FortiSOAR For Microsoft Teams Application

FortiSOAR For Microsoft Teams Application v1.0.0

Home FortiSOAR Connectors FortiSOAR For Microsoft Teams Application

1.0.0

FortiSOAR For Microsoft Teams Application v1.0.0

About the FortiSOAR For Microsoft Teams Application

The FortiSOAR for Microsoft Teams application (app) builds a bridge for seamless integration with FortiSOAR, allowing you to leverage the power of FortiSOAR as part of your daily communications and threat investigation routines.

The FortiSOAR For Microsoft Teams app enables end-to-end communication with Microsoft Teams. You can add the integration app to your Microsoft Teams workspace to use the Microsoft Teams integrations that are currently available:

@Mentions Commands: Trigger FortiSOAR workflows by using @mentions in Microsoft Teams. The list of supported @mentions is as follows:
- @FortiSOAR createAlert command to create an alert in FortiSOAR using the alert creation form.
- @FortiSOAR createIndicator command to create an indicator in FortiSOAR. Optionally, you can add an indicator value to this command, in the format, @fortisoar createIndicator [indicator_value] to add an indicator in FortiSOAR and get the latest enrichment back to Microsoft Teams within seconds.
- @FortiSOAR enrichIP [IP Address] command to enrich the provided indications. This returns the information about the specified indicator using the configured threat intelligence connectors such as VirusTotal, IP Stack, etc.
- @FortiSOAR availableCommands command lists all the available tags that can be used to trigger a playbook.
- @FortiSOAR invokePlaybook [playbook tag] command to trigger a playbook in FortiSOAR. You must ensure that playbooks that require to be triggered from Microsoft Teams have the default bot_enabled tag added to the playbooks.
  An Example: A playbook used for getting approval from users to block a particular IP address contains the tags 'approval_blockIndicators_msteams', and the default 'bot_enabled'. Generally, msteams is added to the tag so that it can be distinguished from any other existing tags. To trigger this playbook from Microsoft Teams, use the @FortiSOAR invokePlaybook approval_blockIndicators_msteams command.
- @FortiSOAR help command to display the available commands and their usage details.
IMPORTANT: You do not need to use @mentions, i.e., @FortiSOAR when you are running commands directly in conversations with a user (one-to-one direct chat; instead you can just directly type the command. For example, directly use the createAlert command.
Manual Inputs: 'Microsoft Teams' can be used as a channel for the delivery of manual inputs, including approval prompts to achieve seamless integration between Microsoft Teams and FortiSOAR. You can trigger manual input playbooks in FortiSOAR, send the manual input or approval form to users on Microsoft Teams to get their responses, and based on the responses, resume the playbooks in FortiSOAR.

Process of setting up the bi-directional integration between MS Teams and FortiSOAR

Setup the FortiSOAR for Microsoft Teams app on Azure
Enable the Microsoft Teams channel in Azure
Configure the Microsoft Teams channel in Azure
Set up FortiSOAR for Microsoft Teams app on Microsoft Teams
Configuring the FortiSOAR For Microsoft Teams Application in your FortiSOAR instance

Once you have set up the FortiSOAR for Microsoft Teams application, you can begin using the app as described in the FortiSOAR-Microsoft Teams Application Usage topic.

Version Information:

