Updated on January 15, 2025

Microsoft Teams Plugin for Ticket Orchestrator

Microsoft Teams Plugin for Ticket Orchestrator

This document explains how to configure your Microsoft Teams v1.1.0 plugin with the Ticket Orchestrator module of the Netskope Cloud Exchange platform. This plugin supports creating notifications and sending it to Microsoft Teams for Netskope alerts.

Prerequisites

To complete this configuration, you need:

Workflow

  1. Create a Workflow in the required Microsoft Teams channel.
  2. Configure the Microsoft Teams plugin.
  3. Configure a Ticket Orchestrator Business Rule for Microsoft Teams.
  4. Configure a Ticket Orchestrator Queue for Microsoft Teams.
  5. Validate the Microsoft Teams Plugin.
CE Version Compatibility

Netskope CE v4.2.0 and v5.0.1

Microsoft Teams Plugin Support

This plugin supports creating notifications and sending it to Microsoft Teams for Netskope alerts.

Supported Alert types for notifications Anomaly, Compromised Credentials, policy, Legal Hold, malsite, Malware, DLP, Security Assessment, watchlist, quarantine, Remediation, UBA, CTEP
Supported Alerts types from Cloud Exchange plugin Information, Warning, Error
Mappings
Queue Mapping
Default mapped field for custom message Alert ID: “$id”App: “$app”Alert Name: “$alertName”Alert Type: “$alertType”

App Category: “$appCategory”

User: “$user”
Permissions

Permission to send data to Workflow URL.

API Details

The plugin utilizes the Workflow URL to execute data transmission via a POST request directed at the provided URL.

List of APIs Used
API Endpoint Method Use case
Workflow URL Post Sending Post request to Provided Workflow URL
Create Ticket

API Endpoint: <URL of your Workflow>

For example:

https://prod-xx.centralindia.logic.azure.com:443/workflows/xyz/triggers/manual/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=abcid

Method: POST
Parameters: None
Body

{
    "type": "message",
    "attachments": [
        {
            "contentType": "application/vnd.microsoft.card.adaptive",
            "contentUrl": null,
            "content": {
                "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
                "type": "AdaptiveCard",
                "version": "1.4",
                "body": [
                    {
                        "type": "TextBlock",
                        "text": "Message from Netskope CE CTO Microsoft Teams plugin",
                        "wrap": true,
                        "style": "heading",
                        "size": "medium",
                        "weight": "bolder",
                        "isSubtle": true
                    },
                    {
                        "type": "TextBlock",
                        "text": "Alert ID: 812\nApp: abc\nAlert Name: nndji\nAlert Type: DLP\nApp Category: qwerty\nUser: abc@gmail.com",
                        "wrap": true
                    }
                ]
            }
        }
    ]
}

Sample API Response

202 Accepted
Performance Matrix

These readings are collected on a Large CE Stack with these specifications by running the plugin for a few hours in order to receive a message notification in Microsoft Teams channel.

Stack details Size: Large
RAM: 32 GB
CPU: 16 Cores
Notification/Message received in Microsoft Teams channel 5 Notifications per minute

Note that the performance readings were taken by running the plugin for a duration of 1 hour. During this time, the plugin is configured to send alerts at a rate of 25 events every 5 minutes.

User Agent

netskope-ce-5.0.1-cto-microsoft-teams-v1.1.0

Click play to watch a video.

 

Get your Workflow URL in the Microsoft Teams Channel

  1. Log in to Microsoft Teams and create a Team.
  2. Create a Channel where you want to receive Notifications.
  3. Select channel menu and click Workflow.
  4. Select Post to a channel when a webhook request is received.
  5. Enter a name for the workflow.
  6. Select a Team and Channel, and then click Add Workflow.
  7. Copy Workflow URL.

Another option is to follow these instructions: https://support.microsoft.com/en-us/office/post-a-workflow-when-a-webhook-request-is-received-in-microsoft-teams-8ae491c7-0394-4861-ba59-055e33f75498.

Configure the Microsoft Teams Plugin

  1. Log in to Cloud Exchange and go to Settings > Plugins. Search for and select the Microsoft Teams v1.1.0 (CTE) plugin box.
  2. Enter a Configuration Name and change the Sync Interval as per your requirement.
  3. Click Next. Enter your Workflow URL to send notification messages to your Microsoft Teams channel.
  4. Click Save.

