Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Send-Teams-adaptive-card-on-incident-creation - Teams Sender Issue #11190

Open Guruleenyc opened 1 week ago

Guruleenyc commented 1 week ago

I got the Send-Teams-adaptive-card-on-incident-creation working with the Playbook and Automation rule, BUT the Logic App is using my account to send to the Teams channel. This is NO good since it depends on my account instead of a "service account"; anyone in our team that interacts with the Teams channel incident post will be making incident changes on behalf of my account instead of their own; lastly, what happens in the future if my account gets disabled for any reason?

How can we have the Logic App use a managed identity or "service account" so Sentinel incidents in Teams are not bound to a single employee's account?

Guruleenyc commented 5 days ago

Circling back on this. Is there any way to have Sentinel send incidents to a Teams channel without having the Logic App depend on a user account to authenticate to Teams that is a member of the Teams group? We do not want the incidents to appear as though they are being sent by a specific team member in the Teams channel, rather that they are being sent by Sentinel.

v-rusraut commented 4 days ago

Hi @Guruleenyc, thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

Guruleenyc commented 3 days ago

Due to the Adaptive Card shortcomings I noted, as a workaround I shifted gears to a Playbook / Logic App using an HTTP action POST with the Teams Webhook URL. However, the JSON body in the HTTP action is tricky to get the format right. I was able to get the right formatting of the Teams post using this Logic App code:

```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "actions": {
      "HTTP": {
        "inputs": {
          "body": {
            "text": "<b>Creation time : </b>@{triggerBody()?['object']?['properties']?['createdTimeUtc']} <br/><br/><b>Title : </b> @{triggerBody()?['object']?['properties']?['title']}<br/><br/><b>ID : </b>@{triggerBody()?['object']?['properties']?['incidentNumber']}<br/><br/><b>Severity : </b>@{triggerBody()?['object']?['properties']?['severity']} <br/><br/><b>Description : </b>@{triggerBody()?['object']?['properties']?['description']}<br/><br/><b>URL : </b><a href=\"@{triggerBody()?['object']?['properties']?['incidentUrl']}\"> @{triggerBody()?['object']?['properties']?['incidentUrl']}</a><br/><br/>"
          },
          "headers": {
            "Content-Type": "application/json"
          },
          "method": "POST",
          "uri": "YourWebhookURLHere"
        },
        "runAfter": {},
        "runtimeConfiguration": {
          "contentTransfer": {
            "transferMode": "Chunked"
          }
        },
        "type": "Http"
      }
    },
    "contentVersion": "1.0.0.0",
    "outputs": {},
    "parameters": {
      "$connections": {
        "defaultValue": {},
        "type": "Object"
      }
    },
    "triggers": {
      "Microsoft_Sentinel_incident": {
        "inputs": {
          "body": {
            "callback_url": "@{listCallbackUrl()}"
          },
          "host": {
            "connection": {
              "name": "@parameters('$connections')['azuresentinel']['connectionId']"
            }
          },
          "path": "/incident-creation"
        },
        "type": "ApiConnectionWebhook"
      }
    }
  },
  "parameters": {
    "$connections": {
      "value": {
        "azuresentinel": {
          "connectionId": "/subscriptions/bb61c698-5616-4156-8f9e-af3971e2e5e0/resourceGroups/lhg-infosec-logs/providers/Microsoft.Web/connections/azuresentinel-Post-Message-to-Teams",
          "connectionName": "azuresentinel-Post-Message-to-Teams",
          "connectionProperties": {
            "authentication": {
              "type": "ManagedServiceIdentity"
            }
          },
          "id": "/subscriptions/bb61c698-5616-4156-8f9e-af3971e2e5e0/providers/Microsoft.Web/locations/westus2/managedApis/azuresentinel"
        }
      }
    }
  }
}
```
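As an added example (not code from this issue or from the Azure-Sentinel repository), the same webhook body built in Python from a constructed sample of the Sentinel incident trigger payload: it follows the `triggerBody()?['object']?['properties']?[...]` paths used in the definition above, tolerates missing fields the way the `?[]` operator does, HTML-escapes the incident fields that the expression interpolates straight into markup, and includes a small check reporting which `$connections` entries are not backed by a managed identity. The payload values, and the `build_teams_body` / `connections_not_using_msi` helper names, are assumptions made for the example.

```python
import html
import json

# Constructed sample of the Sentinel incident trigger payload; the keys follow
# the property paths in the Logic App definition, the values are made up.
SAMPLE_INCIDENT = {
    "object": {
        "properties": {
            "createdTimeUtc": "2024-01-15T10:32:00Z",
            "title": "Suspicious sign-in <test>",
            "incidentNumber": 42,
            "severity": "High",
            "description": 'Multiple failed logons & "impossible travel"',
            "incidentUrl": "https://portal.azure.com/#asset/incident/EXAMPLE",
        }
    }
}

# (label, property) pairs in the order the Logic App message lists them.
FIELDS = [
    ("Creation time", "createdTimeUtc"),
    ("Title", "title"),
    ("ID", "incidentNumber"),
    ("Severity", "severity"),
    ("Description", "description"),
]

def _prop(payload, key):
    # Null-safe lookup, mirroring the ?[] operator in the workflow expression.
    return (payload.get("object") or {}).get("properties", {}).get(key)

def build_teams_body(payload):
    """Return the dict the HTTP action posts to the Teams incoming webhook."""
    parts = []
    for label, key in FIELDS:
        value = _prop(payload, key)
        # Escape so incident text cannot break the HTML Teams renders.
        parts.append(f"<b>{label} : </b>{html.escape(str(value if value is not None else ''))}")
    url = html.escape(str(_prop(payload, "incidentUrl") or ""), quote=True)
    parts.append(f'<b>URL : </b><a href="{url}">{url}</a>')
    return {"text": "<br/><br/>".join(parts) + "<br/><br/>"}

def connections_not_using_msi(definition):
    """Names of $connections entries whose auth type is not ManagedServiceIdentity."""
    conns = definition.get("parameters", {}).get("$connections", {}).get("value", {})
    return sorted(name for name, c in conns.items()
                  if c.get("connectionProperties", {}).get("authentication", {}).get("type")
                  != "ManagedServiceIdentity")

if __name__ == "__main__":
    print(json.dumps(build_teams_body(SAMPLE_INCIDENT), indent=2))
```

Running `connections_not_using_msi` over the exported definition above returns an empty list, since its only connection (`azuresentinel`) authenticates with a managed identity; a Teams connector connection bound to a user account would be listed.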