Microsoft Teams is a business communication platform with features such as messaging, video conferencing, screen sharing and file sharing.
D3 SOAR is providing REST operations to function with Microsoft Teams. For example, you can create channels and send messages from the D3 SOAR system to Microsoft Teams.
In the future, Microsoft may require you or your customers to pay additional fees based on the amount of data imported using Teamwork.Migrate.All and/or migration APIs.
The Teamwork.Migrate.All permission is only supported for migration. In the future, Microsoft may require you or your customers to pay additional fees based on the amount of data imported. See the Create team - Microsoft Graph v1.0 API documentation for more information.
List Channel Members
This method supports federation. Only a user who is a member of the shared channel can retrieve the channel member list.
Get User Details
This request might have replication delays for users that were recently created, updated, or deleted.
List Joined Teams
This API doesn't return the host team of the shared channel that the user is a direct member of. Use the List associated teams API, to retrieve the host teams of the shared channels that the user has access to.
List Teams
This request might have replication delays for groups that were recently created, updated, or deleted.
List Users
This request might have replication delays for users that were recently created, updated, or deleted.
Send Message
We don't recommend that you use this API for data migration. It does not have the throughput necessary for a typical migration.
It is a violation of the terms of use to use Microsoft Teams as a log file. Only send messages that people will read.
This command is designed to only send messages to channels, you cannot send messages to chat.
Connection
To connect to Microsoft Teams from D3 SOAR, please follow this part to collect the required information below:
Parameter
Description
Example
Default
Tenant ID
The tenant ID to authenticate the API connection.
hN2-***-***-***-***
Grant Type
The grant type to authenticate the API connection.
client_credentials
Grant Type: client_credentials
Client ID
The client ID to authenticate the API connection.
zJJ************Xev
Client Secret
The client secret to authenticate the API connection.
sSl************tLs
API Version
The version of the API to use for the connection.
v2.1
Grant Type: authorization_code
Client ID
The client ID to authenticate the API connection.
aPy***********iWv
Client Secret
The client secret to authenticate the API connection.
EiQ************lv4
Authorization Code
The authorization code for OAuth2.0 authentication. Click the "Get Authorization" button on the Connection page to automatically generate an authorization code.
iIm************gPv
Callback URL
The callback URL is used for OAuth2.0 with the grant type of authorization code. Add this URL to your app’s Redirect URIs. In the Azure portal, navigate to Microsoft Entra ID Protection > App Registrations > Your App > Authentication.
https://***/***Callback.aspx
Refresh Token
The refresh token for authentication with the grant type of authorization code. Click the "Get Refresh Token" button on the Connection page to automatically generate a refresh token.
This parameter is read-only and Auto-generated.
Mk4*************************Sp0
API Version
The version of the API to use for the connection.
v2.1
Permission Requirements
Each endpoint in the Microsoft Teams API requires a certain permission scope. The following are required scopes for the commands in this integration:
Reader Note
Delegated permissions are the permissions required if the connection was authenticated using the authorization_code grant type.
Application permissions are the permissions required if the connection was authenticated using the client_credentials grant type.
Permissions marked with ** are supported only for backward compatibility. We recommend that you update your solutions to use an alternative permission listed in the previous table and avoid using these permissions going forward.
Navigate to the top search bar, then search and select App registrations.
If you already have created apps, you can use one of them. Skip to step 5 to obtain the Client ID & Tenant ID. If you do not have an app, click + New registration to create one.
Register the application.
Enter an application Name.
For Supported account types, select Accounts in this organizational directory only (<Your Directory Name> only - Single tenant).
Click Register.
In the App Overview tab, copy and save the Application(client) ID and Directory(tenant) ID. They will be required to build the integration connection in D3 SOAR. Navigate to Client credentials, then click Add a certificate or secret.