Add a Ticket Orchestrator Business Rule for Microsoft Teams

Create a business rule based on the filters you need to generate tickets in the Microsoft Teams plugin

  1. In Ticket Orchestrator, go to Business Rules.
  2. Click Create New Rule.
  3. Enter a Rule Name, and build the appropriate filter query condition on the field(s) for the business rule. You can also type the query manually by pressing the Filter Query button.
  4. When finished, click Save.
  5. To test the newly created business rule, click the Sync icon and enter the Time period (in days), and then click Fetch button. This shows the number of alerts that are eligible for incident/ticket creation.

Add a Ticket Orchestrator Queue for Microsoft Teams

  1. In Ticket Orchestrator, go to Queues.
  2. Click Add Queue Configuration, and then select your Business Rule, your plugin Configuration, and queue from the dropdown.
  3. Click Save and Sync the queue if you already have the alerts pulled.

Validate the Microsoft Teams Plugin

Validate on Netskope CE

  1. In order to validate the workflow, you must have Netskope Alerts. Go to Alerts to validate the presence of Alerts.
  2. Verify Ticket creation from the Logging page.
  3. To view the list of tickets created on Microsoft Teams, go to Tickets in Ticket Orchestrator.

Validate on Microsoft Teams

To validate the ticket creation in Microsoft Teams, go to Teams > Channel for which the workflow was created. Validate a Alert Notification message was received.

Troubleshooting the Microsoft Teams Plugin

Unable to create notification using plugin
  • No alerts are available in CE or no new alerts are pulled.
  • Business Rule has no alerts filtered.

What to do: Determine the root cause from above and select the best resolution.
No alerts are available in CE or no new alerts are pulled
Check if the alerts are available in the Alerts page, if no alerts are available the ticket won’t be created. Configure Tenant or other required configuration to create alerts in CTO.
Business Rule has no alerts filtered
Check the business rule and test it to confirm if it has any alerts filtered, if no alerts are available in the filtering, update the business rule.

Unable to receive the expected messages in your Microsoft Teams channel:
  • Workflow is failing due to throttling limit
  • Rate-Limit is reached for workflow

What to do : Determine the root cause and follow these steps to troubleshoot the issue:

Check Run History in Microsoft Teams Workflow

    1. Go to the Workflow in Microsoft Teams.
    2. Locate and click on the workflow you created for sending alerts.
    3. Scroll down to the Run History section.

Review the Run History

    1. Check the status of each run in history.
    2. If any requests have failed, click on the failed request to view more details
    3. Click Resubmit.



Rate-Limit Reached

Description: If you encounter a rate-limit error, this means that the number of messages sent exceeded the allowed limit within a specific time frame.

Action:

    • Review the failed records in the run history.
    • Resubmit these records after the indicated interval to avoid hitting the rate limit again.

Limitations

Rate Limiting

  • Description: Microsoft Teams enforces rate limits on the number of messages that can be sent to a channel within a given timeframe. Exceeding these limits can result in failed requests.
  • Impact: If too many alerts are sent in a short period, some messages may fail to deliver, requiring manual resubmission after the rate limit resets.

Message Size Restrictions

  • Description: Microsoft Teams imposes a limit on the size of messages that can be sent via webhooks.
  • Impact: Alerts containing large amounts of data or attachments may exceed this limit, resulting in message delivery failures. Consider summarizing data or using links to external resources.

Workflow Execution Time

  • Description: The time taken to process and send alerts through the workflow may vary depending on the number of alerts and the complexity of the workflow.
  • Impact: During high-traffic periods, there may be delays in receiving alerts in the Teams channel, which could affect timely notifications.

Dependency on Microsoft Teams Availability

  • Description: The successful delivery of alerts depends on the availability of Microsoft Teams services.
  • Impact: If Microsoft Teams experiences downtime or connectivity issues, alerts may not be delivered until services are restored.

Limited Error Handling in Workflow

  • Description: The workflow may not automatically handle certain types of errors, such as network failures or unexpected API responses.
  • Impact: Manual intervention may be required to identify and resolve issues when messages fail to send.

Refer to the Microsoft Documentation for more details about rate-limit and throttling limit based on subscription types:

Share this Doc

Microsoft Teams Plugin for Ticket Orchestrator

Or copy link

In this topic ...