🌟🌟 🕒 10 mins
In this section we will work with your playbook assigned to your "personal SAP incident" raised in Quest 1 to execute a workflow to inform the SAP security folks with an actionable alert in Microsoft Teams.
- Navigate to the resource group `dsag-participants` or choose `Active Playbooks` from the Automation pane in Sentinel to find your Logic App (or in other words Sentinel playbook). The instance name contains your user name (e.g. something like `sap-user-block-DSAGXX`).
- Familiarize yourself with the playbook and its various steps. Are you able to identify how the SAP user lock request is submitted to SAP? What Teams Channel ID is being used?
  Note: The Microsoft Teams connector supports dynamic dropdowns showing the names of your Teams team and channel. However, for maintainability and re-usability we chose to keep the IDs in variables on the Logic App. This way you may change the target channel for all occurrences of the Teams task on the Logic App in one place. You may retrieve the IDs from Teams via the three dots `...` and `Get link to team`, `Get link to channel`, or from the URL once you have navigated there.
- Open a new tab and navigate to teams.microsoft.com, log in with your given M365 sandbox user (e.g. [email protected]) and find your Teams Channel within the team `DSAG Hands-On Session 1`. Your incident notifications from Sentinel will show up here.
- In case your alert rule didn't trigger an execution yet, feel free to run the playbook manually from the Sentinel Incident UI. Choose again Actions -> Run playbook.
- Find the adaptive card posted to your Teams Channel and click on the `Block User on...` button.
  Note - Optionally, see the Outlook message that informs you about and links to the Microsoft Teams message.
- You will see the adaptive card change. Shortly after, a message from SAP will be posted as a reply to your initial block request in the same Teams thread.
  Note - you may follow the detailed execution steps from your Logic App's `Runs history`. Navigate to the Overview pane and choose the ribbon `Runs history`.
- Verify that you locked the SAP backend user that caused the incident (yourself 😉 in this case) by trying to log in via the SAP WebGUI. And don't worry, we posted the unlock option via Teams too.
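
For the note above on retrieving the team and channel IDs from a Teams link, here is an added example (not part of the workshop material) that extracts and validates both IDs before you paste them into the playbook variables. It assumes the usual `Get link to channel` shape (`/l/channel/<encoded thread id>/<name>?groupId=<GUID>`); the function name `parse_teams_link` and the sample link are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
THREAD = re.compile(r"^19:[^/\s]+@thread\.(tacv2|skype)$")

# Constructed sample link, not a real team or tenant.
SAMPLE = ("https://teams.microsoft.com/l/channel/"
          "19%3A0123456789abcdef0123456789abcdef%40thread.tacv2/SAP%20Alerts"
          "?groupId=11111111-2222-3333-4444-555555555555"
          "&tenantId=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")

def parse_teams_link(link):
    """Return kind, team_id and channel_id from a Teams team/channel link."""
    url = urlsplit(link.strip())
    # Exact host match: a look-alike host must not end up in a playbook variable.
    if url.scheme != "https" or url.hostname != "teams.microsoft.com":
        raise ValueError("not an https teams.microsoft.com link")
    # Split before decoding so an encoded '/' in a name cannot shift segments.
    parts = url.path.split("/")  # ['', 'l', 'channel', '<thread id>', '<name>']
    if len(parts) < 4 or parts[1] != "l" or parts[2] not in ("team", "channel"):
        raise ValueError("not a team or channel link")
    thread_id = unquote(parts[3])
    if not THREAD.match(thread_id):
        raise ValueError("unexpected thread id: %r" % thread_id)
    group_id = parse_qs(url.query).get("groupId", [""])[0]
    if not GUID.match(group_id):
        raise ValueError("groupId missing or not a GUID")
    return {
        "kind": parts[2],
        "team_id": group_id.lower(),
        # Only a channel link is treated as naming the target channel.
        "channel_id": thread_id if parts[2] == "channel" else None,
    }

if __name__ == "__main__":
    print(parse_teams_link(SAMPLE))
```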