The FortiSOAR for Microsoft Teams application (app) builds a bridge for seamless integration with FortiSOAR, allowing you to leverage the power of FortiSOAR as part of your daily communications and threat investigation routines.
The FortiSOAR For Microsoft Teams app enables end-to-end communication with Microsoft Teams. You can add the integration app to your Microsoft Teams workspace to use the Microsoft Teams integrations that are currently available:
@mentions in Microsoft Teams. The list of supported @mentions is as follows:
@FortiSOAR createAlert command to create an alert in FortiSOAR using the alert creation form.
@FortiSOAR createIndicator command to create an indicator in FortiSOAR. Optionally, you can add an indicator value to this command, in the format @fortisoar createIndicator [indicator_value], to add an indicator in FortiSOAR and get the latest enrichment back to Microsoft Teams within seconds.
@FortiSOAR enrichIP [IP Address] command to enrich the provided indicator. This returns the information about the specified indicator using the configured threat intelligence connectors such as VirusTotal, IP Stack, etc.
@FortiSOAR availableCommands command lists all the available tags that can be used to trigger a playbook.
@FortiSOAR invokePlaybook [playbook tag] command to trigger a playbook in FortiSOAR. You must ensure that playbooks that need to be triggered from Microsoft Teams have the default bot_enabled tag added to the playbooks.
approval_blockIndicators_msteams', and the default 'bot_enabled'. Generally, msteams is added to the tag so that it can be distinguished from any other existing tags. To trigger this playbook from Microsoft Teams, use the @FortiSOAR invokePlaybook approval_blockIndicators_msteams command.
@FortiSOAR help command to display the available commands and their usage details.
createAlert command.
Once you have set up the FortiSOAR for Microsoft Teams application, you can begin using the app as described in the FortiSOAR-Microsoft Teams Application Usage topic.
FortiSOAR For Microsoft Teams Application: 1.0.0
FortiSOAR™ Version Tested on: 7.4.1-3167
Microsoft Teams connector Version Tested on: 3.0.0
Authored By: Fortinet
Microsoft.BotService/*/read
Microsoft.BotService/*/write
Microsoft.BotService/*/delete
Bot Services'
Applied AI services | Bot services page, click Create:
Bot Services page, select Azure Bot:
Azure Bot page, click Create:
Create an Azure Bot > Basic Tags page, enter the following details for the service:

Review + Create page. :
Clicking Create initializes the deployment of the Azure Bot.
After a successful deployment of the Azure Bot service, you need to add Microsoft Teams as a communication channel.
FortiSOARMSTeamsBOT page.
Microsoft Teams page select the Terms of Service option, and click Agree:

After successfully enabling the Microsoft Teams channel in Azure deployment, you need to configure the Microsoft Teams communication channel in Azure.
IMPORTANT: You must have "admin" access in Azure to configure the Microsoft Teams channel in Azure.
Open the page of the Azure Bot service you have created on the Azure portal, in our example the FortiSOARMSTeamsBOT page.
Configuration page, enter the following details:
https://<FortiSOAR_Public_Instance URL>/msteamsbot/api/messages
Configuration page, click the Manage Password link that appears alongside the Microsoft App ID field to open the Certificates & secrets page.
Add a client secret dialog
Add a client secret dialog enter the following details:

IMPORTANT: The value of the client secret (password) is visible only once, when it is first created; therefore, you must remember to store the password. This is the value that you need to specify while configuring the Microsoft Teams Connector bi-directional communication. When you select the 'Enable Bot Communication' option on the connector's configuration page, you are required to enter this value in the App Password field.
To set up the FortiSOAR for Microsoft Teams app on Microsoft Teams, you must upload the attached FortiSOAR_MSTeams_APP.zip file in the Microsoft Teams 'Apps' section after updating the 'manifest.json' file included in the zip file.
id" and "botId" parameters with your App ID and save the file: 
“name” > “short” parameter in the manifest.json. In our case, we have added "FortiSOAR" so "FortiSOAR" is displayed when you add the app to Microsoft Teams.
“short” parameter must contain FortiSOAR (case-insensitive); for example, it could be Demofortisoar or fortisoarBot.
manifest.json file.
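The manifest requirements above can be checked before the zip is uploaded. The following is an added example, not part of the Fortinet package: it assumes "botId" sits under the "bots" array as in the Microsoft Teams app manifest schema, and the App ID, manifests, and helper names are constructed for illustration. It also covers the rule stated on this page that each FortiSOAR instance needs an app with a unique “short” name.

```python
import io
import json
import re
import zipfile

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

APP_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder App ID

# Constructed manifests: GOOD follows the page's rules, BAD breaks two of them.
GOOD = {"id": APP_ID, "name": {"short": "Demofortisoar"},
        "bots": [{"botId": APP_ID}]}
BAD = {"id": APP_ID, "name": {"short": "SOC Bot"},
       "bots": [{"botId": "00000000-0000-0000-0000-000000000000"}]}


def check_manifest(manifest, app_id):
    """Return a list of problems in one manifest; an empty list means OK."""
    problems = []
    if not GUID_RE.match(app_id):
        problems.append("App ID is not a GUID")
    if manifest.get("id") != app_id:
        problems.append('"id" does not match the App ID')
    bots = manifest.get("bots") or []
    if not bots:
        problems.append('no "bots" entry, so there is no "botId" to set')
    for i, bot in enumerate(bots):
        if bot.get("botId") != app_id:
            problems.append(f'bots[{i}]."botId" does not match the App ID')
    short = (manifest.get("name") or {}).get("short", "")
    if "fortisoar" not in short.lower():  # the page: case-insensitive match
        problems.append('"name" > "short" does not contain FortiSOAR')
    return problems


def check_app_zip(zip_bytes, app_id):
    """Validate manifest.json inside an app package supplied as bytes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if "manifest.json" not in zf.namelist():
            return ["manifest.json is missing from the zip"]
        # utf-8-sig tolerates a byte-order mark left by some editors
        manifest = json.loads(zf.read("manifest.json").decode("utf-8-sig"))
    return check_manifest(manifest, app_id)


def duplicate_short_names(manifests):
    """Short names used by more than one manifest (case-insensitive)."""
    seen, dupes = set(), set()
    for m in manifests:
        key = (m.get("name") or {}).get("short", "").lower()
        (dupes if key in seen else seen).add(key)
    return sorted(dupes)


def build_zip(manifest):
    """Build an in-memory app package so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()


if __name__ == "__main__":
    for label, m in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_app_zip(build_zip(m), APP_ID) or "ok")
```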

Built for your org section:

Built for your org section displays Open:
NOTE: To delete an existing app, "Teams Administrator" access is required.


IMPORTANT: The bi-directional communication between Microsoft Teams and FortiSOAR is supported only on FortiSOAR nodes, i.e., this feature is currently not supported on FSR Agent nodes. Also, bi-directional communication between Microsoft Teams and FortiSOAR is not supported in an air-gapped environment.
bot_enabled tag fails.
@FortiSOAR createAlert and @FortiSOAR createIndicator commands on Microsoft Teams to create an alert or indicator in FortiSOAR. It also contains the 'Enrich IP' playbook that can be triggered from Microsoft Teams to enrich an IP address using the enrichIP command, and the 'Enrich IP > Enrichment' playbook that enriches an IP address using VirusTotal and IPStack as threat intelligence solutions and displays the summary in the Microsoft Teams application.
IMPORTANT: If you have multiple instances of FortiSOAR on which you want to enable bi-directional integration with Microsoft Teams, then you need to create, configure, and install separate apps for each instance of FortiSOAR. Also, note that in this case the name specified in the “short” parameter must be unique and must contain FortiSOAR as a keyword.
Once you have completed setting up FortiSOAR for Microsoft Teams app on Azure, configured the Microsoft Teams connector, and installed the FortiSOAR For Microsoft Teams Solution pack, the bridge enabling integration of FortiSOAR with Microsoft Teams is ready for end-to-end communication between FortiSOAR and Microsoft Teams.
Once you have added the 'FortiSOAR' app in the 'Demo' Team in Microsoft Teams as described in the 'Setting up FortiSOAR for Microsoft Teams app on Microsoft Teams' topic, you can begin using the integration using @FortiSOAR:

If you need help at any time with the supported '@mentions' commands or the list of tag labels that can be used to trigger playbooks, you can type @FortiSOAR help in the teams or chats that have the FortiSOAR app added, 'Demo' in our example. The following image displays the list of commands that can be used to trigger playbooks from Microsoft Teams:

Using @mentions creates conversation threads in Microsoft Teams.
The various integrations between Microsoft Teams and FortiSOAR are achieved using FortiSOAR playbooks; therefore, you can view the progress of an integration using the 'Executed Playbook Logs' in FortiSOAR.
To quickly add an alert in FortiSOAR using the @mentions, in your 'Demo' channel, type @FortiSOAR createAlert:

This displays the following input form in which you can fill in details to create the alert in FortiSOAR:

Once you have filled in the details, click Create Alert, which displays appropriate messages and adds the alert in FortiSOAR:

The FortiSOAR app in Microsoft Teams displays messages for the successful execution of actions or appropriate error messages for failures of actions. For example, once the alert is added in FortiSOAR, a message such as "Done! Alert 'Demo Alert' successfully created. View Alert", is displayed as part of the conversation thread as displayed in the above image.
Also, an alert named "Demo Alert" is added to your FortiSOAR instance:

Similarly, you can add an indicator in FortiSOAR by running the @FortiSOAR createIndicator command in the 'Demo' team. This command displays an indicator creation input form that you can fill out and submit to create the indicator.
You can also quickly add an indicator in FortiSOAR without requiring the input form to be displayed by specifying the indicator value along with @mentions in the @FortiSOAR createIndicator <indicatorValue> format. For example, type the @FortiSOAR createIndicator gumblar.cn command in the 'Demo' team:

This adds an indicator with its value set to 'gumblar.cn' in your FortiSOAR instance:

This example explains how you can trigger the 'Enrich IP' playbook that is included in the "02 - Use Case - FortiSOAR for Microsoft Teams" playbook collection and has already been enabled to be triggered from Microsoft Teams using @mentions:

The 'Enrich IP' playbook already has the default 'bot_enabled' tag, as well as the 'enrich_ip_msteams' tag, which is the command that you will use to trigger this playbook. Also, this playbook has already set the current conversation's context. To get the current conversation's context, use vars.bot_context.conversation_id, which gets the ID of the team, chat, or group chat in Microsoft Teams that has triggered the playbook. To run this playbook successfully, you must have configured threat intelligence connectors, which analyze the submitted IP. In the case of this sample playbook, you must have the VirusTotal and IPStack connectors configured on your FortiSOAR instance. For the recommendations and requirements on how to create a playbook to be triggered from Microsoft Teams, see the How to create a custom playbook that can be triggered from Microsoft Teams topic.
To enrich an IP address from Microsoft Teams, invoke the 'Enrich IP' playbook using the @FortiSOAR enrichIP <IPValue> command. For example, type @FortiSOAR enrichIP 1.1.1.1 in the 'Demo' team. Since both the VirusTotal and IPStack connectors are configured, the indicator reputation summary from both VirusTotal and IPStack is displayed as a 'Thread' in the 'Demo' channel:

IMPORTANT: To use the @FortiSOAR invokePlaybook command, you must use a 'Manual Input' step to collect response/input from users; i.e., direct input to the command is not supported. For example, @FortiSOAR invokePlaybook enrich_ip_msteams 1.1.1.1 fails with the 'Playbook with specified tag "enrich_ip_msteams 1.1.1.1" not found' message.
You can use @FortiSOAR availableCommands to list all available tags that can be used to trigger a playbook in FortiSOAR as displayed in the following image:

To use 'Microsoft Teams' as a channel for the delivery of manual input, you must create the playbook as defined in the 'Manual Input' topic of the "Triggers and Steps" chapter in the "Playbooks Guide" that is part of FortiSOAR Product Documentation. In brief, you need to keep the following in mind when designing a manual input step that delivers input prompts to users on Microsoft Teams:


conversations/ to ?ctx.
In the following image, the ID of the conversation, FortiSOAR, is 19:d632.....spaces:
conversations/ to ?ctx.
In the following image, the ID of the group chat, DevTest Group Chat, is 19:3cea.....@thread.v2:

Get a link to the team popup, from which you can copy the link to the channel:

Once you have created the manual input playbook based on the required criteria, you can trigger the same in FortiSOAR. Once triggered, the playbook sends the input prompt to the Microsoft Teams users based on the manual input step configuration.


Once the form is submitted, the manual input playbook resumes its execution based on user responses. You can see the progress of the Manual Input playbooks in the 'Executed Playbook Logs' in FortiSOAR:
In the 'Executed Playbook Logs' in FortiSOAR, the ENV of the Manual Input step contains the 'bot_context' variable with a 'source' parameter that contains the source (Microsoft Teams) from which the playbook is triggered:

NOTE: Keep in mind that 'Manual Input' delivers the input form to users in Microsoft Teams using the 'Send Manual Input/Approval Form to Microsoft Teams' action of the Microsoft Teams Connector. FortiSOAR uses the 'Send Manual Input/Approval Form to Microsoft Teams' action to internally prepare the mapping code for the form object as expected by Microsoft Teams and renders that form in Microsoft Teams. If you want to send customized messages directly to Microsoft Teams users or teams, then you can use the Microsoft Teams connector's 'Send Chat Message' or 'Send Channel Message' actions respectively, instead of using 'Manual Input'.
Keep the following points in mind while creating a FortiSOAR playbook that can be triggered from Microsoft Teams using @mentions, i.e., the @FortiSOAR invokePlaybook command:
bot_enabled' tag to the playbook.
getApproval_BlockIndicator_msteams'.
_msteams' to the tag helps in achieving this objective. However, if the same tag is added to multiple playbooks, then the latest created playbook gets triggered.
{{vars.bot_context.conversation_id}} that gets the ID of the team, chat, or group chat in Microsoft Teams that has triggered the playbook.
bot_response to send all responses from FortiSOAR to Microsoft Teams.
You can refer to the sample playbooks included in the "02 - Use Case - FortiSOAR for Microsoft Teams" playbook collection, which is shipped with the FortiSOAR For Microsoft Teams solution pack.
NOTE: Ensure that appropriate permissions to the "Playbook Appliance" are assigned to the playbooks that are triggered from the FortiSOAR for Microsoft Teams application.
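Because the latest created playbook wins when a tag is shared, a duplicated trigger tag can make a chat command run a different playbook than the one the operator expects. The following added example (not FortiSOAR code) models the tag rules described on this page over constructed playbook records and audits them; the record layout, the 'Block IP' playbook, and the treatment of everything after invokePlaybook as the tag (inferred from the error message quoted above) are assumptions.

```python
from collections import defaultdict

BOT_TAG = "bot_enabled"

# Constructed sample records; "created" is a simple creation order.
PLAYBOOKS = [
    {"name": "Enrich IP", "created": 1,
     "tags": ["bot_enabled", "enrich_ip_msteams"]},
    {"name": "Get Approval - Block Indicator", "created": 2,
     "tags": ["bot_enabled", "getApproval_BlockIndicator_msteams"]},
    {"name": "Enrich IP (copy)", "created": 3,
     "tags": ["bot_enabled", "enrich_ip_msteams"]},
    {"name": "Block IP", "created": 4,          # bot_enabled was forgotten
     "tags": ["block_ip_msteams"]},
]


def resolve(tag_text, playbooks):
    """Model of invokePlaybook: return the playbook name that would run.

    Only playbooks carrying bot_enabled are eligible, the text after the
    command is matched as one tag, and the latest created match wins.
    Returns None when no playbook matches (the "not found" case).
    """
    matches = [p for p in playbooks
               if BOT_TAG in p["tags"] and tag_text in p["tags"]]
    if not matches:
        return None
    return max(matches, key=lambda p: p["created"])["name"]


def audit(playbooks):
    """Report trigger tags shared by several bot-enabled playbooks, and
    playbooks tagged *_msteams (naming convention) that lack bot_enabled."""
    by_tag = defaultdict(list)
    not_bot_enabled = []
    for p in sorted(playbooks, key=lambda p: p["created"]):
        triggers = [t for t in p["tags"] if t != BOT_TAG]
        if BOT_TAG in p["tags"]:
            for t in triggers:
                by_tag[t].append(p["name"])
        elif any(t.endswith("_msteams") for t in triggers):
            not_bot_enabled.append(p["name"])
    shared = {t: names for t, names in by_tag.items() if len(names) > 1}
    return {"shared_tags": shared, "not_bot_enabled": not_bot_enabled}


if __name__ == "__main__":
    print(resolve("enrich_ip_msteams", PLAYBOOKS))
    print(resolve("enrich_ip_msteams 1.1.1.1", PLAYBOOKS))
    print(audit(PLAYBOOKS))
```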