Microsoft Teams
Webhooks allow Identity Security Insights to send detection and recommendation information to a configured Teams channel.
Create a webhook integration for Microsoft Teams
Once your Incoming webhook is created, copy the generated URL for use in Insights.
- In Insights, select your tenant.
- In the upper left menu, click Insights > Integrations.
The Integrations page displays with the available integrations. - Click Webhooks or your product.
The Summary page displays. - Click Create Integration.
The Configure Integration page displays. - Enter the following information:
- Name: a name for the new webhook.
- Webhook URL: The URL generated by Teams for your new webhook.
- Webhook Template: Use the following test webhook JSON templates to test the connection and send webhooks to Teams. These templates each create a new card in Teams for a given detection or recommendation, provide additional information about the report, and include a link to the incident in Identity Security Insights.
- After a successful test with the static test data, the template can be configured. Create or change the fields and add variables as per your requirement.
Note
For more information on card formatting, see the Microsoft's documentation.
Message card
{
"@type": "MessageCard",
"@context": "http://schema.org/extensions",
"themeColor": "0076D7",
"summary": "A new %%incidentType%% was found.",
"sections": [
{
"activityTitle": "A new %%incidentType%% was found.",
"activitySubtitle": "%%tenantId%%",
"facts": [
{ "name": "Incident Id", "value": "%%incidentId%%" },
{ "name": "Severity", "value": "%%severity%%" },
{ "name": "Definition Id", "value": "%%definitionId%%" },
{ "name": "Definition Summary", "value": "%%definitionSummary%%" },
{ "name": "Source", "value": "%%source%%" },
{ "name": "Location", "value": "%%location%%" },
{ "name": "Entity Type", "value": "%%entityType%%" },
{ "name": "Entity Name", "value": "%%entityName%%" },
{ "name": "Timestamp", "value": "%%timestamp%%" },
{ "name": "Link", "value": "%%link%%" }
],
"markdown": true
}
],
"potentialAction": [
{
"@type": "OpenUri",
"name": "Go to %%incidentType%%",
"targets": [{ "os": "default", "uri": "%%link%%" }]
}
]
}
Adaptive card
{
"type": "message",
"attachments": [
{
"contentType": "application/vnd.microsoft.card.adaptive",
"contentUrl": null,
"content": {
"Summary": "A new %%incidentType%% was found.",
"type": "AdaptiveCard",
"actions": [
{
"type": "Action.OpenUrl",
"title": "Open %%incidentType%%",
"url": "%%link%%"
}
],
"$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
"version": "1.4",
"body": [
{
"type": "TextBlock",
"size": "Medium",
"weight": "Bolder",
"text": "A new %%incidentType%% was found.",
"spacing": "ExtraLarge",
"horizontalAlignment": "Center",
"color": "Warning"
},
{
"type": "ColumnSet",
"columns": [
{
"type": "Column",
"items": [
{
"type": "TextBlock",
"weight": "Bolder",
"text": "%%incidentType%%",
"wrap": true,
"spacing": "Large",
"color": "Accent",
"horizontalAlignment": "Left"
},
{
"type": "TextBlock",
"spacing": "None",
"text": "Created %%timestamp%%",
"isSubtle": true,
"wrap": true,
"color": "Good",
"fontType": "Default"
}
],
"width": "stretch"
}
]
},
{
"type": "TextBlock",
"text": "%%definitionSummary%%",
"wrap": true
},
{
"type": "FactSet",
"facts": [
{
"title": "Incident Type:",
"value": "%%incidentType%%"
},
{
"title": "Incident Id:",
"value": "%%incidentId%%"
},
{
"title": "Definition Id:",
"value": "%%definitionId%%"
},
{
"title": "Severity:",
"value": "%%severity%%"
}
],
"spacing": "Medium",
"separator": true
}
]
}
}
]
}
Updated 18 days ago