Click + New Client Secret. Enter a Description for the client secret, and select a client secret expiry period using the Expires dropdown menu. Click Add. Note: The client ID will not be able to access the API resources after the client secret expires. You must renew the client secret to keep the client ID active.
Copy and save the Secret Value. It will be required to build the integration connection in D3 SOAR connection. Note: The created Client Secret can only be viewed once. Store it in a secure location before leaving the page.
Configure the Redirect URIs. Click Authentication on the left navigation menu, then Add URI. Input the D3 SOAR redirect URI (see step 6 of Configuring D3 SOAR to Work with Microsoft Teams). Click Save.
Configure the API permissions. Click API permissions on the left navigation menu, then + Add a permission. Select Microsoft Graph, then search and select the required Delegated permissions and Application permissions. After selecting the required permissions, click Add permissions. See Permission Requirements for the required permissions for each command in this integration.
Reader Note
Delegated permissions are the permissions required if the connection was authenticated using the authorization_code grant type.
Application permissions are the permissions required if the connection was authenticated using the client_credentials grant type.
Some permissions may need to be granted admin consent for your directory (d3uat in the sample screenshot) to use. Ensure Grant admin consent for <Your Directory> is checked.
You may see Not granted for <Your Directory> in the status column. Those are the ungranted permissions you want to use. After successfully granting permissions, a green checkmark will appear under the permission status column for the corresponding permissions. If your login account does not have admin privileges, ask your admin to grant consent.
Configuring D3 SOAR to Work with Microsoft Teams
Log in to D3 SOAR.
Find the Microsoft Teams integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type Microsoft Teams in the search box to find the integration, then click it to select it.
Click + New Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Microsoft Teams.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the tick box to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection. Grant Type: Client Credentials
4. Click Get Authorization. You will be redirected to Azure and asked to log in with your credentials. Note: You must be logged in to an admin account to grant approval. If you use a non-admin account, you will only be able to send a request for approval to your admin.
5. Click Get Refresh Token. The refresh token will be automatically generated and filled into the field. No further action is required.
7. Input the API Version. The default value is v2.1. Note: Some commands require the beta version of the API. Note: Some commands require the beta version of the API. Input beta to use the beta version of the API.
Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active. To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmarkappear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
Click OK to close the alert window.
Click +Add to create and add the configured connection.
Commands
Microsoft Teams includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:
Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose your desired date and time format.
After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.
Add Members to Private Channel
Adds members to a specified private channel in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.
Reader Note
Email or User IDs, Team ID and Channel ID or Channel Name are required parametersto run this command.
Run the List Users command to obtain Emails and User IDs. User IDs can be found from the returned raw data at the path $.value[*].id. In order to add a user to a private channel, the user must already be in the specified team. You may check if the user is in the team by using the List Team Members command. If the user is not in the desired team, you can add the user to the team by running the Add Members to Team command.
Run the List Teams command to obtain Team ID. Team IDs can be found from the returned raw data at the path $.value[*].id.
Run the List Channels command to obtain Channel ID or Channel Name. Channel IDs can be found from the returned raw data at the path $.value[*].id. Channel Names can be found from the returned raw data at the path $.value[*].displayName.
You can determine if a channel is private with the List Channels command. In the returned raw data, check the path $.value[*].membershipType for the channel you want to check. If the value is "private" then it can be used to run this command.
The input Channel ID/Name must belong to the input Team ID. It is recommended to run the List Teams command to obtain the desired Team ID, then use that Team ID to obtain the corresponding Channel ID/Name using the List Channels command. Afterwards, input the obtained values to run this command. You will avoid the error message “____ is not channel Id or channel name existed” being returned.
This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in the Permission Requirements. See Grant Type: Authorization Code in Configuring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.
This command requires the beta API Version. Other API Versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration instructions.
Ensure the correct user role is provided for the Role parameter when running this command. If the member has already been added, modifying the role will result in a successful response without any changes made.
