IBM Security QRadar SOAR


Microsoft Teams for SOAR configuration

  • 1.  Microsoft Teams for SOAR configuration

    Posted Tue May 11, 2021 09:03 AM
    Edited by Paweł Fri May 14, 2021 05:20 AM
    Hello,

    Does anyone know how to configure the MS Teams application for SOAR?
    There is no information in the documentation. I would like to use MS Teams for notifications of new incidents and tasks. Maybe someone can share their configuration?

    Paweł


  • 2.  RE: Microsoft Teams for SOAR configuration

    Posted Thu May 13, 2021 09:24 AM
    Hi Paweł,


    The first place you're going to start is configuring your app.config file with the Microsoft Teams' webhooks. Each webhook will refer to a different channel for sending messages. You will label your channels in any meaningful way for your use. This link would give you information on setting up a webhook. https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/connectors-using.

    [fn_teams]
    channel_name=<teams channel webhook>


    Within your workflow, you'll set up your function to indicate which Teams channel you're sending content to. The example workflow shows how data can be formatted into the format the webhook requires (an ActionCard). You should be able to run the example rule and workflow to get a feel for the formatting required and then you can create your own format as necessary.

    Good luck,

    Mark



    ------------------------------
    Mark Scherfling
    ------------------------------



  • 3.  RE: Microsoft Teams for SOAR configuration

    Posted Fri May 14, 2021 05:20 AM
    Edited by Paweł Fri May 14, 2021 05:28 AM

    Hi Mark,
    Thank you for the answer. I already created a webhook in Teams and tested it from PowerShell - it's working. My team is called Resilient Integration and the channel is Incidents.

    I configured the app in apphost as you can see in the screenshot below. But I get errors (2nd screenshot).



    What could be wrong? In the last screenshot you can see the results of the selftest.


    Paweł




  • 4.  RE: Microsoft Teams for SOAR configuration

    Posted Fri May 14, 2021 07:52 AM
    Based on the error, it looks like you placed the webhook url in the function 'teams_channel' input field rather than the label ('channel_name') you specified in the app.config. The label is meant to be an easier way to refer to the webhook url.

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 5.  RE: Microsoft Teams for SOAR configuration

    Posted Fri May 14, 2021 09:15 AM
    Edited by Paweł Fri May 14, 2021 09:53 AM
    Thank you very much, it is working now.


  • 6.  RE: Microsoft Teams for SOAR configuration

    Posted Wed October 05, 2022 07:03 AM
    Edited by Ravoth PN Wed October 05, 2022 07:07 AM
    Hi @Mark Scherfling,

    We configured SOAR for FN_Teams like Mr. Paweł and performed testing of app.config; we got the error message below:
    "
    Error while calling selftest. Exception: 'MissingSchema' object has no attribute 'message'
    "

    Could you help to advise on that? 


    Best Regards,
    PRV




  • 7.  RE: Microsoft Teams for SOAR configuration

    Posted Fri October 07, 2022 08:51 AM
    Hi Ravoth,
    The existing implementation of the selftest function is slightly outdated, and so we are unable to see exactly what the error is in this case. Irrespective of that, the actual problem here could be due to incorrectly configured "Incoming webhooks". To properly generate this "Incoming Webhook" for a channel, you can follow this link: https://learn.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook. This can then be set in the "selftest" option in the app.conf file. A screenshot of this has been attached for your reference.
     
     
    Warm regards,
    Calvin



    ------------------------------
    Calvin Wynne
    ------------------------------



  • 9.  RE: Microsoft Teams for SOAR configuration

    Posted Mon October 24, 2022 10:37 AM
    Hello,

    I have the same problem as Paweł, but none of the recommendations work on my end. I've tried all possible combinations for the webhook and channel name, but no luck.
    As you can see from the screenshots, the self test works correctly, but I always get an error when I try to submit an incident.


    Any suggestions where I'm going wrong?
    Thank you!

    ------------------------------
    Yuliyan Dimitrov
    ------------------------------



  • 10.  RE: Microsoft Teams for SOAR configuration

    Posted Mon October 24, 2022 09:37 AM
    Edited by Portia Melita Mon October 24, 2022 10:37 AM
    Hello,

    I have the same problem, but the solution provided did not work on my end. I've tried all possible combinations for the webhook and channel name, but no luck.
    This is my configuration and self test is working properly, but I always receive the same error when I run the workflow.



    Any suggestions what I'm not doing right?
    Thank you!


    ------------------------------
    Yuliyan Dimitrov
    ------------------------------



  • 11.  RE: Microsoft Teams for SOAR configuration

    Posted Mon October 24, 2022 11:04 AM
    Hi Yuliyan,

    It looks like you're trying to use the channel 'Resilient' - note the upper case 'R'. I believe channels are all lower case. Can you try 'resilient'?

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 12.  RE: Microsoft Teams for SOAR configuration

    Posted Tue October 25, 2022 03:08 AM
    Hi Mark,

    Unfortunately, the same result.



    I renamed the teams chat, generated a new webhook and changed to "resilient" in all possible places.


    ------------------------------
    Yuliyan Dimitrov
    ------------------------------



  • 13.  RE: Microsoft Teams for SOAR configuration

    Posted Tue October 25, 2022 07:23 AM
    Hi Yuliyan,

    The problem here is that teams_channel = resilient is not a valid option. Could you please try the following?

    1. Change channel_name=https://webook.office .... to resilient=https://webhook .....
    2. Set teams_channel input in the workflow to resilient

    Note:
    The teams_channel input name and the webhook name must match (the highlighted values in the images below must match).




    ------------------------------
    Calvin Wynne
    ------------------------------
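
Added example, not part of the original posts and not the fn_teams app's own code: a small Python check for the two mix-ups resolved in posts 4 and 13 (a webhook URL placed in the teams_channel input, and a teams_channel label that is not defined under [fn_teams]). It assumes app.config is read INI-style with Python's configparser, which lower-cases option names; the function names and the placeholder webhook URL are constructed for illustration.

```python
import configparser

# Constructed sample app.config; the webhook URL is a placeholder, not a real one.
SAMPLE_APP_CONFIG = """
[fn_teams]
resilient=https://example.invalid/webhookb2/PLACEHOLDER
"""

def load_channels(config_text):
    """Return {label: webhook_url} from the [fn_teams] section."""
    parser = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    parser.read_string(config_text)
    if not parser.has_section("fn_teams"):
        return {}
    return dict(parser.items("fn_teams"))

def check_teams_channel(config_text, teams_channel):
    """Diagnose a teams_channel workflow input against app.config.

    Returns (ok, message). The webhook URL is never echoed back,
    because anyone who holds it can post into the channel.
    """
    channels = load_channels(config_text)
    value = teams_channel.strip()
    if value.lower().startswith(("http://", "https://")):
        return False, "teams_channel holds a webhook URL; use the app.config label"
    if not channels:
        return False, "no labels defined under [fn_teams] in app.config"
    # Assumption: the lookup is an exact match on the stored label.
    # configparser stores option names in lower case, so 'Resilient' misses.
    if value not in channels:
        known = ", ".join(sorted(channels))
        if value.lower() in channels:
            return False, f"labels are stored in lower case; use '{value.lower()}'"
        return False, f"label '{value}' not in [fn_teams]; defined: {known}"
    if not channels[value].lower().startswith("https://"):
        return False, f"label '{value}' does not map to an https webhook URL"
    return True, f"label '{value}' resolves to a webhook URL"
```

Keeping the URL only in app.config and passing the label through the workflow also keeps the webhook out of incident and workflow data.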



  • 14.  RE: Microsoft Teams for SOAR configuration

    Posted Tue October 25, 2022 07:40 AM
    Hi Calvin,

    Now it works!
    Thank you so much!

    Regards,
    Yuliyan

    ------------------------------
    Yuliyan Dimitrov
    ------------------------------