FortiSOAR For Microsoft Teams Application: 1.0.0

FortiSOAR™ Version Tested on: 7.4.1-3167

Microsoft Teams connector Version Tested on: 3.0.0

Authored By: Fortinet

Setting up FortiSOAR for Microsoft Teams app on Azure

Configuring the Azure Bot Service for FortiSOAR for Microsoft Teams app

Create a user who has an “Access control (IAM)” role with the following permissions assigned:
Microsoft.BotService/*/read Microsoft.BotService/*/write Microsoft.BotService/*/delete
Log in to the Azure Portal using your credentials.
On the Azure Home page, use the Search bar and search for 'Bot Services'
Select Bot Services, and on the Applied AI services | Bot services page, click Create:
On the Bot Services page, select Azure Bot:
On the Azure Bot page, click Create:
On the Create an Azure Bot > Basic Tags page, enter the following details for the service:
- Bot handle: Specify the name of the Azure Bot that you want to create. For example, enter FortiSOARMSTeamsBot.
- Subscription: Select your Azure subscription.
- Resource group: Select your resource group option. A resource group is a collection of resources that share the same lifecycle, permission, and policies.
- Data residency: You can use this option to limit the regions where data is stored and processed and the channels available for your bot. If you do not want to limit the regions, then select Global.
- Pricing tier: Select a pricing tier for your Azure Bot resource. By default, this is set to Standard. Bot Service Premium Messages pricing includes messages sent and received using the Premium Channel.
- Type of App: Select the type of application that you want to create based on user requirements. You can choose between Multi-Tenant or Single Tenant. Select Multi-Tenant for the FortiSOAR For Microsoft Teams app.
- Creation Type: Select the creation type, i.e., use a new Microsoft ID or Use existing app registration for the FortiSOAR For Microsoft Teams app based on your requirements. Select Multi-Tenant for the FortiSOAR For Microsoft Teams app.
(Optional) If you want to categorize the bot using tags, click the Tags tab and add the appropriate tags in the key-value format.
Click Review + Create:
Once all validations are passed, click Create on the Review + Create page. :
Clicking Create initializes the deployment of the Azure Bot.
After the Azure Bot service is successfully created, you can view its details, as shown in the following image:

Enabling the Microsoft Teams communication channel in Azure

After a successful deployment of the Azure Bot service, you need to add Microsoft Teams as a communication channel.

Open the page of the Azure Bot service you have created on the Azure portal, in our example the FortiSOARMSTeamsBOT page.
From the left menu, click Channels:
On the Microsoft Teams page select the Terms of Service option, and click Agree:
Select the Messaging option as per your requirement and click Apply to save and enable the Microsoft Teams channel for FortiSOARMSTeamsBOT.

NOTE: Calling is not supported by FortiSOARMSTeamsBOT.

Configuring the Microsoft Teams channel in Azure

After successfully enabling the Microsoft Teams channel in Azure deployment, you need to configure the Microsoft Teams communication channel in Azure.

IMPORTANT: You must have "admin" access in Azure to configure the Microsoft Teams channel in Azure.

Open the page of the Azure Bot service you have created on the Azure portal, in our example the FortiSOARMSTeamsBOT page.
From the left menu, click Configuration.
On the Configuration page, enter the following details:
- In the Messaging endpoint field, specify the FortiSOAR public URL that will be used to communicate with Microsoft Teams in the following format:
  https://<FortiSOAR_Public_Instance URL>/msteamsbot/api/messages
- The Microsoft App ID field, auto-generates the APP ID for your Microsoft Teams channel, which is used for bi-directional communication.
  IMPORTANT: This is the ID that you need to specify while configuring the Microsoft Teams Connector bi-directional communication. When you select the 'Enable Bot Communication' option connector's configuration page, you are required to enter this value in the App ID field.
  
  IMPORTANT: The FortiSOAR For Microsoft Teams Application is supported on version 3.0.0 or later of the Microsoft Teams connector. For more information on the Microsoft Teams connector, see the Microsoft Teams Connector document on the FortiSOAR Connectors page.
- Click Apply to save your changes
Next, you need to get 'Certificates & secrets' that are also required to set up bi-directional communication between Microsoft Teams and FortiSOAR:
1. On the Configuration page, click the Manage Password link that appears alongside the Microsoft App ID field to open the Certificates & secrets page.
2. Click +New client secret to display the Add a client secret dialog
3. In the Add a client secret dialog enter the following details:
  - Description: Enter the description for the MS Teams client's secret
  - Expires: Select the time frame after which this secret will expire. You can choose Custom from the drop-down list and specify a custom time range. The recommended time range is 6 months.
  - Click Add.
    This creates the client secret for the application:
    IMPORTANT: The value of the client's secret (password) is visible only once initially; therefore you must remember to store the password. This is the value that you need to specify while configuring the Microsoft Teams Connector bi-directional communication. When you select the 'Enable Bot Communication' option connector's configuration page, you require to enter this value in the App Password field.
    If you do not store the password or forget the password, you require to regenerate this password, the steps for which are mentioned in the Use the Azure portal to Create an Azure Bot resource document.