Input
Input Parameter
Required/Optional
Description
Example
Email or User IDs
Required
The email(s) or user ID(s) of the member to add to the private channel. Email and User IDs can be obtained using the List Users command.
[
"*****",
“*****@*****.*****.com”
]
Team ID
Required
The ID of the team that the specified channel belongs to. Team IDs can be obtained using the List Teams command.
***************************************
Channel ID or Channel Name
Required
The ID or name of the private channel to add the specified members. Channel IDs and Channel Names can be obtained using the List Channels command.
*****@*****.*****.com
Role
Required
The assigned role (i.e. Owner or Member) of the specified members.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"UserIDs": "\"[\\\"*****\\\"]\""
}
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
@ODATA.CONTEXT
@ODATA.TYPE
ID
ROLES
DISPLAYNAME
VISIBLEHISTORYSTARTDATETIME
USERID
EMAIL
TENANTID
https://graph.microsoft.com/*****
#microsoft.graph.aadUserConversationMember
*****
[ "owner" ]
1
1/1/0001 12:00:00 AM
*****
*****
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Add Members to Private Channel failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Operation not supported for this Channel.
Error Sample Data
Add Members to Private Channel failed.
Status Code: 400
Message: Operation not supported for this Channel.
Add Members to Team
Adds members to a specified team in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.
Reader Note
Email or User IDs and Team ID are required parametersto run this command.
Run the List Users command to obtain Emails and User IDs. User IDs can be found from the returned raw data at the path $.value[*].id.
Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.
This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in the Permission Requirements. See Grant Type: Authorization Code in Configuring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.
This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration.
Input
Input Parameter
Required/Optional
Description
Example
Email or User IDs
Required
The email(s) or user ID(s) of the member to add to the team. Email and User IDs can be obtained using the List Users command.
[
"*****",
“*****@*****.*****.com”
]
Team ID
Required
The ID of the team that the channel belongs to. Team IDs can be obtained using the List Teams command.
***************************************
Role
Required
The assigned role (i.e. Owner or Member) of the specified members.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"UserIDs": "\"[\\\"*****\\\"]\""
}
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
@ODATA.CONTEXT
@ODATA.TYPE
ID
ROLES
DISPLAYNAME
VISIBLEHISTORYSTARTDATETIME
USERID
EMAIL
TENANTID
https://graph.microsoft.com/*****
#microsoft.graph.aadUserConversationMember
*****
[ "owner" ]
1
1/1/0001 12:00:00 AM
*****
*****
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Add Members to Team failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: User ID Not Found.
Error Sample Data
Add Members to Team failed.
Status Code: 404.
Message: User ID Not Found.
Create Channel
Creates a channel in the specified team in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.
Reader Note
Team IDis a required parameterto run this command.
Run the List Teams command to obtain Team ID. Team IDs can be found from the returned raw data at the path $.value[*].id.
Preexisting channel names cannot be used when creating a new channel, including channels that were deleted. Inputting a channel name that was used before will return an error.
This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in the Permission Requirements. See Grant Type: Authorization Code in Configuring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.
Input
Input Parameter
Required/Optional
Description
Example
Team ID
Required
The ID of the team to create the channel in. Team IDs can be obtained using the List Teams command.
***************************************
Channel Name
Required
The name of the channel.
Sample Private Channel
Channel Description
Optional
The description for the channel.
Description for Sample Private Channel
Channel Type
Optional
The channel type (i.e., Standard or Private) of the channel. The default value is Standard.
