Microsoft Teams Notifications

About Incoming Webhooks

Incoming Webhooks are a type of Connector in Teams that provide a simple way for an external app to share content in team channels. They are often used as tracking and notification tools. Microsoft Teams provides a unique URL to which you can send a JSON payload with the message that you want to POST, typically in a card format. Cards are UI containers that contain content and actions related to a single topic and are a way to present message data in a consistent way.

You will need to enter the URL that you copied from the Connector. Sysdig will format a message by using a custom card template and send it to the channel. The message will show up as a new notification in the Microsoft application.

Prerequisites

• Have the destination URL handy. You can copy it from the Connectors > Incoming Webhook window on the Microsoft Teams UI. For more information, see Add an incoming Webhook to a Teams channel.

  

Note: Webhooks via HTTPS work only when a signed or valid certificate is in use.

Support

Microsoft Team notification channels are supported for the following use cases in Sysdig Monitor:

• Alerts

Microsoft Team notification channels are supported for the following use cases in Sysdig Secure:

• Runtime Policies: Standard and shortened messages.
• Risks
• Threats
• Vulnerabilities
• Accepted Risk: Vulnerabilities

Enable Microsoft Teams

1. Complete steps 1-3 in Set Up a Notification Channel and choose Microsoft Teams.

2. Enter the configuration options:

   • URL: The destination URL you have copied from Microsoft Teams UI.

   • Channel Name: Add a meaningful name for your channel.

   • Enabled: Toggle on or off.

   • Notification options: Toggle for notifications when alerts are resolved or acknowledged.

   • Test notification: Toggle to be notified that the configured URL is working.

   • Shared With: Choose whether this channel can be used by All Teams or the Current Team you are logged in as.

3. Click Save.

Choose Message Format (Secure Only)

The “Configure Channel Sections” option applies only to notifications sent from Sysdig Secure events governed by Threat Detection policies. Here you can choose whether the message should be:

• Shortened: (Default) Includes a summary of the event giving the rule, policy name, and contextual information about where the event took place. When available, a Runbook Link and Action Taken are displayed.
• Detailed: Includes full event details, as shown.

Migrate from Office 365 Connectors to Power Automate

Microsoft has announced the deprecation of Office 365 Connectors, which are used for sending notifications to Microsoft Teams. According to their notice, new notification channels using the Office 365 Connector cannot be created after August 15th, 2024, and existing connectors will require a URL update to function after December 31st, 2024.

You can find more details in the official Microsoft retirement notice.

Create an Automate Workflow to Replace Office 365 Connector

Power Automate is an automation platform that replaces Office 365 Connectors. To transition from Office 365 connectors, you must create a Power Automate Workflow endpoint. This new endpoint will replace the current Office 365 Connectors endpoints that forwards to Microsoft Teams.