Setting up FortiSOAR for Microsoft Teams app on Microsoft Teams

To set up the FortiSOAR for Microsoft Teams app on Microsoft Teams, you must upload the attached FortiSOAR_MSTeams_APP.zip file in the Microsoft Teams 'Apps' section after updating the included 'manifest.json' file included in the zip file.

Permissions Required

Users who require to upload the app to Microsoft Teams must be assigned a role with the minimum permission of "Teams Communications Support Engineer".
Users who require to approve the app request in Microsoft Teams must be assigned a role with the minimum permission of "Teams Administrator".

Procedure

Download the attached 'FortiSOAR_MSTeams_APP.zip' file and open the manifest.json file.
Replace the values of the "id" and "botId" parameters with your App ID and save the file:

See the Configuring the Microsoft Teams channel in Azure topic for information on how to get an App ID.
NOTE: The name of the app that is displayed in the Apps section of Microsoft Teams is the name that you added in “name” > “short” parameter in the manifest.json. In our case, we have added "FortiSOAR" so "FortiSOAR" is displayed when you add the app to Microsoft Teams.
Also, note that the name that you specify in the “short” parameter must contain FortiSOAR (case-insensitive) for example it could be Demofortisoar or fortisoarBot.
IMPORTANT: Do not modify any other value in the manifest.json file.
Create a new zip file containing the updated manifest.json.
Upload this zip file in the Microsoft Teams 'Apps' section:
1. Open Microsoft Teams, and then click the Apps icon on the left navigation bar, and click Manage your Apps:
2. Click Upload an app, and then select the Submit an app to your org option.
  
  Browse to the location where you have saved the updated FortiSOAR_MSTeams_APP.zip file.
Add your app to Teams as per your requirement:
Click Add to add the FortiSOAR_MSTeams_APP as your personal app.
OR
Use the drop-down menu to add the FortiSOAR_MSTeams_APP to a Team or Chat.
Once the administrator approves the app, the FortiSOAR_MSTeams_APP gets displayed in the Built for your org section:
Add the app to the team or chat as required by clicking FortiSOAR in the 'Built for your org' section and from the Add drop-down, click Add to a team and then select the team in which you want to add 'FortiSOAR', and then click Set up a bot. For our example, we have added the "FortiSOAR" app to Microsoft Teams and added the same to the 'Demo' channel:

Similarly, you can add the 'FortiSOAR' app to any chat or group chat by clicking Add to a chat and then selecting the chat or group chat in which you want to add 'FortiSOAR'.
Once you have added the app to any team or chat, then the app in the Built for your org section displays Open:

NOTE: After the app is approved and the app is added to respective teams, both the "Teams Administrator" and all the Microsoft Team Users might have to log out and log back into Teams to view the app that is newly added to Teams.
For more information, see the Uploading an App on Teams document.

Troubleshooting

How to delete an existing app in case of any failure

NOTE: To delete an existing app, "Teams Administrator" access is required.

Log in to the Microsoft Teams admin center using the https://admin.teams.microsoft.com/ link
From the left-hand navigation menu, select Teams apps, and then click Manage apps:
Use the 'Search' bar to search for the installed FortiSOAR app.
Click the FortiSOAR app, and then click ..., then click Action > Delete to delete the app:

Configuring the FortiSOAR For Microsoft Teams Application in your FortiSOAR instance

IMPORTANT: The bi-directional communication between Microsoft Teams and FortiSOAR is supported only on FortiSOAR nodes, i.e., this feature is currently not supported on FSR Agent nodes. Also, bi-directional communication between Microsoft Teams and FortiSOAR is not supported in an air-gapped environment.