Private
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
{
"@odata.context": "https://graph.microsoft.com/v*.*/***
"id": "*****",
"createdDateTime": "2021-09-28T21:18:57.754817Z",
"displayName": "My Private Channel 20",
"description": "create My Private Channel no description 20",
"isFavoriteByDefault": null,
"email": "",
"webUrl": "https://teams.microsoft.com/*****",
"membershipType": "private"
}
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
CODE
{
"@odata.context": "https://graph.microsoft.com/v*.*/***
"id": "*****",
"createdDateTime": "2021-09-28T21:18:57.754817Z",
"displayName": "My Private Channel 20",
"description": "create My Private Channel no description 20",
"isFavoriteByDefault": null,
"email": "",
"webUrl": "https://teams.microsoft.com/*****",
"membershipType": "private"
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
@odata.context
https://graph.microsoft.com/v*.*/***
id
*****
createdDateTime
9/28/2021 9:18:57 PM
displayName
My Private Channel 20
description
create My Private Channel no description 20
isFavoriteByDefault
email
webUrl
https://teams.microsoft.com/*****
membershipType
private
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Create Channel failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Channel name already existed, please use other name.
Error Sample Data
Create Channel failed.
Status Code: 400.
Message: Channel name already existed, please use other name.
Create Or Replace Schedule
Creates or replaces a schedule for the specified team.
Reader Note
Team ID is a required parameter to run this command.
Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.
To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:
a. Navigating to the Shifts tab
b. Clicking the hamburger menu button at the topand either selecting the desired schedule to be replaced or clicking + New schedule
c. Viewing the teams that appear
The Act As Admin Account parameter is required when using the Client Credentials authentication type.
Input
Input Parameter
Required/Optional
Description
Example
Team ID
Required
The ID of the team to create or replace the schedule for. Team IDs can be obtained using the List Teams command.
*****
Time Zone
Optional
The time zone database name used in the schedule. If this parameter is not defined, the default time zone is UTC time.
America/Vancouver
Enabled
Optional
The option to enable the team schedule. If this parameter is not defined, the default value is Disable.
True
Act As Admin Account
Optional
The email address of the admin account to use to create or replace the team schedule. Note: this parameter is required when using the Client Credentials authentication type. The specified account must have admin permissions in order to run this command.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"TeamID": "\"*****\"",
"Enabled": "\"true\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
@odata.context
https://graph.microsoft.com/v*.*/***
@odata.etag
"*****"
id
*****
enabled
True
timeZone
America/Vancouver
provisionStatus
Completed
provisionStatusCode
None
workforceIntegrationIds
[]
timeClockEnabled
False
openShiftsEnabled
True
swapShiftsRequestsEnabled
True
offerShiftRequestsEnabled
True
timeOffRequestsEnabled
True
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Create Or Replace Schedule failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Sorry, the team was not found, or you may not have access to it.
Error Sample Data
Create Or Replace Schedule failed.
Status Code: 404.
Message: Sorry, the team was not found, or you may not have access to it.
Create Scheduling Group
Creates a new scheduling group.
Reader Note
Team ID is a required parameter to run this command.
Run the List Teams command to obtain Team ID. Team IDs can be found from the returned raw data at the path $.value[*].id.
To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:
a. Navigating to the Shifts tab
b. Clicking the hamburger menu button at the topand either selecting the desired schedule to be replaced or clicking + New schedule
c. Viewing the teams that appear
The Act As Admin Account parameter is required when using the Client Credentials authentication type.
Input
Input Parameter
Required/Optional
Description
Example
Team ID
Required
The ID of the team for which to create a scheduling group. Team IDs can be obtained using the List Teams command.
*****
Scheduling Group Name
Required
The name of the scheduling group to be created.
Night Group 2023
User Emails
Optional
The email address(es) of the user(s) to be added to the scheduling group.
[ "*****@*****.*****.com"
]
Act As Admin Account
Optional
The email address of the admin account to use to create the scheduling group. Note: this parameter is required when using the Client Credentials authentication type. The specified account must have admin permissions in order to run this command.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"GroupID": "\"TAG_*****\"",
"GroupName": "\"Night Group 2023\"",
"IsActive": "\"true\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Create Scheduling Group failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Sorry, the team was not found, or you may not have access to it.
Error Sample Data
Create Scheduling Group failed.
Status Code: 404.
Message: Sorry, the team was not found, or you may not have access to it.
