Interactive Microsoft Sentinel Incident Notifications in Teams via an Azure Logic App Using Adaptive Cards.
Security teams need fast, structured, and contextual alerts. This guide shows how to deliver Sentinel incidents to Teams using Logic Apps.

Introduction.
Many Security Operation Centres (SOCs) rely on rapid, structured, and context-rich alerting mechanisms.
This blog outlines how to build an interactive, dynamic workflow to send Microsoft Sentinel incidents to Microsoft Teams using an Azure Logic App and Adaptive Cards.
This solution enables SOC teams to:
Receive incident alerts in real time within Microsoft Teams.
View key incident metadata in a clean UI.
Take action such as changing severity or closing incidents.
Operate entirely within Microsoft Teams, improving speed and reducing context-switching.
Prerequisites:
To complete this integration, you’ll need the following:
A Microsoft Sentinel instance (active and connected to a Log Analytics Workspace).
Azure Logic App (Standard or Consumption).
Microsoft Teams with an appropriate channel.
Adaptive Card Designer (adaptivecards.io)
Contributor permissions on the relevant resource group.
Example.

Step 1: Designing the Adaptive Card.
The Adaptive Card is the UI element that appears in Teams. Begin by building your Adaptive Card using the web-based Designer tool. Set the host app to "Microsoft Teams - Dark" to preview how it will render in Teams.
Card content:
Header Text: Large title (e.g. “New Microsoft Sentinel Incident Created!”)
Microsoft Sentinel Logo: Insert into a left-hand column using the image URL
https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png
Clickable Incident Link: Markdown
[Click here to view the Incident](incidentURL)
FactSet Section: Display the following dynamically retrieved incident properties:
Incident Title
Incident ID
Creation Time (UTC)
Severity (with conditional colours)
Alert Providers (joined with ;)
MITRE ATT&CK Tactics (joined with ;)
Description
Action section:
Beneath the incident details:
Dropdown: Close Incident
ID: incidentStatus
Choices:
Close incident - False Positive → FalsePositive – IncorrectAlertLogic
Close incident - True Positive → TruePositive – SuspiciousActivity
Close incident - Benign Positive → BenignPositive – SuspiciousButExpected
Don’t close the incident → no (default)
Dropdown: Change Severity
ID: incidentSeverity
Choices:
High
Medium
Low
Informational
Don’t change → same (default)
Submit Button
Title: “Submit response!”
Copy the card JSON from the “Card Payload Editor” once built.
Step 2: Create the Azure Logic App.
Navigate to Microsoft Sentinel > Automation > Create > Playbook with incident trigger.
Configure:
Name: Send-Teams-Adaptive-Card-on-incident-creation
Resource Group: Your Sentinel resource group
Identity: Use a Managed Identity
Proceed to the Logic App Designer.
Step 3: Define Logic App Actions.
3.1: Compose the Adaptive Card:
Add a Compose action. Paste your full Adaptive Card JSON (designed earlier).
Replace static placeholders with dynamic content from the Sentinel trigger.
Examples:
"value": "@{triggerBody()?['object']?['properties']?['title']}"
For arrays like Alert Providers:
"value": "@{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'], '; ')}"
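As an added example (not code from the original post), here is a complete card payload assembled the way Steps 1 and 3.1 describe, with the Logic App expressions already substituted into the Compose action. The trigger field names incidentUrl, incidentNumber, createdTimeUtc, severity, description and additionalData.tactics are assumed from the Sentinel incident trigger schema (only title and alertProductNames appear above), and the severity colour is handled by a separate TextBlock because FactSet values cannot be coloured.

```json
{
  "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
  "type": "AdaptiveCard",
  "version": "1.4",
  "body": [
    { "type": "ColumnSet", "columns": [
      { "type": "Column", "width": "auto", "items": [ { "type": "Image", "size": "Small",
        "url": "https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png" } ] },
      { "type": "Column", "width": "stretch", "items": [ { "type": "TextBlock", "size": "Large", "weight": "Bolder",
        "text": "New Microsoft Sentinel Incident Created!" } ] }
    ] },
    { "type": "TextBlock", "wrap": true,
      "text": "[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})" },
    { "type": "TextBlock", "wrap": true, "weight": "Bolder",
      "text": "Severity: @{triggerBody()?['object']?['properties']?['severity']}",
      "color": "@{if(equals(triggerBody()?['object']?['properties']?['severity'], 'High'), 'attention', if(equals(triggerBody()?['object']?['properties']?['severity'], 'Medium'), 'warning', 'good'))}" },
    { "type": "FactSet", "facts": [
      { "title": "Incident Title", "value": "@{triggerBody()?['object']?['properties']?['title']}" },
      { "title": "Incident ID", "value": "@{triggerBody()?['object']?['properties']?['incidentNumber']}" },
      { "title": "Creation Time (UTC)", "value": "@{triggerBody()?['object']?['properties']?['createdTimeUtc']}" },
      { "title": "Alert Providers",
        "value": "@{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'], '; ')}" },
      { "title": "MITRE ATT&CK Tactics",
        "value": "@{join(triggerBody()?['object']?['properties']?['additionalData']?['tactics'], '; ')}" },
      { "title": "Description", "value": "@{triggerBody()?['object']?['properties']?['description']}" }
    ] },
    { "type": "Input.ChoiceSet", "id": "incidentStatus", "label": "Close Incident", "value": "no", "choices": [
      { "title": "Close incident - False Positive", "value": "FalsePositive - IncorrectAlertLogic" },
      { "title": "Close incident - True Positive", "value": "TruePositive - SuspiciousActivity" },
      { "title": "Close incident - Benign Positive", "value": "BenignPositive - SuspiciousButExpected" },
      { "title": "Don't close the incident", "value": "no" }
    ] },
    { "type": "Input.ChoiceSet", "id": "incidentSeverity", "label": "Change Severity", "value": "same", "choices": [
      { "title": "High", "value": "High" },
      { "title": "Medium", "value": "Medium" },
      { "title": "Low", "value": "Low" },
      { "title": "Informational", "value": "Informational" },
      { "title": "Don't change", "value": "same" }
    ] }
  ],
  "actions": [ { "type": "Action.Submit", "title": "Submit response!" } ]
}
```

The @{...} expressions are evaluated by the Logic App before the card is posted, so Teams only ever receives literal values. The data object returned by "Post adaptive card and wait for a response" carries the incidentStatus and incidentSeverity selections that Step 4 reads.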
3.2: Post to Teams:
Add an action: Microsoft Teams > Post adaptive card and wait for a response.
Configure:
Post as: Flow bot
Post in: Teams channel
Message: Outputs from Compose
Update message: "Thanks for your response!"
Step 4: Process the Response.
4.1: Update Severity:
Add Condition: if incidentSeverity is not equal to same. Under True:
Add Update Incident (Sentinel)
Pass new severity from the card response using:
body('Post_Adaptive_Card_and_wait_for_a_response')?['data']?['incidentSeverity']
4.2: Close the Incident:
Add another Condition: if incidentStatus is not equal to no. Under True:
Add Update Incident with status Closed
Add classification reason based on card input
Enhancements and Best Practices.
Use attention, warning, and good colours to visually reflect incident severity
Embed Sentinel and company logos in the card for professional branding
Add follow-up cards or messages to Teams confirming actions taken
Consider including user feedback or quick triage options (e.g. "Is this activity expected?")
Conclusion.
This integration brings security events directly into the operational workflow, reducing response time and enabling immediate action within Microsoft Teams. By automating incident delivery and embedding response options into the conversation flow, this method enhances visibility and efficiency in SOC environments.
→ Next Steps:
Add enrichment (e.g. GeoIP, Identity Risk Levels).
Extend with logic for multi-stage approvals.
Publish your Adaptive Card JSON to internal GitHub for standardisation.
Use role-based access to scope which alerts trigger playbooks.
Let incidents come to the team — not the other way around.