# Interactive Microsoft Sentinel Incident Notifications in Teams via an Azure Logic App Using Adaptive Cards.

# Introduction.

Many Security Operation Centres (SOCs) rely on rapid, structured, and context-rich alerting mechanisms.

This blog outlines how to build an interactive, dynamic workflow to send Microsoft Sentinel incidents to Microsoft Teams using an Azure Logic App and Adaptive Cards.

This solution enables SOC teams to:

* Receive incident alerts in real time within Microsoft Teams.
    
* View key incident metadata in a clean UI.
    
* Take action such as changing severity or closing incidents.
    
* Operate entirely within Microsoft Teams, improving speed and reducing context-switching.
    

---

# Prerequisites:

To complete this interaction, you’ll need the following:

* A Microsoft Sentinel instance (active and connected to a Log Analytic Workspace).
    
* Azure Logic App (Standard or Consumption).
    
* Microsoft Teams with an appropriate channel.
    
* Adaptive Card Designer ([adaptivecards.io](https://adaptivecards.io/))
    
* Contributor permissions on the relevant resource group.
    

---

# Example.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1750332821006/110f5673-086f-4b17-91d9-92a4c35cc3b2.png align="center")

---

# Step 1: Designing the Adaptive Card.

The Adaptive Card is the UI element that appears in Teams. Begin by building your Adaptive Card using the web-based Designer tool. Set the host app to "Microsoft Teams - Dark" to preview how it will render in Teams.

### Card content:

1. Header Text: Large title (e.g. “New Microsoft Sentinel Incident Created!”)
    
2. Microsoft Sentinel Logo: Insert into a left-hand column using image URL  
    [`https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png`](https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png)
    
3. Clickable Incident Link: Markdown `[Click here to view the Incident](incidentURL)`
    
4. FactSet Section: Display the following dynamically retrieved incident properties:
    
    1. Incident Title
        
    2. Incident ID
        
    3. Creation Time (UTC)
        
    4. Severity (with conditional colours)
        
    5. Alert Providers (joined with `;` )
        
    6. MITRE ATT&CK Tactics (joined with `;` )
        
    7. Description
        

### Action section:

Beneath the incident details:

1. Dropdown: Close Incident  
    ID: `incidentStatus`  
    Choices:
    
    Close incident - False Positive → `FalsePositive – IncorrectAlertLogic`
    
    * Close incident - True Positive → `TruePositive – SuspiciousActivity`
        
    * Close incident - Benign Positive → `BenignPositive – SuspiciousButExpected`
        
    * Don’t close the incident → `no` (default)
        
2. Dropdown: Change Severity  
    ID: `incidentSeverity`
    
    Choices:
    
    * High
        
    * Medium
        
    * Low
        
    * Informational
        
    * Don’t change → `same` (default)
        
3. Submit Button  
    Title: “Submit response!”
    

<mark>Copy the card JSON from the “Card Payload Editor” once built.</mark>

---

# Step 2: Create the Azure Logic App.

1. Navigate to **Microsoft Sentinel &gt; Automation &gt; Create &gt; Playbook with incident trigger**.
    
2. Configure:
    
    * Name: `Send-Teams-Adaptive-Card-on-incident-creation`
        
    * Resource Group: `Your Sentinel resource group`
        
    * Identity: `Use a Managed Identity`
        
3. Proceed to the Logic App Designer.
    

---

# Step 3: Define Logic App Actions.

### 3.1: Compose the Adaptive Card:

1. Add a `Compose` action.
    
2. Paste your full Adaptive Card JSON (designed earlier).
    
3. Replace static placeholders with **dynamic content** from the Sentinel trigger.
    

**Examples:**

```plaintext
"value": "@{triggerBody()?['object']?['properties']?['title']}"
```

For arrays like Alert Providers:

```plaintext
"value": "@{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'], '; ')}"
```

### 3.2: Post to Teams:

* Add an action: **Microsoft Teams &gt; Post adaptive card and wait for a response**.
    
* Configure:
    
    * **Post as**: `Flow bot`
        
    * **Post in**: `Teams channel`
        
    * **Message**: `Outputs` *from Compose*
        
    * **Update message**: `"Thanks for your response!"`
        

---

# Step 4: Process the Response.

### 4.1: Update Severity:

* Add **Condition**: if `incidentSeverity` is not equal to `same`
    
* Under **True**:
    
    * Add **Update Incident** (Sentinel)
        
    * Pass new severity from the card response using:
        
        ```plaintext
        body('Post_Adaptive_Card_and_wait_for_a_response')?['data']?['incidentSeverity']
        ```
        

### 4.2: Close the Incident:

* Add another **Condition**: if `incidentStatus` is not equal to `no`
    
* Under **True**:
    
    * Add **Update Incident** with status `Closed`
        
    * Add classification reason based on card input
        

---

# Enhancements and Best Practices.

* Use `attention`, `warning`, and `good` colours to visually reflect incident severity
    
* Embed Sentinel and company logos in the card for professional branding
    
* Add follow-up cards or messages to Teams confirming actions taken
    
* Consider including user feedback or quick triage options (e.g. "Is this activity expected?")
    

---

# Conclusion.

This integration brings security events directly into the operational workflow, reducing response time and enabling immediate action within Microsoft Teams. By automating incident delivery and embedding response options into the conversation flow, this method enhances visibility and efficiency in SOC environments.

---

# → Next Steps:

* Add enrichment (e.g. GeoIP, Identity Risk Levels).
    
* Extend with logic for multi-stage approvals.
    
* Publish your Adaptive Card JSON to internal GitHub for standardisation.
    
* Use role-based access to scope which alerts trigger playbooks.
    

Let incidents come to the team — not the other way around.