Ensure that you have installed the FortiSOAR For Microsoft Teams Solution Pack using Content Hub in your FortiSOAR instance. For more information on the FortiSOAR For Microsoft Teams Solution Pack, see the Content Hub Portal.
In brief, the FortiSOAR For Microsoft Teams Solution Pack does the following:
- Installs the Microsoft Teams connector. The FortiSOAR For Microsoft Teams Application is supported on version 3.0.0 or later of the Microsoft Teams connector.
- Adds the following new channels to 'Notifications':
  - Microsoft Teams Link channel: Sends a message to the Microsoft Teams application when a rule using this channel is triggered.
  - Microsoft Teams channel: Sends an inline interactive form to the Microsoft Teams application when a rule using this channel is triggered.
- Adds the following new delivery rules:
  - Microsoft Teams > Notify For External Manual Input: Sends an inline interactive form to the Microsoft Teams application when the manual input step for Microsoft Teams is triggered.
  - Microsoft Teams > Send Manual Input Link To Microsoft Teams: Sends a link to Microsoft Teams to click and open the manual input form on the FortiSOAR interface.
  - Microsoft Teams > Notify On Playbook Failure: Sends an error when a playbook with a bot_enabled tag fails.
- Adds a playbook collection name "02 - Use Case - FortiSOAR for Microsoft Teams" that contains playbooks to support triggering the @FortiSOAR createAlert and @FortiSOAR createIndicator commands on Microsoft Teams to create an alert or indicator in FortiSOAR. It also contains the 'Enrich IP' playbook that can be triggered from Microsoft Teams to enrich an IP address using the enrichIP command, and the 'Enrich IP > Enrichment' playbook that enriches an IP address using VirusTotal and IPStack as threat intelligence solutions and displays the summary on Microsoft Teams application.
- Adds a new system picklist named 'External Channel' used to display the supported external channel options in the Manual Input step. Currently, 'Email', 'Slack', and 'Microsoft Teams' are the channels that can be used to get inputs from users outside FortiSOAR using Manual Inputs.
Ensure that version 3.0.0 or later of the Microsoft Teams connector is configured. For more information, see the Microsoft Teams Connector document on the FortiSOAR Connectors page.
To configure the connector, open the Microsoft Teams connector, and in the Microsoft Teams Connector Configurations popup, you are required to select the Enable Bot Communication checkbox.
Once you select this option, then specify the following parameters based on your configured FortiSOAR for Microsoft Teams Application:
- App Service URL: Specify the service URL of the FortiSOAR for the Microsoft Teams Application.
  NOTE: The Service URL differs based on the specified region.
- App ID: Specify the Application ID of your configured FortiSOAR for Microsoft Teams Application. See the Configuring the Microsoft Teams channel in Azure topic for information on how to get an App ID.
- App Password: Specify the Application Secret of your FortiSOAR for Microsoft Teams Application. See the Configuring the Microsoft Teams channel in Azure topic for information on how to get an App Password.
To enable Manual Inputs delivery and response on the Microsoft Teams channel, ensure that you configure manual inputs appropriately. For more information, see the Example of running a Manual Input playbook that uses Microsoft Teams as a delivery medium topic and the 'Manual' Inputs topic in the Triggers & Steps chapter of the Playbooks Guide, which is part of the FortiSOAR Product Documentation.

IMPORTANT: If you have multiple instances of FortiSOAR on which you want to enable bi-directional integration with Microsoft Teams, then you need to create, configure, and install separate apps for each instance of FortiSOAR. Also, note that in this case the name specified in the “short” parameter must be unique and must contain FortiSOAR as a keyword.

FortiSOAR-Microsoft Teams Application Usage

Once you have completed setting up FortiSOAR for Microsoft Teams app on Azure, configured the Microsoft Teams connector, and installed the FortiSOAR For Microsoft Teams Solution pack, the bridge enabling integration of FortiSOAR with Microsoft Teams is ready for end-to-end communication between FortiSOAR and Microsoft Teams.

Once you have added the 'FortiSOAR' app in the 'Demo' Team in Microsoft Teams as described in the 'Setting up FortiSOAR for Microsoft Teams app on Microsoft Teams' topic, you can begin using the integration using @FortiSOAR:

If you need any help at any time with the supported '@mentions' commands or the list of tags labels that can be used to trigger playbooks, you can type @FortiSOAR help in the teams or chats that have the FortiSOAR app added, 'Demo' in our example. The following image displays the list of commands that can be used to trigger playbooks from Microsoft Teams:

Using @mentions creates conversation threads in Microsoft Teams.

The various integrations between Microsoft Teams and FortiSOAR are achieved using FortiSOAR Playbooks therefore, you can view the progress of integration using the 'Executed Playbook Logs' in FortiSOAR.

