Open Socengineer opened 1 week ago
Pinging @elastic/response-ops (Team:ResponseOps)
Hi, this payload works for sending messages to O365 workflows.
The error displayed is due to not sending in adaptive card format.
```bash
# Post an Adaptive Card to the Workflows webhook.
# {{{TITLE}}} and {{{CONTENT}}} are placeholders to fill in.
curl -s -H 'Content-Type:application/json' -d '{
  "type": "message",
  "attachments": [{
    "contentType": "application/vnd.microsoft.card.adaptive",
    "content": {
      "type": "AdaptiveCard",
      "body": [
        {"type": "TextBlock", "size": "Large", "weight": "Bolder", "text": "{{{TITLE}}}"},
        {"type": "RichTextBlock", "inlines": [{ "type": "TextRun", "text": "{{{CONTENT}}}"}]}
      ],
      "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
      "version": "1.2",
      "msteams": { "width": "Full", "entities": []}
    }
  }]
}' 'https://prod-120.westus.logic.azure.com:443/workflows/xxxxx'
```
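An added example, not part of the original thread or Elastic's code: it builds the envelope from the curl command above with a JSON serializer, so alert text containing quotes or newlines cannot break the body, and checks a body for that envelope shape before it is sent. The `{"text": ...}` input shape is an assumption taken from the `triggerBody()?['text']` expression used in this thread; the function names and the sample alert are constructed.

```python
import json

ADAPTIVE_CARD_TYPE = "application/vnd.microsoft.card.adaptive"
# Constructed sample of a text-only alert body; note the quotes and newline.
SAMPLE_ALERT = b'{"text": "Rule \\"cpu-high\\" fired on host-01\\nvalue: 97%"}'

def build_card_payload(title, content):
    """Envelope from the curl example, built as data so values get escaped."""
    body = [
        {"type": "TextBlock", "size": "Large", "weight": "Bolder", "text": title},
        {"type": "RichTextBlock", "inlines": [{"type": "TextRun", "text": content}]},
    ]
    card = {"type": "AdaptiveCard", "body": body,
            "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
            "version": "1.2", "msteams": {"width": "Full", "entities": []}}
    return {"type": "message",
            "attachments": [{"contentType": ADAPTIVE_CARD_TYPE, "content": card}]}

def wrap_text_payload(raw, title):
    """Turn a {"text": ...} body (assumed shape) into Adaptive Card JSON bytes."""
    incoming = json.loads(raw)
    text = incoming.get("text") if isinstance(incoming, dict) else None
    if not isinstance(text, str) or not text:
        raise ValueError("payload has no non-empty 'text' field")
    return json.dumps(build_card_payload(title, text)).encode("utf-8")

def card_problems(raw):
    """Return reasons the body does not match the Adaptive Card envelope."""
    try:
        msg = json.loads(raw)
    except ValueError as exc:  # JSONDecodeError is a ValueError
        return [f"body is not valid JSON: {exc}"]
    if not isinstance(msg, dict):
        return ["top level is not a JSON object"]
    problems = [] if msg.get("type") == "message" else ["type is not 'message'"]
    attachments = msg.get("attachments")
    if not isinstance(attachments, list) or not attachments:
        return problems + ["attachments is missing or empty"]
    for i, att in enumerate(attachments):
        content = att.get("content") if isinstance(att, dict) else None
        if not isinstance(att, dict) or att.get("contentType") != ADAPTIVE_CARD_TYPE:
            problems.append(f"attachments[{i}] is not an adaptive card")
        elif not isinstance(content, dict) or content.get("type") != "AdaptiveCard":
            problems.append(f"attachments[{i}].content is not an AdaptiveCard")
    return problems

if __name__ == "__main__":
    print(card_problems(SAMPLE_ALERT))
    print(card_problems(wrap_text_payload(SAMPLE_ALERT, "Kibana alert")))
```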
The below worked for me: instead of using the adaptive card for the action step, I used the "post message in a chat or channel" action. Flow steps:
Fill out the required values under the step for "post as", "post in", etc.
In the "message" field I used the following expression, which posts whatever Elastic sends: `@{triggerBody()?['text']}`
Sample configuration:
One of the issues I faced is that the flow uses my personal team's credentials, and when an alert is sent from Elastic, it uses my name when posting to the channel. I would like Elastic to let me know if there are any options I can use that let me post via a custom name (for example: elasticbot via workflows) instead of using an individual's name.
Using individual's name:
I confirm that @nateshR-Insight's solution works.
Thank you for that, @nateshR-Insight. There is a knowledge base article already that has a similar solution to what you described: https://support.elastic.dev/knowledge/view/962c033d
The article describes an intermediate JSON parse step, but `@{triggerBody()?['text']}` also works ;)
@nateshR-Insight
> One of the issues I faced is that the flow uses my personal team's credentials, and when an alert is sent from Elastic, it uses my name when posting to the channel. I would like Elastic to let me know if there are any options I can use that let me post via a custom name (for example: elasticbot via workflows) instead of using an individual's name.

This seems to be a limitation of Workflows; the "post message in a chat or channel" documentation shows the same issue and does not offer an alternative.
I have seen people online complaining of the same issue and a proposed solution was to have a dedicated user for these workflows.
PS: Please also note that Microsoft's documentation also states:
> Sending a message in private channels isn't supported.
Problem Description
Referring to https://www.elastic.co/guide/en/kibana/current/teams-action-type.html#configuring-teams: today in Teams, a message was automatically posted below a webhook message:
Quoted from the article:
Included with this message was a link to set up a workflow for the Teams channel in question. Running through the wizard is easy enough, and you end up with a URL that can be pasted into the webhook URL field in the Elastic connector's config.
Testing this in Kibana shows a successful test, but on the Microsoft side a failure is reported, referring to null data being received.
Proposed Solution
Validate together with Microsoft what actions are required from your side with regard to sending the webhook data.
Alternatives
Update the Elastic documentation to reflect how to correctly implement a workflow as a replacement for the deprecated Teams connector.
Additional context