Create Shift
Creates a new shift instance in a schedule. Note: only accounts with admin permissions can create a shift.
Reader Note
Team ID and User Email are required parameters to run this command.
Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.
To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:
a. Navigating to the Shifts tab
b. Clicking the hamburger menu button at the topand either selecting the desired schedule to be replaced or clicking + New schedule
c. Viewing the teams that appear
The input User Email must be a member of your input team. To check if the user is in the team, run the List Teams command first to obtain the desired Team ID, then use that Team ID to run the List Team Members command in order to find the desired user. User Email can be obtained from the returned raw data at the path $.value[*].email. Use both values to run this command. If the desired user is not in the team, use the Add Members to Team command to add the desired user to the team first. Please note that some team members may not have a valid email to input for this command (the returned raw data at the path $.value[*].email for the user is "null"). Those users cannot be used to create shifts.
Scheduling Group ID is an optional parameter to run this command.
Run the List Scheduling Groups command to obtain Scheduling Group IDs. Scheduling Group IDs can be found from the returned raw data at the path $[*].value.id.
The Team ID and Scheduling Group ID must match if defining the Scheduling Group ID parameter. You can run the List Teams command first to obtain the desired Team ID, then use that Team ID to run the List Scheduling Groups command to obtain the desired Scheduling Group ID. Use both values to run this command.
The Act As Admin Account parameter is required when using the Client Credentials authentication type.
Ensure to schedule adequate time when running this command in order to avoid overlapping shifts.
Input
Input Parameter
Required/Optional
Description
Example
Team ID
Required
The ID of the team for which to create a shift. Team IDs can be obtained using the List Teams command.
*****
User Email
Required
The email address of the user who takes the shift. The user must be a member of the specified team. User Email can be obtained using the List Team Members command.
*****@*****.*****.com
Act As Admin Account
Optional
The email address of the admin account to use to create the shift. Note: this parameter is required when using the Client Credentials authentication type.
*****@*****.*****.com
Scheduling Group ID
Optional
The ID of the scheduling group to which the shift will be added. The Scheduling Group ID can be obtained using the List Scheduling Groups command. If this parameter is not defined, the shift will be added to Other.
TAG_*****
Shift Version
Required
The version of the shift to be created. The available versions are Shared Shift or Draft Shift.
Shared Shift
Shift Name
Required
The name for the shift. Note: the shift name cannot be longer than 30 characters.
Day shift319 D - shared
Notes
Optional
The notes to add to the shift.
Please do inventory as part of your shift.
Shift Start Time
Required
The shift start date time in UTC time. Note: the duration of a shift (the time range between shift start time and shift end time) cannot be less than 1 minute or longer than 24 hours.
2023-03-19 15:00
Shift End Time
Required
The shift end date time in UTC time. Note: the duration of a shift (the time range between shift start time and shift end time) cannot be less than 1 minute or longer than 24 hours.
2023-03-20 00:00
Shift Activities
Optional
Daily activities or any additional breaks to be tracked with this shift. Note: in each activity object, displayName and startDateTime/endDateTime are required fields. The remaining fields are optional. StartDateTime and endDateTime are in UTC time and must be within the bounds of the shift.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
{'displayName': 'Day shift319 D - shared', 'startDateTime': '2023-03-19T15:00:00Z', 'endDateTime': '2023-03-20T00:00:00Z', 'theme': 'white', 'notes': 'Please do inventory as part of your shift.', 'activities': [{'isPaid': True, 'startDateTime': '2023-03-19T18:00:00Z', 'endDateTime': '2023-03-19T18:45:00Z', 'code': 'LT', 'displayName': 'Lunch Time', 'theme': 'white'}]}
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Create Shift failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Sorry, the team was not found, or you may not have access to it.
Error Sample Data
Create Shift failed.
Status Code: 404.
Message: Sorry, the team was not found, or you may not have access to it.
