- 31 Jan 2023
- 3 Minutes to read
Microsoft Teams chatbot
This tutorial demonstrates several useful Teams use cases to help you get started and give you ideas for how you can use Teams in your Torq workflows.
First set up the available Microsoft integrations required for these flows. Continue reading to get an idea of what you can do with them.
Teams use cases covered in this tutorial:
- Trigger a Torq workflow by running a command in Teams
- Send a message in Teams
- Send a question using Teams (Basic)
- Send a question using Teams (Advanced)
The tutorial is based on an example workflow that is triggered when a user runs a command in Teams to investigate an IP address (or a list of addresses). The workflow loops over the IPs provided by the user, scans each IP with VirusTotal after getting the user's confirmation, attempts to retrieve the analysis results, and offers to continue the investigation when relevant.
Trigger a Torq workflow by running a command in Teams
You can trigger Torq workflows without leaving Teams. Follow these instructions to set up a Teams-Bot command called check-ip.
Once you've created the check-ip command, you can use it to trigger a Torq workflow from within Teams.
Create a webhook that waits for a message from the Teams-Bot containing the check-ip string. When you run the check-ip command in any channel, the workflow is triggered. You can add as many unique commands as you like to trigger different workflows.
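The check-ip arguments are free text typed by a chat user, so the workflow should validate them before anything is sent to VirusTotal. The following is an added example, not part of the original tutorial or Torq's own code: the function name, the per-command cap, and the assumption that the message body arrives in the event's text field with the bot mention wrapped in <at> tags are all hypothetical, and the sample event is constructed.

```python
import ipaddress
import re

MAX_IPS = 10  # assumed cap so one chat message cannot fan out into unbounded scans


def extract_scan_targets(event, command="check-ip", max_ips=MAX_IPS):
    """Return (conversation_id, targets, rejected) for a check-ip trigger event."""
    conversation_id = event["conversation"]["id"]
    # Assumption: the message body is in event["text"]; drop the <at>bot</at> mention.
    text = re.sub(r"<at>.*?</at>", " ", event.get("text", ""))
    tokens = [t for t in re.split(r"[\s,;]+", text.strip()) if t]
    # Require the command as the first token, not merely somewhere in the message.
    if not tokens or tokens[0].lower() != command:
        return conversation_id, [], []
    targets, rejected = [], []
    for token in tokens[1:]:
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            rejected.append((token, "not an IP address"))
            continue
        if not ip.is_global:
            # Internal or reserved addresses should not be sent to a third party.
            rejected.append((token, "not publicly routable"))
            continue
        canonical = str(ip)
        if canonical in targets:
            continue  # silently de-duplicate repeated addresses
        if len(targets) >= max_ips:
            rejected.append((token, "over per-command limit"))
            continue
        targets.append(canonical)
    return conversation_id, targets, rejected


# Constructed sample event (not captured from a real Teams tenant).
SAMPLE_EVENT = {
    "conversation": {"id": "19:constructed-channel-id@thread.tacv2"},
    "text": "<at>Torq</at> check-ip 8.8.8.8, 10.0.0.5 8.8.8.8 1.1.1.1 999.1.1.1 evil.example",
}

if __name__ == "__main__":
    conv_id, targets, rejected = extract_scan_targets(SAMPLE_EVENT)
    print(conv_id, targets, rejected)
```

The rejected list can be echoed back to the conversation so the user sees why an argument was skipped.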
Send a message in Teams
You can use the Post Message in Conversation V2 step in your Torq workflow to send a message to a Teams channel, or directly to a user.
Follow these instructions to set up a Teams integration to start using the steps in a Torq workflow.
The example below shows how you can use information from the trigger event JSON to send a confirmation message. The Post Message in Conversation V2 step has been renamed to the more descriptive Confirm Receipt of Command.
Use $.event.conversation.id to send the message to the conversation the workflow was triggered from (this automatically responds to either the channel or the user).
You can also use the AUTO_INSTALL_BOT parameter to automatically install the Teams bot in the user or team channel to which you want to send the message, in the event that it has not yet been configured for that recipient. This will ensure that they are able to receive this, and future, messages.
Send a question using Teams (Basic)
You can use the Teams Bot Ask a Question step in your Torq workflow to send a message that contains a question and retains the user's response. The user response can be used to direct the rest of your workflow.
Let's return to the example workflow. You can loop over the IPs extracted from the check-ip command and confirm whether a VirusTotal scan is required for each one. The Ask a Question step in our example has been renamed to Scan IP addresses.
In our example, the verification is sent to the system administrator, but you can send it to any channel or user you would like.
You need to provide the responses the user can choose from, and select if they are presented as buttons or drop-downs. Additionally, you can add a timeout for how long to wait for the user response, as well as a default response in the event the time limit is reached.
The user response can be referenced by using $.scan_ip_addresses.selected_response. If the user responds with Yes, the IP is scanned with VirusTotal.
If the VirusTotal scan returns no data or the IP is found to be harmless, the user is prompted with a message suggesting further investigation of the IP address using a different vendor. In our example, we used Adaptive Cards.
Send a question using a Teams Adaptive Card (Advanced)
The user is first asked if they would like to further investigate the IP address, using the Follow-up Question. If they select yes, they are then asked which vendors they would like to use for this additional check.
The Adaptive Card Form step returns the JSON response and can be referenced to determine how the workflow continues. In this example, we can see that the user has asked to check the IP address with two additional vendors.
The values of the selected vendors are passed to a nested workflow, which then checks the IP address in the background and returns the results to the main workflow.
At the end of the workflow, the user receives a message with the final results indicating if the IP address is malicious or benign.