SNOW -Teams

This is snow and teams integration

Rsource Visualiser

Logic App Flows

Components Settings

MS Sentinel
adaptiveCardItems
Extract entities and add to adaptive card -4 actions
SNOW- Query for sentinel Incident Number

Check to see if SNOW Incident Exists - 2 cases

Function

length(body('ServiceNow_-_Query_for_Sentinel_Incident_Number')?['result'])

Compose Teams Incident Alert Card

// Some code
{
  "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
  "actions": [
    {
      "title": "Open Incident in Sentinel",
      "type": "Action.OpenUrl",
      "url": "@{triggerBody()?['object']?['properties']?['incidentUrl']}"
    },
    {
      "style": "destructive",
      "title": "Open Service Now Incident",
      "type": "Action.OpenUrl",
      "url": "https://ven03842.service-now.com/nav_to.do?uri=/incident_list.do?sysparm_query=active=true"
    }
  ],
  "body": [
    {
      "color": "accent",
      "size": "large",
      "text": "Microsoft Sentinel Alert - @{triggerBody()?['object']?['properties']?['incidentNumber']} - @{triggerBody()?['object']?['properties']?['title']} ",
      "type": "TextBlock",
      "wrap": true
    },
    {
      "items": @{variables('adaptiveCardItems')},
      "spacing": "padding",
      "style": "default",
      "type": "Container"
    }
  ],
  "msTeams": {
    "width": "full"
  },
  "type": "AdaptiveCard",
  "version": "1.2"
}

Post Incident in SOC Alerts Channel
Post Actions Required in Investigation Request channel

// Message
{
    "msTeams": {
        "width": "full"
    },
    "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
    "type": "AdaptiveCard",
    "version": "1.2",
    "body": [
					{
						"type": "TextBlock",
						"size": "large",
						"color": "accent",
						"text": "**Microsoft Sentinel Alert - **@{triggerBody()?['object']?['properties']?['incidentNumber']} - @{triggerBody()?['object']?['properties']?['title']}",
						"wrap": true
					},
        {
            "type": "TextBlock",
            "text": "Please Select the playbooks to run for the incident:",
            "weight": "Bolder"
        },
        {
            "type": "TextBlock",
            "text": "Available tagged Logic App playbooks",
            "wrap": true,
            "weight": "Bolder",
            "color": "Accent"
        },
        {
            "type": "Input.ChoiceSet",
            "choices": @{body('LogicApp_-_Get_tagged_playbooks')},
            "placeholder": "IP Playbooks",
            "isMultiSelect": true,
            "style": "expanded",
            "id": "playbooks"
        }
    ],
    "actions": [
        {
            "type": "Action.Submit",
            "title": "Submit"
        }
    ]
}

Update incident thread from investigation Response
SNOW update Record with response from user
Grab Selected playbooks from investigation response

// value
split(body('Post_Actions_Required_in_Investigation_Requests_Channel')?['data']?['playbooks'],',')

Loop though each playbook and run it -5 actions

Loop through :-

find playbook based on playbook name provided

From 
array(body('LogicApp_-_Get_tagged_playbooks'))

URI

body('Find_playbook_based_on_playbook_name_provided')[0]?['callbackUrl']

Teams Reply Text
SNOW add additional comments in SNOW ticket

MS Sentinel Add comment to releated Incident

Section : 5 Check If SNOW Incident Exist

True:

value:

body('ServiceNow_-_Query_for_Sentinel_Incident_Number')?['result'][0]?['sys_id']

False :

Section 3: Extract Entities and add to adaptive card

From

array(triggerBody()?['object']?['properties']?['relatedEntities'])

length(body('Filter_list_by_each_type_name'))

SNOW Team -IPCheckon VT

from

array(triggerBody()?['object']?['properties']?['relatedEntities'])

PreviousUse Cases NextKPI

Last updated 19 days ago