Jing has been working on a crazy-cool method to use Teams as a conduit between ServiceNow and Azure Sentinel to enable SOC teams to use Teams as the primary tool for quick identification of qualified Incidents. I’ve seen this in action several times and each time I’m left in awe.
I’m just going to share Jing’s video walkthrough here from his TeachJing YouTube channel. As always, Jing does an amazing job teach’jing how he does it all. In addition to working through his solution, Jing offers some Playbook automation concepts that is important for everyone to learn.
The Playbook: Azure-Sentinel/Playbooks/Advanced-SNOW-Teams-Integration at master · Azure/Azure-Sentinel (github.com)
Details:
00:00:15 – Preview of the playbook
00:01:30 – Teams link to ServiceNow where ticket is opened
00:03:25 – Azure Sentinel Github Repository
00:04:30 – Deploying the ARM template
00:05:30 – How to get Teams Group ID and Channel ID to route alerts to
00:07:15 – How to tag playbooks to Investigation playbook list in teams
00:09:18 – How to authorize connections for API Connector
00:12:30 – Running the playbook
00:14:20 – Going through how the playbook is built
00:18:00 – How the I get the playbook to call other playbooks
00:21:46 – How I configure the called logic app to respond data back to the caller logic app.
00:24:00 – How I use a logic app (function) for repeatable use across many playbooks
00:26:30 – How to troubleshoot and look at the input/output of each action
00:32:30 – Whiteboard diagram to help clarify what happened
=========================
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Azure Sentinel Newsletter]