Example of adding an alert or indicator using @mentions

Adding an alert

To quickly add an alert in FortiSOAR using the @mentions, in your 'Demo' channel, type @FortiSOAR createAlert:

This displays the following input form in which you can fill in details to create the alert in FortiSOAR:

Once you complete filling in the details click Create Alert, which displays appropriate messages, and adds the alert in FortiSOAR:

The FortiSOAR app in Microsoft Teams displays messages for the successful execution of actions or appropriate error messages for failures of actions. For example, once the alert is added in FortiSOAR, a message such as "Done! Alert 'Demo Alert' successfully created. View Alert", is displayed as part of the conversation thread as displayed in the above image.
Also, an alert named "Demo Alert" is added to your FortiSOAR instance:

Similarly, you can add an indicator in FortiSOAR by running the @FortiSOAR createIndicator command in the 'Demo' team. This command displays an indicator creation input form that you can fill out and submit the indicator.

Adding an indicator with the indicator value specified

You can also quickly add an indicator in FortiSOAR without requiring the input form to be displayed by specifying the indicator value along with @mentions in the @FortiSOAR createIndicator <indicatorValue> format. For example, type the @FortiSOAR createIndicator gumblar.cn command in the 'Demo' team:

This adds an indicator with its value set to 'gumblar.cn' in your FortiSOAR instance:

Example of invoking a FortiSOAR playbook from Microsoft Teams

This example explains how you can trigger the 'Enrich IP' playbook that is included in the "02 - Use Case - FortiSOAR for Microsoft Teams" playbook collection and has already been enabled to be triggered from Microsoft Teams using @mentions:

The 'Enrich IP' playbook already has the default 'bot_enabled' tag, as well as the 'enrich_ip_msteams' tag, which is the command that you will use to trigger this playbook. Also, this playbook has already set the current conversation's context. To get the current conversations' context, use vars.bot_context.conversation_id that gets the ID of the team, chat, or group chat in Microsoft Teams that has triggered the playbook. To run this playbook successfully, you must have configured threat intelligence connectors, which would analyze the submitted IP. In the case of this sample playbook, you must have the VirusTotal and IPStack connectors configured on your FortiSOAR instance. For the recommendations and requirements on how to create a playbook to be triggered from Microsoft Teams, see the How to create a custom playbook that can be triggered from Microsoft Teams topic.

To enrich an IP address from Microsoft Teams, invoke the 'Enrich IP' playbook using @FortiSOAR enrichIP <IPValue> command. For example, type @FortiSOAR enrichIP 1.1.1.1 in the 'Demo' team. Since both the VirusTotal and IPStack connectors are configured, the indicator reputation summary from both VirusTotal and IPStack is displayed as a 'Thread' in the 'Demo' channel:

IMPORTANT: To use the @FortiSOAR invokePlaybook command, you must use a 'Manual Input' step to collect response/input from users; i.e., direct input to the command is not supported. For example, @FortiSOAR invokePlaybook enrich_ip_msteams 1.1.1 fails with the 'Playbook with specified tag "enrich_ip_msteams 1.1.1.1" not found' message.

Example of using availableCommands

You can use @FortiSOAR availableCommands to list all available tags that can be used to trigger a playbook in FortiSOAR as displayed in the following image:

Example of running a Manual Input playbook that uses Microsoft Teams as a delivery medium

To use 'Microsoft Teams' as a channel for the delivery of manual input, you must create the playbook as defined in the 'Manual Input' topic of the "Triggers and Steps" chapter in the "Playbooks Guide" that is part of FortiSOAR Product Documentation. In brief, you need to keep the following in mind when designing a manual input step that delivers input prompts to users on Microsoft Teams:

In the 'Medium' section, select the Collect input from external users option, and choose Microsoft Teams as the available channel. Next, choose whether you want to collect user responses by either sending a link to a page that contains the input form to the users (the Send input form link to users option) or by rendering the rich input form inline on the Microsoft Teams channel for users to provide their inputs (the Send interactive input forms inline on external messaging app option).
In the Provide Email Address(s) field, add the email addresses of users, teams, or channel paths from whom you want the response.
The Provide Email Address field supports the following input types:
- Specific user's email address, when you want to send the manual input to a specific Microsoft Teams user.
- Name of the team, when you want to send the manual input to a specific Microsoft Teams channel. For example, in the following image valid team names are "Test Bot Integration", "Solutions", and "FortiSOAR Announcement". Based on the team's name you have specified; the bot will reply on the configured channel, for example, "General" of the respective team:
  
