Microsoft Teams action type

[peterschretlen]

Describe the feature:

This action would send notifications to Microsoft Teams using their Incoming Webhook connector

• Overview of incoming webhooks
• Webhook documentation / how-to

Note:
There was some feedback on the Slack connector that you should be able to select a person / channel to send a message to instead of having a connector per. It's feedback worth considering for this connector.

[elasticmachine]

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

[CovertLeopard]

I'd love to see this functionality as well. That said, you can do it manually pretty simply. You just use the "Custom Webhook" destination option and put your Teams URL in the webhook URL field. Then remove the default parameter.

On your action, you just have to format the json properly. Here is an example of what I am using in the "Message" field on my trigger:

{
   "type":"message",
    "text":"Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
- Trigger: {{ctx.trigger.name}}
- Severity: {{ctx.trigger.severity}}
- Period start: {{ctx.periodStart}}
- Period end: {{ctx.periodEnd}}"
 }

This successfully sends the alert to Teams via the webhook:

[keenan-s]

@CovertLeopard any chance you can share the full sample config you setup for this action? Is the message snippet you sent above part of the body field? Thanks!

[CovertLeopard]

@keenan-s I'm not sure what you are looking for exactly, so I'll share all the things.

In Teams, you need to enable the "Incoming Webhook" connector. Provide a name, change the icon if you want and then create it and you are given a unique URL.

Now, in Kibana, this is how our destination is setup:

This is how the monitor is setup:

This is how the monitor definition is setup:

JSON from the extraction query:

{
    "size": 10,
    "query": {
        "bool": {
            "must": [
                {
                    "query_string": {
                        "query": "TEXT/SEARCH QUERY GOES HERE",
                        "fields": [],
                        "type": "best_fields",
                        "default_operator": "or",
                        "max_determinized_states": 10000,
                        "enable_position_increments": true,
                        "fuzziness": "AUTO",
                        "fuzzy_prefix_length": 0,
                        "fuzzy_max_expansions": 50,
                        "phrase_slop": 0,
                        "escape": false,
                        "auto_generate_synonyms_phrase_query": true,
                        "fuzzy_transpositions": true,
                        "boost": 1
                    }
                }
            ],
            "filter": [
                {
                    "range": {
                        "@timestamp": {
                            "from": "{{period_end}}||-30m",
                            "to": "{{period_end}}",
                            "include_lower": true,
                            "include_upper": true,
                            "boost": 1
                        }
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    }
}

For the Action, it's a Notification. Give it a name and choose your Teams webhook from the "Destination name" dropdown.

Then paste the JSON below into the "Message" field.

{
   "type":"message",
    "text":"Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
- Trigger: {{ctx.trigger.name}}
- Severity: {{ctx.trigger.severity}}
- Period start: {{ctx.periodStart}}
- Period end: {{ctx.periodEnd}}"
 }

[keenan-s]

@CovertLeopard thanks a lot. I was setting the watcher alerts up using just a full JSON payload. Your example helped, here is what I ended up using:

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "rsc-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": {
                "wildcard": {
                  "json.level.keyword": "ERROR"
                }
              },
              "filter": {
                "range": {
                  "@timestamp": {
                    "from": "{{ctx.trigger.scheduled_time}}||-5m",
                    "to": "{{ctx.trigger.triggered_time}}"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "MS_TEAMS": {
      "webhook": {
        "scheme": "https",
        "host": "outlook.office.com",
        "port": 443,
        "method": "post",
        "path": "/webhook/<redacted>",
        "params": {},
        "headers": {
          "content-type": "application/json"
        },
        "body": """{
   "type":"message",
   "text":"Alert - RSC errors just entered alert status. Please investigate the issue.
- Number of errors: {{ctx.payload.hits.total}}
- Kibana URL: [here](https://kibana-hostname-here/app/kibana#/discover?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:'{{ctx.trigger.scheduled_time}}%7C%7C-5m',to:'{{ctx.trigger.triggered_time}}'))&_a=(columns:!(json.env,json.level,json.app,json.module,json.msg),filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'1c0f4a20-f470-11ea-a58f-1b61f2d2e1ba',key:json.level,negate:!f,params:(query:ERROR),type:phrase),query:(match_phrase:(json.level:ERROR)))),index:'1c0f4a20-f470-11ea-a58f-1b61f2d2e1ba',interval:auto,query:(language:kuery,query:''),sort:!()))"
}"""
      }
    }
  }
}

[ymao1]

Note:
There was some feedback on the Slack connector that you should be able to select a person / channel to send a message to instead of having a connector per. It's feedback worth considering for this connector.

It looks like when you are setting up an Incoming Webhook app on Teams, you must select the specific channel when configuring the webhook. It doesn't look like there is an option to configure a team-wide webhook and specify the channel in the webhook message body (even though the wording when setting up the webhook seems to indicate you can, I'm unable to just enter a team name).

[pmuellr]

It doesn't look like there is an option to configure a team-wide webhook and specify the channel in the webhook message body

Not a surprise. But I will note that I think for Slack, we are using one particular endpoint to post messages, that has a number of constraints like only posting to a specific channel. But there are others that provide more options - we have an issue to look into this (I think it will also be needed to post images). So ... makes me wonder if there is a "simple" API and a "richer" API for Teams, like there is for Slack.

Also note, for Slack, you can essentially target individuals/teams/channels via @blarg and #foo within the message text itself, so ... that's the workaround for this, for now.

In any case, I think starting with something "simpler" that we can grow over time, works for me.