AzureTracks.com - Using Microsoft Teams to coordinate Sentinel incidents - Pictured is a man and woman working together on racks in a datacenter.
Andrew Posted on 6:45 am

Post High Severity Incidents in Sentinel to a Teams Channel

Today we explore incident communication using Teams.  One of the great things about Microsoft Sentinel is the ability to integrate with Microsoft Teams, allowing for seamless collaboration and communication during high-severity incident responses.  We will take a look at getting Teams working using a step-by-step guide to post summary information from incidents directly to a Teams channel, alerting our SOC team quickly.

There are a common set of challenges that unite SIEM users and SOC Analysts when it comes to notifications:

  • There are too many emails and notifications that all claim to be important.
  • Action items are often unclear in urgent notifications, requiring investigation that may overlap between team members.
  • Differences between a notification and a critical notification are hard to spot easily at 3am when you work all day!
  • Alert fatigue and burnout are very real, and we have some options available in the Microsoft ecosystem to help us with this if we design our notifications thoughtfully!

Step 1: Verify Permissions

Before you begin, ensure that you have the necessary permissions within Microsoft Sentinel and Microsoft Teams.  You’ll need ‘Incident write’ permissions in Microsoft Sentinel and the ability to create teams in Microsoft Teams.

Step 2: Create a New Team or Use an Existing One

Decide whether you will be posting to an existing Teams channel or if you need to create a new one specifically for Sentinel incidents.  If creating a new team, give it a descriptive name and add relevant members who will be involved in incident response.

I prefer a channel or team dedicated to each serious incident so that I can archive it.  Using MS Teams in this way allows for good hygiene and cleanup.  It also means that if you have to deal with an external auditor, that you can export that team or channel with less complexity.

Step 3: Configure Microsoft Sentinel Integration

In Microsoft Sentinel:

  • Navigate to the ‘Threat management > Incidents’ section.
  • Select the incident you wish to post about and choose ‘Actions > Create team (Preview)’.
    • This will open a pane where you can define the settings for your incident team.
    • Configure the required settings and authentication then save when ready.

Step 3A: Involve the team

At your next SOC team stand-up meeting, get the conversation started about creating a new channel in the incident MS Teams site for major incidents within Sentinel.  It also makes documentation a lot nicer as if you add all the supporting files and conversation within that channel; you can archive that channel when the incident is resolved and keep MS Teams clean for daily use.

Step 4: Set Up a Logic App (Optional)

For more customization, such as formatting the JSON body for the Teams post, consider using a Logic App with an HTTP POST function and a Teams channel Webhook URL.

This allows for greater control over the content and presentation of the incident details in Teams.

Step 5: Test the Integration

After setting up the integration, it’s important to test it to ensure that incidents are being posted correctly to the Teams channel.

Create a test incident in Sentinel and verify that it appears in the designated Teams channel with all the necessary details.  Remember to notify your team members and anyone on-call that you will be testing.

Step 6: Document and Train Your Team

Document the process for future reference and train your team on how to use the Microsoft Sentinel and Teams integration effectively.  Ensure everyone understands their roles and responsibilities during an incident response.  Incident response planning is outside the scope of this post, but a key piece of any successful SOC.

Common Mis-steps with SOC Team Communications

Whether you’re a student, a professional, or simply someone looking to improve your decision-making skills, being aware of common mis-steps can significantly enhance your ability to succeed.  These areas are identified here in an effort to include some additional opportunities for us all to improve as we prepare to tackle another new calendar year.  Some topics are a bit broader than performance as a SOC Analyst, but I love opportunities to both improve myself, and to help lead my team with some perspective.

Here are some of the most prevalent challenges to watch out for:

  • Indecisiveness – this can lead to decision paralysis and often this team member may need some encouragement and confidence to take some risks.
  • Planning – missed planning steps can derail the best projects and initiatives.  Building a roadmap, even if it’s a short drive, can really go a long way to helping the whole team understand where the bus is going.
  • Ineffective Communication – clear and concise communication is key to ensuring that everyone is on the same page.  Miscommunication can lead to errors and misunderstandings.  In a SOC team this can be serious.  It’s a wonderful thing when a SOC team not only gets along, but is truly ‘in sync’ with each other and how we all work together.
  • Change Resistance – change is happening all around us and it takes time to adapt.  When we resist change and adaptation, we really are only holding ourselves back.  The team will evolve.  This is inevitable whether we support that change, or not.  The pace of change in modern IT is truly rapid; being aware that we need time to adapt is alright…just don’t get stuck!

Summary

By following these steps, you can leverage the collaborative environment of Microsoft Teams to enhance your SOC’s incident response capabilities with Microsoft Sentinel.  Remember, the integration is currently in preview, so stay updated on any changes or updates from Microsoft.

Using a collaboration tool like Microsoft Teams to help manage serious incidents can help improve response time (MTTR), resolution planning and mitigation, and help the team to avoid common challenges in the incident response.  Good luck and keep your head in the clouds!