  NOTE: To use Teams name or channel path as input, Teams or Channel name should not have “/” present.
- Channel Path, when you want to send the manual input to a specific team's channel. You can specify the channel path separated by “/”. For example, in the following image, some valid inputs are: “Solutions/Ask Solutions”, “Solutions/Info Sec”, “FortiSOAR Announcement/Announcements”, “FortiSOAR Announcement/Training”:
- Conversation ID, when you want to send the manual input to a specific conversation.
  To get the ID of a particular conversation in Microsoft Teams, open Microsoft Teams in the browser then click the particular conversation (FortiSOAR) to which you want to send the manual input, and copy the conversation ID after conversations/ to ?ctx.In the following image, the ID of the conversation, FortiSOAR, is 19:d632.....spaces:
- Group Chat Conversation ID, when you want to send the manual input to a group chat.
  To get the ID of a group chat in Microsoft Teams, open Microsoft Teams in the browser and then click that group chat, and then copy the ID from after conversations/ to ?ctx.In the following image, the ID of the group chat, DevTest Group Chat is 19:3cea.....@thread.v2:
- Link of Channel, Team, or Message, when you want to send the manual input to a team, channel, or as a direct message:
  - To get the ID of a channel in Microsoft Teams, you need to go to that channel listed on the left side of the app. Select More options (...) and then click Get link to channel. This displays the Get a link to the channel popup, from which you can copy the link:
  - To get the ID of a team in Microsoft Teams, you need to go to that Team listed on the left side of the app. Select More options (...) and then click Get link to team. This displays the Get a link to the team popup, from which you can copy the link to the channel:
  - To get the ID of a message in Microsoft Teams, you need to go to that message listed on the left side of the app. Select More options (...) and then click Copy link. This copies the message ID to the clipboard:
In the 'Input Prompt Design' section, design the input form that you want to present to Microsoft Teams users by adding text and fields.
NOTE: The 'JSON', 'Email Template', and 'Rich Text ' fields are not supported in an input prompt. If you select any of these fields, then they are not displayed in the message displayed in Microsoft Teams.
In the 'Response Mapping' section, add the steps to be executed by the playbook once the users provide their response.

Once you have created the manual input playbook based on the required criteria, you can trigger the same in FortiSOAR.Once triggered, the playbook sends the input prompt to the Microsoft Teams users based on the manual input step configuration.

If the manual input step is designed with the Send input form link to users option, then in the specific team, chat, or group chat, the 'Demo' team in the case of our example, receives a form with a link to the input form that contains the manual input. Clicking the input prompt link (Open input form in the following image) opens the form on a new page, where users can provide their responses and submit the form:
If the manual input step is designed with the Send interactive input forms inline on external messaging apps option, then in the Apps > FortiSOAR > Messages tab, an interactive form is displayed to the respective Microsoft Teams users, where they can provide their inputs and submit the form:

Once the form is submitted the manual input playbook resumes its execution based on user responses. You can see the progress of the Manual Input playbooks in the 'Executed Playbook Logs' in FortiSOAR:
The 'Executed Playbook Logs' in FortiSOAR in the ENV of the Manual Input step contains the 'bot_context' variable with a 'source' parameter that contains the source (Microsoft Teams) from which the playbook is triggered:

NOTE: Keep in mind that 'Manual Input' delivers the input form to users in Microsoft Teams using the 'Send Manual Input/Approval Form to Microsoft Teams' action of the Microsoft Teams Connector. FortiSOAR uses the 'Send Manual Input/Approval Form to Microsoft Teams' action to internally prepare the mapping code for the form object as expected by Microsoft Teams and renders that form in Microsoft Teams. If you want to send customized messages directly to Microsoft Teams users or teams, then you can use the Microsoft Teams connector's 'Send Chat Message' or 'Send Channel Message' actions respectively, instead of using 'Manual Input'.

