Streamline Your Microsoft Teams Integration with a Custom Connector for Workspace ONE Intelligence

As a Consultant at ITQ, I have gained extensive knowledge and experience in End User Computing (EUC) and Cyber Security over the past decade. In 2018, I was awarded the VMware vExpert status, and I have been part of the vExpert EUC subprogram since 2020. As a security enthusiast, I am always looking for ways to improve my skills and stay up-to-date on the latest technologies. In this blog post, I will guide you through the steps for creating a custom connector in VMware Workspace ONE Intelligence that can send messages to your Microsoft Teams channel(s).

To follow along with this blog post, you will need a Workspace ONE Intelligence tenant, a Microsoft Office 365 subscription with Teams, and Postman to create and modify the API. I am using my VMware TestDrive environment and a Microsoft 365 Developer account for this tutorial.

Step 1: Create an Alerts Channel in Workspace ONE Intelligence

In my Microsoft 365 Developer environment, I have created a new Team and some additional channels to simulate a SOC team. In the alerts channel, I want Workspace ONE Intelligence to post any new Carbon Black alerts with a severity of 6 or higher. To set this up, I’ve created the following Automation in Workspace ONE Intelligence:

1. Go to Integrations > Outbound Connectors > Add Custom Connector.

2. Copy the webhook URL into the Base URL field, and select No Authentication in the Auth Type field. Click Save to add the connector.

3. Click on the … (dots) of the Microsoft Teams connector and select View Actions.

4. Drag the created JSON file to the upload field to import the Microsoft Teams API.

Step 2: Import the Microsoft Teams JSON File

To import the Microsoft Teams JSON file, follow these steps:

1. Download the Microsoft Teams JSON file from the EUC samples page on GitHub.

2. Import the JSON file into Postman.

3. Insert the webhook URL in each of the POST requests.

4. Click on the … (dots) at the Microsoft Teams level and select Export.

5. Leave it on the default Collection v2.1, click on the Export button, and save the JSON file on your computer.
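
A pre-upload check for the exported file, as an added example that is not part of the original post or the EUC sample: it walks a Postman Collection v2.1 export and reports requests that are not POST, lack an https webhook URL (for example an unresolved Postman variable), or carry a raw body that is not valid JSON. The function names, the sample collection and the placeholder webhook URL are constructed for illustration, and the check assumes every request body is raw JSON.

```python
import json
from urllib.parse import urlsplit

SCHEMA_V21 = "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
WEBHOOK = "https://example.webhook.office.com/webhookb2/PLACEHOLDER"  # constructed

def iter_requests(items, path=""):
    """Yield (name, request) for every request, descending into folders."""
    for item in items:
        name = f"{path}/{item.get('name', '?')}"
        if "item" in item:            # a folder: recurse into its children
            yield from iter_requests(item["item"], name)
        elif "request" in item:
            yield name, item["request"]

def audit_collection(collection):
    """Return a list of findings; an empty list means the export passed."""
    findings = []
    if collection.get("info", {}).get("schema") != SCHEMA_V21:
        findings.append("collection: not exported as Collection v2.1")
    for name, req in iter_requests(collection.get("item", [])):
        url = req.get("url") or ""    # Postman stores a string or an object
        parts = urlsplit((url.get("raw") or "") if isinstance(url, dict) else url)
        if req.get("method") != "POST":
            findings.append(f"{name}: method is {req.get('method')}, expected POST")
        if parts.scheme != "https" or not parts.netloc:
            findings.append(f"{name}: webhook URL missing or not https")
        try:  # assumption: each request body is raw JSON
            json.loads((req.get("body") or {}).get("raw") or "")
        except ValueError:
            findings.append(f"{name}: raw body is not valid JSON")
    return findings

# Constructed sample, not the file from the EUC samples page.
SAMPLE = {
    "info": {"name": "Microsoft Teams", "schema": SCHEMA_V21},
    "item": [
        {"name": "Send Message", "request": {
            "method": "POST", "url": {"raw": WEBHOOK},
            "body": {"mode": "raw", "raw": json.dumps({"text": "test"})}}},
        {"name": "Drafts", "item": [
            {"name": "Unfinished", "request": {
                "method": "GET", "url": "{{webhook_url}}",
                "body": {"mode": "raw", "raw": "{text: oops}"}}}]},
    ],
}

if __name__ == "__main__":
    print("\n".join(audit_collection(SAMPLE)) or "OK")
```

Because the connector is saved with No Authentication, the webhook URL inside the exported file is the only thing that gates posting to the channel, so store the file as you would a credential.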

Step 3: Create an Automation in Workspace ONE Intelligence

To set up an automation that sends a message to Microsoft Teams when a new Carbon Black alert with a severity of 6 or higher is detected, follow these steps:

1. Go to Automations > Add > Custom Workflow.

2. Select Category > Carbon Black > Carbon Black Threats.

3. In the Filter (IF) field, select Carbon Black Severity Score > Greater Than or Equal To > 6.

4. In the Action (Then) field, enter the message you want to send to the Teams channel. I used the following message: “An alert with Severity Score ${carbonblack.threat.threatinfo_score} has been raised for ${carbonblack.threat.deviceinfo_devicename} in the Carbon Black Console.”

5. Click Test to start the test.

6. Select one of the alerts found and click Next (if you don’t see any alerts, change the filter to a lower severity).

7. The text in the text field should be adjusted automatically; click Test to send the message to Microsoft Teams.

8. Open your Teams channel and see the result!

I hope this blog post has been informative and helpful. If you have any questions or comments, please let me know. When I’m offline, I enjoy spending time with my family, playing sports, and grilling on my BBQs.
