Setting up a Workflow in Microsoft Teams
Follow these steps to set up a workflow in Microsoft Teams, via the Power Automate web GUI, to receive and incoming Webhook in a Teams channel as a card.
You may receive the Webhook through other implementations. The Platform allows outgoing Webhooks to *api.powerplatform.com* domains.
This guide for Workflows uses Incidents as the publication entity example. Adjust your Workflow setup for Vulnerabilities and Threat Events as required.
Access, or install, the Workflows App in Teams
-
Open Microsoft Teams and navigate to the left pane.
-
Select Apps at the bottom, then choose Workflows.
You may need to install the Workflows app. If it’s not available to be added, contact your IT admin.
The Workflows app provides a management interface to manage Webhooks but optionally you can also add Workflows directly to a channel. You can read more at Create incoming webhooks with Workflows for Microsoft Teams - Microsoft Support.
Creating a new flow
-
We recommend defining your incoming Webhook in Power Automate. In the Workflows app, find and select Go to website under … , or navigate directly to https://make.powerautomate.com
-
In Power Automate, select + Create and start from an Instant cloud flow.
-
Name your flow for example Truesec SOC Incidents and scroll down to select When a Teams webhook request is received as your trigger.
-
Make sure to change Who Can Trigger The Flow? to Anyone.
It is possible to use specific permissions but it will require more advanced authentication methods than a secret HTTP URL
-
Create a new step in the Workflow, by selecting + to Add an action.
Search for the action Post card in a chat or channel and select your target Team and Channel in the dropdowns.
-
In the Adaptive Card field, paste the below recommended json in its entirety. This specifies a Truesec default adaptive card design and ensures the Incidents are presented in Teams with full details, and with the default actions for incident management. You may change the card json as required.
{ "type": "AdaptiveCard", "body": [ { "type": "TextBlock", "size": "Medium", "weight": "Bolder", "text": "New Incident", "wrap": true }, { "type": "ColumnSet", "columns": [ { "type": "Column", "width": "auto", "items": [ { "type": "Image", "url": "https://tsprodemailassets.azureedge.net/truesec-logo-webhook.jpeg", "altText": "Truesec SOC", "size": "Small" } ] }, { "type": "Column", "items": [ { "type": "TextBlock", "weight": "Bolder", "text": "Truesec SOC", "wrap": true }, { "type": "TextBlock", "spacing": "None", "text": "@{triggerBody()?['publishedDateTime']} (UTC)", "isSubtle": true, "wrap": true } ], "width": "stretch" } ] }, { "type": "TextBlock", "text": "Workspace", "weight": "Bolder", "wrap": true, "spacing": "Large", "separator": true }, { "type": "TextBlock", "text": "@{triggerBody()?['workspaceName']}", "wrap": true, "spacing": "None" }, { "type": "TextBlock", "text": "ID", "weight": "Bolder", "wrap": true, "spacing": "Small" }, { "type": "TextBlock", "text": "@{triggerBody()?['id']}", "wrap": true, "spacing": "None" }, { "type": "TextBlock", "text": "Subject", "weight": "Bolder", "wrap": true, "spacing": "Small" }, { "type": "TextBlock", "text": "@{replace(replace(triggerBody()?['subject'], '\', '/'), '"', '\"')}", "wrap": true, "spacing": "None" }, { "type": "TextBlock", "text": "Severity", "weight": "Bolder", "wrap": true, "spacing": "Small" }, { "type": "TextBlock", "text": "@{triggerBody()?['severity']}", "wrap": true, "spacing": "None" }, { "type": "TextBlock", "text": "Configuration Items", "weight": "Bolder", "wrap": true, "spacing": "Small" }, { "type": "TextBlock", "text": "@{replace(replace(triggerBody()?['alertConfigurationItems'], '\', '/'), '"', '\"')}", "wrap": true, "spacing": "None" }, { "type": "TextBlock", "text": "Summary", "weight": "Bolder", "wrap": true, "separator": true, "spacing": "ExtraLarge" }, { "type": "RichTextBlock", "spacing": "None", "inlines": [ { "type": "TextRun", "text": "@{replace(replace(triggerBody()?['summary'], '\', '/'), '"', '\"')}" } ] }, { "type": "TextBlock", "text": "Technical Details", "weight": "Bolder", "wrap": true }, { "type": "RichTextBlock", "spacing": "None", "inlines": [ { "type": "TextRun", "text": "@{replace(replace(triggerBody()?['technicalDetails'], '\', '/'), '"', '\"')}" } ] }, { "type": "TextBlock", "text": "Recommended Action", "weight": "Bolder", "wrap": true }, { "type": "RichTextBlock", "spacing": "None", "inlines": [ { "type": "TextRun", "text": "@{replace(replace(triggerBody()?['recommendedAction'], '\', '/'), '"', '\"')}" } ] }, { "type": "TextBlock", "text": "Alert source", "weight": "Bolder", "wrap": true, "spacing": "ExtraLarge", "separator": true, "size": "Small" }, { "type": "TextBlock", "text": "@{triggerBody()?['sourceUrls']}", "wrap": true, "spacing": "None", "size": "Small" }, { "type": "TextBlock", "text": "The incident needs to be resolved in the Truesec Portal with closure note to ensure full alignment with Truesec SOC. If you have any questions or need help with this incident, contact the SOC or your Technical Account Manager. Call the SOC at +46 (0) 8 10 00 77.", "wrap": true, "spacing": "ExtraLarge", "size": "Small", "separator": true } ], "msteams": { "width": "full" }, "$schema": "http://adaptivecards.io/schemas/adaptive-card.json", "version": "1.3", "actions": [ { "type": "Action.OpenUrl", "title": "Go to Truesec Portal", "url": "@{triggerBody()?['url']}", "style": "positive" }, { "type": "Action.OpenUrl", "title": "E-mail Truesec SOC", "url": "mailto:support@truesec.com?subject=@{triggerBody()?['id']}" } ] }
-
Save the flow.
Once you have saved the flow, collect the HTTP URL from your trigger event. Select the event When a Teams webhook request is received and find your HTTP URL. You’ll need this to activate the outgoing Webhook in the Truesec Platform, and to test your flow.
You will find your flow saved in Power Automate, or in the Teams Workflows app overview.
Next step is to configure your outgoing webhook