
Delivering Sentinel Alerts in Teams

08/29/2022

A simple and very functional feature of Sentinel in the integration with playbooks is delivery as a chat message in Teams.

The example below demonstrates how alerts are delivered to Teams with the details of the alert that was triggered.

image

Creating Logic Apps and Automation Rule

When a Sentinel data connector is installed, a Logic App is automatically created for automation. It has no tasks configured except the first one, the incident trigger.

This will be the playbook that all enabled alerts use as their default response.

image

When editing the playbook, add the For each object. This loop allows multiple incidents to be handled, not just the first one. This matters in environments where a situation has created more than one incident: without the loop, the playbook would not trigger for all of them.

Note that the For each loop reads the incident data and sends it by email, using the properties below for the title, the recipient and the message text.

In the case below, I deleted the default email object and replaced it with the Post message in a chat or channel object, which allows sending the message either to a single user or to a Teams group or channel:

image

The next step is to create the trigger rule for the notification playbook in Sentinel.

Note that the name matches my choice, but you can use any other name. A descriptive name makes it easier to relate the alerts to the automation when you link them later.

image
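The same trigger rule can be deployed as an ARM resource instead of through the portal. This is an added example, not a template from the post or from Microsoft: the resource shape (triggeringLogic, actions, RunPlaybook) follows the Microsoft.SecurityInsights/automationRules schema as exported from a workspace, but the workspace name, rule ID, playbook resource ID and tenant ID are placeholders, and the API version used here should be verified against the one in your own exported template. It runs the notification playbook when an incident is created and, as an extra filter the post does not use, only for Medium and High severity incidents.

```json
{
  "type": "Microsoft.SecurityInsights/automationRules",
  "apiVersion": "2021-10-01",
  "scope": "Microsoft.OperationalInsights/workspaces/<WORKSPACE-NAME-PLACEHOLDER>",
  "name": "<AUTOMATION-RULE-GUID-PLACEHOLDER>",
  "properties": {
    "displayName": "Notify Teams on new incident",
    "order": 1,
    "triggeringLogic": {
      "isEnabled": true,
      "triggersOn": "Incidents",
      "triggersWhen": "Created",
      "conditions": [
        {
          "conditionType": "Property",
          "conditionProperties": {
            "propertyName": "IncidentSeverity",
            "operator": "Equals",
            "propertyValues": [ "Medium", "High" ]
          }
        }
      ]
    },
    "actions": [
      {
        "order": 1,
        "actionType": "RunPlaybook",
        "actionConfiguration": {
          "logicAppResourceId": "/subscriptions/<SUB-ID-PLACEHOLDER>/resourceGroups/<RG-PLACEHOLDER>/providers/Microsoft.Logic/workflows/<PLAYBOOK-NAME-PLACEHOLDER>",
          "tenantId": "<TENANT-ID-PLACEHOLDER>"
        }
      }
    ]
  }
}
```

Drop the conditions array entirely to reproduce the post's behaviour of notifying on every incident. Whichever way the rule is created, the Sentinel service identity needs permission to run the playbook in its resource group (the Logic App Contributor role is what the portal grants when you configure it there), otherwise the rule is created but the playbook run fails silently in the automation rule's run history.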

Enabling Analytics Rules for Delivery to Teams

Go into the Sentinel Analytics options, enable the rules you want to be alerted on, and edit them.

image

In the rule options, you can select the automated response that we created in the previous step so that the playbook is executed.

image

By editing the rules you can create new automation responses without first creating them in Automation, as I did before, although I think this can leave behind multiple orphaned objects later.

But if you do want to create a new response here, click the Add new button, name the automation and indicate which playbook will be executed:

image

Okay, now you will receive incident details directly through the Teams channel or chat!
