When using Azure Sentinel as your security information and event management (SIEM) platform, you do not always want to have to check the incident dashboard for new incidents or have lots of emails clogging up your inbox.

Fortunately, you can now configure a Sentinel Playbook which utilises a Logic App to post an alert into a Microsoft Teams channel of your choice.

Setup Playbook

Within the Playbooks section of your Azure Sentinel workspace, select Add Playbook.

Select the Subscription and Resource Group, then enter a logical name for the Logic App and choose a Location.

Log Analytics can be left off unless required. Then review and create.

Logic App Designer

Once the Logic App has been created, go into the Logic App designer. The first step should be:

"When a response to an Azure Sentinel alert is triggered"

You will need to enter Azure admin-level credentials that have Sentinel access.

Click + New Step.

Search for "Teams", then for the action select "Post a message as the Flow bot to a channel (preview)".

This will prompt for credentials, for which you will need to use an account that has access to the required Team/Channel.

Once authenticated (this is likely to be a non-admin account), select the Team/Channel that you want to post the Sentinel incidents to.

Depending on your requirements, you may want to set up a dedicated channel for Sentinel alerts.

On the "Add new parameter" dropdown, tick the Message box, then click the dropdown again and the dynamic content options should appear. These can now be added to your message as per your requirements. I would recommend adding them all on separate lines initially to work out what is useful to your organisation, then fine-tuning the message when you have a clearer picture.

The end goal of this is to have something looking like the following;

Click Save, then back within your Playbooks screen ensure it is enabled.


To test that this is working, you can trigger the alert from within the Logic App, but this will only post a blank message as all of the entities are missing. It is best to set up/trigger a real-world alert against one of your active rules specified in the Analytics section. An easy one to test against would be the RDP Nesting rule or, if your Sentinel is linked to Active Directory and you have the rule enabled, create and delete an account within 10 minutes. (You may need to allow time for the alert to come through to Sentinel, but once it is a Sentinel incident it should instantly trigger a Teams notification.)
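
An added example, not part of the original post: a small Python check that mirrors the "one field per line" message described above and reports which fields come out blank, as happens when the playbook is run manually from the designer. The field names, entity keys and sample payloads are assumptions constructed for illustration; in the Logic App itself the same values come from the dynamic content list.

```python
import html
import json

# Field names are assumptions modelled on the Sentinel SecurityAlert schema;
# compare them with the dynamic content list shown in your own Logic App.
FIELDS = ["AlertDisplayName", "Severity", "Description", "TimeGenerated"]

# Constructed sample payloads (not real alerts).
SAMPLE_ALERT = {
    "AlertDisplayName": "Account created and deleted within 10 minutes",
    "Severity": "Medium",
    "Description": "Test account <svc-test> was created then deleted",
    "TimeGenerated": "2021-01-01T10:00:00Z",
    "Entities": json.dumps([{"Type": "account", "Name": "svc-test"},
                            {"Type": "host", "HostName": "dc01"}]),
}
MANUAL_RUN = {}  # a run started from the designer: no alert fields at all


def summarise_entities(raw):
    """Entities is assumed to be a JSON string (or list) of entity objects."""
    try:
        entities = json.loads(raw) if isinstance(raw, str) else raw
    except json.JSONDecodeError:
        return ""
    if not isinstance(entities, list):
        return ""
    parts = []
    for ent in entities:
        if isinstance(ent, dict):
            value = ent.get("Name") or ent.get("HostName") or ent.get("Address")
            if value:
                parts.append(f"{ent.get('Type', 'unknown')}: {value}")
    return "; ".join(parts)


def render_message(alert):
    """Return (html_body, blank_fields) for one alert payload."""
    values = {name: str(alert.get(name) or "").strip() for name in FIELDS}
    values["Entities"] = summarise_entities(alert.get("Entities"))
    blank = [name for name, value in values.items() if not value]
    # One field per line; values escaped in case the channel renders HTML.
    lines = [f"<b>{name}</b>: {html.escape(value)}" for name, value in values.items() if value]
    return "<br>".join(lines), blank


if __name__ == "__main__":
    for payload in (SAMPLE_ALERT, MANUAL_RUN):
        print(render_message(payload))
```

Running it against a payload captured from a real alert shows which fields are worth keeping in the Teams message before you fine-tune the template.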