error Message
Forbidden: The client '...5e59 with object id '...5e59' does not have authorization to perform action 'Microsoft.SecurityInsights/incidents/read' over scope '/subscriptions/....../incidents/c2243ad93967' or the scope is invalid....

After reviewing the full error message, I double checked the connections that were deployed with the template and noticed that the MicrosoftSentinel-Send-Teams-adaptive-card-on-incident-creation API connection uses a Managed Identity.

Navigating to the Send-Teams-adaptive-card-on-incident-creation Logic App -> Identity, you should find that the Client ID and Object ID referenced within the error message is that of the Logic Apps' System Assigned Managed Identity.

Since the Playbook's Managed Identity doesn't have the correct permissions, I assigned the Microsoft Sentinel Responder role to it by selecting the Azure role assignments button. For more info.

Note: I also noticed that the Post Deployment section of the GitHub repo also details the required Managed Identity permissions.

I hope this helps!

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Please sign in to rate this answer.

1 person found this answer helpful.
Laszlo Pal 35 Reputation points

2024-02-19T15:26:56.1+00:00

Thank you very much for your detailed explanation

Lee Seeman 16 Reputation points

2024-09-19T17:19:33.1066667+00:00

Can someone confirm this is the supported steps / method to push all Sentinel Incidents to an existing Teams channel?

We'd like to use an existing Teams channel named Alerts to investigate and document related work for each Incident/alert.

Laszlo Pal 35 Reputation points

2024-09-20T05:20:12.95+00:00

It is working for me for a standard channel

Lee Seeman 16 Reputation points

2024-09-24T15:57:48.43+00:00

I found this very informational and helpful. Is this the supported solution to push Sentinel incidents to a Teams channel, where each incident is a single post in the Teams channel for analysts to reply with investigation evidence, etc. ?

Lee Seeman 16 Reputation points

2024-09-24T19:18:14.9566667+00:00

Can you show me an example in the Logic app workflow to only post to Teams channel if severity is High ?

===

UPDATE: I actually figured it out and put the severity condition for 'high' in the automation rule within Sentinel that runs the playbook.

Lee Seeman 16 Reputation points

2024-09-24T21:33:06.4233333+00:00

When the playbook runs, I get this error message in the log app for step 'post adaptive card and wait for a response':

Unauthorized. The request failed. Error code: 'UnauthorizedSenderForChannelNotification'. Error Message: 'The sender with objectId '76a5ea27-b7e6-48a4-88d0-xxxxxxxxxxxxx' is not a member or an owner of the team or channel.'.

I obfuscated the ID above, but the ID is not resolving to a known account. What objectID is that for?

Lee Seeman 16 Reputation points

2024-09-25T19:48:44.9266667+00:00

So it appears its failing with 'Unauthorized. The request failed. Error code: 'UnauthorizedSenderForChannelNotification'. Error Message: 'The sender with objectId '76a5ea27-b7e6-48a4-88d0-xxxxxxxxxxxxx' is not a member or an owner of the team or channel.'.'

However, the team that manages the standard channel in Teams does not have the referenced ObjectID/account as a member and it shouldn't since its a privileged account.

How can I change the Log App to use a different account, one that is already a member of the team that manages the channel?

Lee Seeman 16 Reputation points

2024-09-26T14:50:07.3366667+00:00

I got it working, BUT the Logic App is using my account to send to Teams channel. This is NO good since it depends on my account instead of a "service account", anyone in our team that interacts with the Teams channel incident post will be making incident changes on behalf of my account instead of their own, lastly, what happens in the future if my account gets disabled for any reason?

Lee Seeman 16 Reputation points

2024-09-26T14:51:15.1666667+00:00

I would love it if we can add to the Respond options in the Teams post with the ability to change the assignee/owner of the incident. Can someone help me?

Lee Seeman 16 Reputation points

2024-10-04T14:24:14.1266667+00:00

Due to the Adaptive Card shortcomings I noted, as a workaround I am now looking into a Playbook / Logic App to use a HTTP action POST with the Teams Webhook URL instead (no Teams auth).

However, the JSON body in the HTTP trigger is difficult to get the format right. Here is what I was finally able to use for the Logic App code:

{ "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "actions": { "HTTP": { "inputs": { "body": { "text": "Creation time : @{triggerBody()?['object']?['properties']?['createdTimeUtc']} Title : @{triggerBody()?['object']?['properties']?['title']} ID : @{triggerBody()?['object']?['properties']?['incidentNumber']} Severity : @{triggerBody()?['object']?['properties']?['severity']} Description : @{triggerBody()?['object']?['properties']?['description']} URL : <a href=\"@{triggerBody()?['object']?['properties']?['incidentUrl']}\"> @{triggerBody()?['object']?['properties']?['incidentUrl']}</a> " }, "headers": { "Content-Type": "application/json" }, "method": "POST", "uri": "<your WebhookURLHere" }, "runAfter": {}, "runtimeConfiguration": { "contentTransfer": { "transferMode": "Chunked" } }, "type": "Http" } }, "contentVersion": "1.0.0.0", "outputs": {}, "parameters": { "$connections": { "defaultValue": {}, "type": "Object" } }, "triggers": { "Microsoft_Sentinel_incident": { "inputs": { "body": { "callback_url": "@{listCallbackUrl()}" }, "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, "path": "/incident-creation" }, "type": "ApiConnectionWebhook" } } }, "parameters": { "$connections": { "value": { "azuresentinel": { "connectionId": "/subscriptions/bb61c698-5616-4156-8f9e-af3971e2e5e0/resourceGroups/lhg-infosec-logs/providers/Microsoft.Web/connections/azuresentinel-Post-Message-to-Teams", "connectionName": "azuresentinel-Post-Message-to-Teams", "connectionProperties": { "authentication": { "type": "ManagedServiceIdentity" } }, "id": "/subscriptions/bb61c698-5616-4156-8f9e-af3971e2e5e0/providers/Microsoft.Web/locations/westus2/managedApis/azuresentinel" } } } }}

Can anyone help with JSON formatting?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Sending incident from Sentinel to Teams

0 additional answers

Your answer