How to create a custom playbook that can be triggered from Microsoft Teams

Keep the following points in mind while creating a FortiSOAR playbook that can be triggered from Microsoft Teams using @mentions, i.e., the @FortiSOAR invokeplaybook command:

Add the default add 'bot_enabled' tag to the playbook.
Add a tag that represents the action performed by the playbook, when the user triggers the playbook. For example, if the playbook is used to get approval from users to block a particular indicator, then you can add a tag named 'getApproval_BlockIndicator_msteams'.
This tag is used in the command used to trigger the playbook.
Note: It is recommended to create unique tags so that appropriate playbooks get triggered, and add'_msteams' to the tag helps in achieving this objective. However, if the same tag is added to multiple playbooks, then the latest created playbook gets triggered.
It is recommended that the 'Start' step of such playbooks should be of type 'Referenced'.
Add a manual input step to pass inputs from Microsoft Teams to FortiSOAR. See the Example of running a Manual Input playbook that uses Microsoft Teams as a delivery medium topic.
To get the current conversations' context, use {{vars.bot_context.conversation_id}} that gets the ID of the team, chat, or group chat in Microsoft Teams that has triggered the playbook.
To send the response from FortiSOAR to Microsoft Teams it is recommended that you use a common variable, for example, bot_response to send all responses from FortiSOAR to Microsoft Teams.

You can refer to the sample playbooks included in the "02 - Use Case - FortiSOAR for Microsoft Teams" playbook collection, which is shipped with the FortiSOAR For Microsoft Teams solution pack.
NOTE: Ensure that appropriate permissions to the "Playbook Appliance" are assigned to the playbooks that are triggered from the FortiSOAR for Microsoft Teams application.

FortiSOAR_MSTeams_APP.zip

About the FortiSOAR For Microsoft Teams Application

@Mentions Commands: Trigger FortiSOAR workflows by using @mentions in Microsoft Teams. The list of supported @mentions is as follows:
- @FortiSOAR createAlert command to create an alert in FortiSOAR using the alert creation form.
- @FortiSOAR createIndicator command to create an indicator in FortiSOAR. Optionally, you can add an indicator value to this command, in the format, @fortisoar createIndicator [indicator_value] to add an indicator in FortiSOAR and get the latest enrichment back to Microsoft Teams within seconds.
- @FortiSOAR enrichIP [IP Address] command to enrich the provided indications. This returns the information about the specified indicator using the configured threat intelligence connectors such as VirusTotal, IP Stack, etc.
- @FortiSOAR availableCommands command lists all the available tags that can be used to trigger a playbook.
- @FortiSOAR invokePlaybook [playbook tag] command to trigger a playbook in FortiSOAR. You must ensure that playbooks that require to be triggered from Microsoft Teams have the default bot_enabled tag added to the playbooks.
  An Example: A playbook used for getting approval from users to block a particular IP address contains the tags 'approval_blockIndicators_msteams', and the default 'bot_enabled'. Generally, msteams is added to the tag so that it can be distinguished from any other existing tags. To trigger this playbook from Microsoft Teams, use the @FortiSOAR invokePlaybook approval_blockIndicators_msteams command.
- @FortiSOAR help command to display the available commands and their usage details.
IMPORTANT: You do not need to use @mentions, i.e., @FortiSOAR when you are running commands directly in conversations with a user (one-to-one direct chat; instead you can just directly type the command. For example, directly use the createAlert command.
Manual Inputs: 'Microsoft Teams' can be used as a channel for the delivery of manual inputs, including approval prompts to achieve seamless integration between Microsoft Teams and FortiSOAR. You can trigger manual input playbooks in FortiSOAR, send the manual input or approval form to users on Microsoft Teams to get their responses, and based on the responses, resume the playbooks in FortiSOAR.

Process of setting up the bi-directional integration between MS Teams and FortiSOAR

Setup the FortiSOAR for Microsoft Teams app on Azure
Enable the Microsoft Teams channel in Azure
Configure the Microsoft Teams channel in Azure
Set up FortiSOAR for Microsoft Teams app on Microsoft Teams
Configuring the FortiSOAR For Microsoft Teams Application in your FortiSOAR instance

Once you have set up the FortiSOAR for Microsoft Teams application, you can begin using the app as described in the FortiSOAR-Microsoft Teams Application Usage topic.