When using Azure Sentinel as your security information and event management (SIEM) platform, you do not always want to have to check the incident dashboard for new incidents, or to have lots of emails clogging up your inbox.
Fortunately you can now configure a Sentinel Playbook, which uses a Logic App, to post an alert into a Microsoft Teams channel of your choice.
Within the Playbooks section of your Azure Sentinel workspace, select Add Playbook.
Select the Subscription and Resource Group, then enter a logical name for the Logic App and choose the Location.
Log Analytics can be left off unless required, then Review and create.
Logic App Designer
Once the Logic App has been created, open the Logic App Designer. The first step should be:
"When a response to an Azure Sentinel alert is triggered"
You will need to enter Azure admin-level credentials for an account that has Sentinel access.
Click + New Step.
Search for "Teams", then for the action select "Post a message as the Flow bot to a channel (preview)".
This will prompt for credentials; you will need to use an account that has access to the required Team/Channel.
Once authenticated (this is likely to be a non-admin account), select the Team/Channel that you want the Sentinel incidents posted to.
Depending on your requirements you may want to set up a dedicated channel for Sentinel alerts.
On the "Add new parameter" dropdown, tick the Message box, then click the dropdown again and the dynamic content options should appear. These can now be added to your message as your requirements dictate. I would recommend adding them all initially, each on a separate line, to work out which are useful to your organisation, then fine-tune the message once you have a clearer picture.
The end goal of this is to have something looking like the following:
Click Save, then back on your Playbooks screen ensure the playbook is enabled.
To check that this is working you can trigger the Logic App manually from within the designer, but this will only post a near-blank message because all of the entities are missing. It is better to set up or trigger a real-world alert against one of the Active rules specified in the Analytics section. An easy one to test against is the RDP Nesting rule, or, if your Sentinel is linked to Active Directory and you have the rule enabled, create and delete an account within 10 minutes. You may need to allow time for the alert to come through to Sentinel, but once it becomes a Sentinel incident it should instantly trigger a Teams notification.