Trigger Activation from Teams Channel/Group Chat in SOAR

Hello everyone,

Would it be possible to configure a trigger that is activated directly from within a Microsoft Teams channel or group chat? Additionally, is there a way to view the information that is being passed to the trigger when it's activated from this source?

Any insights or advice on how to set this up or if this functionality exists would be greatly appreciated!

An example would be posting a URL in a chat; the playbook then takes that URL and runs the playbook process, etc.

Thank you in advance for your help.

Solved
1 ACCEPTED SOLUTION

@bein this requires a playbook to be executed, and since a playbook can be attached only to a specific case/alert, you need a way to generate it.

In theory, it should be possible to achieve with custom development or a feature request for a Teams Chat Connector that ingests messages from specific channels as alerts; to those alerts you can then attach a playbook that does all the required enrichment and, as the last step prior to closure, sends a message reply.


4 REPLIES

@bein if I understand correctly, the idea is the following:

1. You send a message to a channel in MS Teams
2. You wait for the reply to the message (text with a URL)
3. The playbook takes this URL and uses it for further processing

Overall, it should be possible to achieve with:

1. Send Message action
2. Wait for Reply action, which returns the reply text as part of the JSON result:

[screenshot: JSON result of the Wait for Reply action, showing the reply text field]

I was more thinking that step one wouldn't exist and Google Chronicle would be able to see when a new URL message comes in and react based on the message, basically triggering a playbook to run with the info sent in Teams. Taking a look at your steps, I would still need to have a trigger happen from an event to kick this off? The logic that I was hoping would be possible is: a SOC analyst sends a URL to a Teams channel; this instantly triggers the playbook to take the URL sent and do some enrichment (AbuseIPDB, VT) and, if it's considered unsafe, add it to our EDL list. The feature is similar to how the Discord bot API works, where you can have your program wait and only start once a message is sent. I am thinking maybe a custom program could solve this. If you have any other ideas, please let me know!

Thank you

Yeah, that's the same conclusion I came to as well. It's definitely doable with the Teams API & SOAR API. That's the route I am likely to take. The SOAR API is lacking a little functionality I'd like, but it'll get the job done. If a suggestion is possible, a POST request to an endpoint with custom parameters that starts a playbook would be cool. Thanks for the help f3rz
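The connector logic that the accepted solution describes (ingest channel messages as alerts that a playbook can attach to) and that the final reply settles on (Teams API plus SOAR API), as an added Python example; this is not code from the thread, from Microsoft or from the SOAR vendor. Everything about the environment is assumed: the messages are shaped like the objects Microsoft Graph returns for channel messages (`id`, `from.user.displayName`, `body.contentType`, `body.content`), the SOAR ingestion path, the `AppKey` header and the alert fields are placeholders to be replaced with whatever your SOAR API documentation specifies, and the sample page of messages is constructed. The part worth showing is what sits between the two APIs: refanging analyst-pasted URLs, pulling URLs out of Teams' HTML bodies, ignoring the bot's own replies so the playbook does not trigger itself, restricting who may drive the playbook, and keeping a processed-id set so a re-poll does not open duplicate cases.

```python
"""Teams channel -> SOAR alert connector logic (added illustration, not vendor code).

Assumptions (none come from the thread):
- Messages look like Microsoft Graph channel-message objects; a real connector
  would fetch them with the Graph channel messages API and page through deltas.
- The SOAR endpoint path, header name and alert schema are placeholders.
"""
from __future__ import annotations

import html
import json
import re
from typing import Iterable, Optional

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")
HREF_RE = re.compile(r'href="([^"]+)"')


def refang(text: str) -> str:
    """Undo common analyst defanging so hxxp://evil[.]example becomes a real URL."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".")


def extract_urls(body_content: str, content_type: str = "text") -> list[str]:
    """Return the unique URLs in a Teams message body (HTML or plain text), in order."""
    text = body_content
    if content_type.lower() == "html":
        # Keep href targets (visible link text may be a label), then drop the markup.
        text = " ".join(HREF_RE.findall(text)) + " " + TAG_RE.sub(" ", text)
    text = refang(html.unescape(text))
    seen: set[str] = set()
    urls: list[str] = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)]}")  # trailing punctuation from surrounding prose
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def message_to_alerts(msg: dict, allowed_senders: Optional[set] = None) -> list[dict]:
    """Turn one channel message into zero or more alerts, one per URL.

    Only human posts are accepted (bot and system messages carry no `from.user`),
    so the playbook's own reply in the channel cannot re-trigger it, and an
    optional allow-list limits who can drive the enrichment and EDL update.
    """
    sender = (msg.get("from") or {}).get("user") or {}
    name = sender.get("displayName")
    if not name or (allowed_senders is not None and name not in allowed_senders):
        return []
    body = msg.get("body") or {}
    urls = extract_urls(body.get("content", ""), body.get("contentType", "text"))
    return [
        {
            "source": "MSTeams",  # placeholder alert schema
            "name": "URL submitted for enrichment",
            "description": f"{name} posted {url} in the triage channel",
            "message_id": msg["id"],
            "entities": [{"type": "URL", "identifier": url}],
        }
        for url in urls
    ]


def process_messages(messages: Iterable[dict], processed_ids: set,
                     allowed_senders: Optional[set] = None) -> list[dict]:
    """Idempotent pass over a page of messages: ids already handled are skipped,
    so polling the same page twice (or replaying a delta) creates no duplicate cases."""
    alerts: list[dict] = []
    for msg in messages:
        if msg["id"] in processed_ids:
            continue
        processed_ids.add(msg["id"])
        alerts.extend(message_to_alerts(msg, allowed_senders))
    return alerts


def build_soar_request(alert: dict, base_url: str, api_key: str) -> tuple[str, dict, bytes]:
    """Assemble the HTTP request for the (placeholder) SOAR alert-ingestion endpoint."""
    url = base_url.rstrip("/") + "/api/external/v1/ingest/alert"  # placeholder path
    headers = {"Content-Type": "application/json", "AppKey": api_key}  # placeholder header
    return url, headers, json.dumps(alert).encode()


# Constructed sample page, shaped like a Graph channel-messages response.
SAMPLE_MESSAGES = [
    {"id": "1729664990001",
     "from": {"user": {"displayName": "alice"}},
     "body": {"contentType": "html",
              "content": '<div>please check <a href="https://bad.example/login.php?x=1">'
                         'https://bad.example/login.php?x=1</a> and hxxp://evil[.]example/dl.</div>'}},
    {"id": "1729664990002",
     "from": {"application": {"displayName": "SOAR bot"}},  # the playbook's own reply
     "body": {"contentType": "text", "content": "Enriched https://bad.example/login.php?x=1"}},
    {"id": "1729664990003",
     "from": {"user": {"displayName": "mallory"}},
     "body": {"contentType": "text", "content": "https://innocent.example/ add me"}},
]

if __name__ == "__main__":
    state: set = set()  # persist this between polls in a real connector
    for alert in process_messages(SAMPLE_MESSAGES, state, allowed_senders={"alice"}):
        url, headers, body = build_soar_request(alert, "https://soar.example", "REDACTED")
        print(url, body.decode())
```

Two design points: the processed-id set must be persisted (a file or the connector's own state store), because an in-memory set resets with the process and the next poll would re-open every case on the page; and the sender allow-list matters because the playbook's final action writes to the EDL on a VT/AbuseIPDB verdict, so whoever can post in that channel can push URLs into the blocking pipeline.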