XSOAR Marketplace: Keeping it Simple with Microsoft Teams via Webhook


 

Is there any way to just make it send a message?

 

This was a question one of my customers posed to me when they couldn’t use the Microsoft Teams integration due to internal restrictions. The Cortex XSOAR integration with Microsoft Teams is fantastic, and includes a lot of useful functionality, but all they wanted and needed was to send a message to a specific team as part of their playbook.

 

That question piqued my curiosity and a quick Google search gave me what I needed. 

 

Microsoft Teams supports messages via incoming webhook, and with Cortex XSOAR Bring Your Own Integration (BYOI) capabilities, it didn’t seem like an insurmountable challenge to write a simple integration that would “just send a message”.

 


 

While watching a hockey game that night, I figured I’d see if I could make it work. I had the integration written, tested, and sending messages by the end of the game.

 

The integration configuration is simple:

  • Add the incoming webhook as a connector on the Team
  • Configure the XSOAR integration instance with this webhook

No bots to install or permissions to configure, just a simple connector is all you need!

 

Run the ms-teams-message command from a playbook or the XSOAR CLI, and the message is sent, including a link back to the incident from which it came! I even got carried away and built in support for multiple webhooks to different teams (see the README!).

 


 

I shared the integration internally, and more and more of us shared it with our customers. Next it was used in Cortex XSIAM as well, and a peer subtly nudged (ok he yelled) me to contribute it to the XSOAR Marketplace.

 

The contribution process was pretty straightforward: I submitted it to the Marketplace straight from the XSOAR UI, completed the form, and the content team got in touch with me.

 

The hardest part was adding some unit tests to the GitHub pull request that was created after submission (my code always works sometimes!), as this integration was to be part of our officially supported pack! However, the content team supported me through every step of this process, and I learned a few things about mocking requests along the way!

 

So, why write this and not just watch the hockey game after work? Because why not? 

 

I’ve been automating my job for 20+ years, and thoroughly enjoy it! Cortex XSOAR is a great platform that lets me try new things, and keep my development skills sharp! The integration didn’t exist, and I felt like I had the opportunity to change that, challenge accepted!

 

Want to get started with writing your own automations and integrations? We have a great series on being an XSOAR Engineer on the Palo Alto Live Community, and the XSOAR developer site is a fantastic resource.  And if you write something amazing, why not contribute it? 

 

Plus, it’s always a great feeling watching your code in action when that message comes through into Teams.

 

3 Comments
L4 Transporter

Great solution!!

It's impressive how you avoid using the Teams bot while keeping it simple. However, it seems that it doesn't work in two-way communication. You can't receive and process the customer answers. Does it?

L4 Transporter

After reviewing the documentation on how incoming Webhooks work, I found some security issues.

  1. The URL created in the required team group can be seen by group members.
  2. Anyone using the URL can send messages to the chat.

This can cause spam, phishing, etc. from outsiders who have the link.

I can't find a way to make the URL secret, ask for authentication, limit the users who can access the URL or filter by IP. 
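
An added example, not the integration's own code and not part of the original post or its comments: because the webhook URL is the only credential, as the comment above notes, this Python code checks the URL before use, keeps its secret path out of logs, and builds the message with a link back to the incident. The allowed host suffix, the legacy MessageCard layout, the function names and all sample values are assumptions to adjust for your tenant.

```python
import json
from urllib.parse import urlsplit

# Assumption: host suffix used by your tenant's incoming-webhook URLs.
ALLOWED_HOST_SUFFIXES = ("webhook.office.com",)

def validate_webhook_url(url, allowed=ALLOWED_HOST_SUFFIXES):
    """Accept only HTTPS URLs on an expected host, so a mistyped or
    tampered instance setting cannot send incident data elsewhere."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise ValueError("webhook URL must use https")
    if not any(host == s or host.endswith("." + s) for s in allowed):
        raise ValueError("unexpected webhook host: " + host)
    return url

def redact_webhook_url(url):
    """Log-safe form: the URL path is the bearer secret, so drop it."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}/<redacted>"

def build_message(text, incident_url, title="Cortex XSOAR"):
    """Legacy MessageCard payload with a button linking to the incident."""
    return {
        "@type": "MessageCard",
        "@context": "http://schema.org/extensions",
        "summary": title,
        "title": title,
        "text": text,
        "potentialAction": [{
            "@type": "OpenUri",
            "name": "Open incident",
            "targets": [{"os": "default", "uri": incident_url}],
        }],
    }

def prepare_request(webhook_url, text, incident_url):
    """Return (url, headers, body) for an HTTP POST; no network I/O here."""
    validate_webhook_url(webhook_url)
    body = json.dumps(build_message(text, incident_url)).encode("utf-8")
    return webhook_url, {"Content-Type": "application/json"}, body

if __name__ == "__main__":
    # Constructed sample values, not real endpoints.
    url = "https://contoso.webhook.office.com/webhookb2/EXAMPLE-PLACEHOLDER"
    incident = "https://xsoar.example.com/#/Details/123"
    _, headers, body = prepare_request(url, "Phishing incident assigned", incident)
    print(redact_webhook_url(url), headers, body.decode())
```

Store the URL as an encrypted credential parameter rather than plain text, and recreate the connector to rotate it if the URL is ever exposed.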

L0 Member

Is it possible to tag someone on the message body? The typical way of <at>@username</at> or by email does not seem to work.
