I have a use case for automation. This particular automation is as simple as sending a text message and getting a reply. Here, through this automation, I want to automate a security investigation. I fetch the details of the Teams user with the help of a detection rule and I want to send a text message to him asking, “whether he/she has accessed a particular account or not?” and I need to get the reply from them in the Teams chat itself; that should be fetched by my automation workflow and should close the investigation if it gets the answer “YES”.
What is the process to do that? I am stuck at the stage where I have confusions regarding sending and receiving messages. Please help me with that one.
I like the idea and although I haven’t done that yet, I would probably start by first looking at how this Rapid7 Workflow is set up to Send IDR Alerts to Microsoft Teams.
Import it into your environment and have a look at the steps to see what you can re-use vs what you have to add / build new.
The workflow is set up to trigger off of new investigations and send the alert to a specific Teams channel; however, I could see it being modified to remove the generic Teams channel integration and implement a more personalized interaction. You would have to add filter logic to look for specific alert detection use cases and, based on the user that triggered the alert, you can “Create a Team Chat”.
The output of this action provides a variable called chatId. That would be passed into the send message step. You cannot do this with the send HTML message step. In my screenshot I hard coded the id instead of passing from the Create Teams Chat step. For testing purposes I didn’t want to create a bunch of group chats.
Next you will do a loop step. This is a scenario where we are not looping over an array, rather we are using the “Loop Until” feature so that we can create a time delay as we wait for the user to respond.
I am repeating the loop 5 times with a delay of 5 seconds in between each loop.
Inside of the loop we will choose the Microsoft Teams action “List Message from a Chat”. The input for this step is also that same chatId variable we have been using.
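As an added illustration of the reply-polling logic described in this answer (this is not Rapid7's code and not the InsightConnect Teams plugin's actual output), the Python below models the "Loop Until" pattern: ask once, re-list the chat up to 5 times with a 5-second pause, stop as soon as an interpretable reply from someone other than the workflow's own account appears, and only close on an explicit "yes". The message shape (`from.user.id`, `body.content`, `createdDateTime`), the user IDs, timestamps and the `list_messages` callable are all constructed assumptions loosely modelled on the Microsoft Graph chatMessage resource; anything ambiguous or a timeout is routed to an analyst rather than closed.

```python
import re
import time
from typing import Callable, Dict, List, Optional

# Constructed identifiers for the demo; not values from any real tenant.
BOT_USER_ID = "bot-0001"       # the workflow's own Teams account (assumed)
QUESTION_ID = "msg-0001"       # id of the question the workflow posted (assumed)

# Strict yes/no matchers: "Yes, that was me" -> yes, "Yesterday I did" -> no match.
YES_RE = re.compile(r"^\s*(yes|y)\b", re.IGNORECASE)
NO_RE = re.compile(r"^\s*(no|n)\b", re.IGNORECASE)


def strip_html(content: str) -> str:
    """Teams bodies may arrive as HTML; reduce to plain text before matching."""
    return re.sub(r"<[^>]+>", "", content).strip()


def classify_reply(content: str) -> Optional[str]:
    """Return 'yes', 'no', or None when the text is not an explicit answer."""
    text = strip_html(content)
    if YES_RE.match(text):
        return "yes"
    if NO_RE.match(text):
        return "no"
    return None


def find_user_reply(messages: List[Dict], bot_user_id: str, question_id: str) -> Optional[str]:
    """Look only at messages posted after our question by someone other than the bot."""
    asked_at = next((m["createdDateTime"] for m in messages if m["id"] == question_id), None)
    if asked_at is None:
        return None  # our question is not in the listing yet; keep waiting
    candidates = sorted(
        (m for m in messages
         if m["from"]["user"]["id"] != bot_user_id and m["createdDateTime"] > asked_at),
        key=lambda m: m["createdDateTime"],
    )
    for m in candidates:
        verdict = classify_reply(m["body"]["content"])
        if verdict is not None:
            return verdict
    return None


def poll_for_reply(list_messages: Callable[[str], List[Dict]], chat_id: str, bot_user_id: str,
                   question_id: str, attempts: int = 5, delay_s: float = 5,
                   sleep: Callable[[float], None] = time.sleep) -> Dict:
    """The 'Loop Until' step: re-list the chat, stop early on an answer, else time out."""
    for attempt in range(1, attempts + 1):
        verdict = find_user_reply(list_messages(chat_id), bot_user_id, question_id)
        if verdict is not None:
            return {"status": "answered", "verdict": verdict, "attempts": attempt}
        if attempt < attempts:
            sleep(delay_s)
    return {"status": "timeout", "verdict": None, "attempts": attempts}


def decide(result: Dict) -> str:
    """Only an explicit 'yes' closes the investigation; everything else escalates."""
    if result["status"] == "answered" and result["verdict"] == "yes":
        return "close_investigation"
    return "escalate_to_analyst"


def _msg(mid: str, sender: str, content: str, ts: str) -> Dict:
    return {"id": mid, "from": {"user": {"id": sender}}, "body": {"content": content},
            "createdDateTime": ts}


# Constructed sequence of listings, one per poll: the user answers on the third poll.
_QUESTION = _msg(QUESTION_ID, BOT_USER_ID, "Did you sign in to account svc-backup today?",
                 "2024-01-01T10:00:00Z")
_REPLY = _msg("msg-0002", "user-0042", "<p>Yes, that was me</p>", "2024-01-01T10:00:12Z")
SAMPLE_POLLS = [[_QUESTION], [_QUESTION], [_QUESTION, _REPLY]]


def make_fake_lister(polls: List[List[Dict]]) -> Callable[[str], List[Dict]]:
    """Stand-in for the plugin's 'List Message from a Chat' step (assumed interface)."""
    state = {"i": 0}

    def list_messages(chat_id: str) -> List[Dict]:
        idx = min(state["i"], len(polls) - 1)
        state["i"] += 1
        return polls[idx]
    return list_messages


def run_demo(polls: List[List[Dict]] = SAMPLE_POLLS) -> Dict:
    """Run the loop without real sleeping so the demo finishes instantly."""
    return poll_for_reply(make_fake_lister(polls), "chat-demo", BOT_USER_ID, QUESTION_ID,
                          sleep=lambda _s: None)


if __name__ == "__main__":
    outcome = run_demo()
    print(outcome, "->", decide(outcome))
```

In a real workflow `list_messages` would be the plugin step's output and the sleep would be the loop's configured delay; the important design points are that the bot's own messages are ignored, only messages newer than the question count, and a missing or unclear reply never auto-closes.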
Thanks man. I didn’t know we need to create a Teams chat initially. I thought we could just send the message and retrieve the message in another step using the Teams plugin. Thanks for this input. Will let you know the progress, brother!!! Once again, thanks a lot buddy!!
Actually, I could extract the email ID from the detection rule, but I can’t get to know what their role is. And one more thing: can’t I just send the message in normal format (instead of HTML) and use the message ID of that along with the chat ID in the next step with the Teams plugin using the “get message in chat” option? Please help me out with this. And thanks a lot for your reply to my earlier doubt.