Create Team
Creates a new team in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.
Reader Note
This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.
Input
Input Parameter
Required/Optional
Description
Example
Team Name
Required
The name of the new team.
Create Team Test
Description
Optional
The description for the new team.
Testing the the createteam command
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
{
"teamID": "*****",
"status": "Successful"
}
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
CODE
{
"teamID": "*****",
"status": "Successful"
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"TeamID": "\"*****\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
teamID
*****
status
Successful
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Create Team failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: unauthorized_client.
Error Sample Data
Create Team failed.
Status Code: 400.
Message: unauthorized_client.
Delete Channels
Deletes the specified channels in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.
Reader Note
Team ID and Channel ID or Channel Name are required parametersto run this command.
Run the List Teams command to obtain Team ID. Team IDs can be found from the returned raw data at the path $.value[*].id.
Run the List Channels command to obtain Channel ID or Channel Name. Channel ID can be found from the returned raw data at the path $.value[*].id; Channel Name can be found from the returned raw data at the path $.value[*].displayName.
The input Channel ID/Name must belong to the input Team ID. It is recommended to run the List Teams command to obtain the desired Team ID, then use that Team ID to obtain the corresponding Channel ID/Name using the List Channels command. Afterwards, input the obtained values to run this command. You will avoid the error message “____ is not channel Id or channel name existed” being returned.
This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.
This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h ofConfiguring D3 SOAR to Work with Microsoft Teams for connection configuration.
When creating a team, a General channel will be created by default. General channels cannot be deleted.
Input
Input Parameter
Required/Optional
Description
Example
Team ID
Required
The ID of the team that the specified channel belongs to. Team IDs can be obtained using the List Teams command.
***************************************
Channel ID or Channel Name
Required
The ID or name of the channel to delete. Channel IDs and Channel Names can be obtained using the List Channels command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
teamID
*****
deletedChannelIDs
My Private Channel 15
status
Successful
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Delete Channels failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: testchanneldoc is not existed.
Error Sample Data
Delete Channels failed.
Status Code: 404.
Message: testchanneldoc is not existed.
Delete Shifts
Deletes the specified shift(s) from the schedule.
Reader Note
Team ID and Shift IDs are required parameters to run this command.
Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.
To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:
a. Navigating to the Shifts tab
b. Clicking the hamburger menu button at the topand either selecting the desired schedule to be replaced or clicking + New schedule
c. Viewing the teams that appear
Run the List Shifts command to obtain Shift IDs. Shift IDs can be found from the returned raw data at the path $[*].value.id. Shift IDs must match the input team. It is suggested to run the List Teams command to obtain the desired Team ID, then use that ID to run the List Shifts command. Use those values to run this command.
When using the Client Credentials authentication type, the Act As Admin Account parameter is required to run this command. If the Act As Admin Account parameter is not defined or the specified account does not have admin permissions, permissions will be insufficient to run this command.
Input
Input Parameter
Required/Optional
Description
Example
Team ID
Required
The ID of the team to delete the scheduled shift(s) for. Team IDs can be obtained using the List Teams command.
*****
Shift IDs
Required
The ID(s) of the shift(s) to delete. Shift IDs can be obtained using the List Shifts command.
[
"SHFT_*****"
]
Act As Admin Account
Optional
The email address of the admin account to use to delete the shifts. Note: when using the Client Credentials authentication type, if this parameter is not defined or the specified account does not have admin permissions, permissions will be insufficient to run this command.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
ID
MESSAGE
SHFT_*****
Shift was successfully deleted.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Delete Shifts failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code:404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Sorry, the shift was not found and may have been deleted.
Error Sample Data
Delete Shifts failed.
Status Code: 404.
Message: Sorry, the shift was not found and may have been deleted.
Delete Teams
Deletes specified team(s) in Microsoft Teams.
Reader Note
Input parameterTeam IDs is required to run this command.
Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.
When deleted, Microsoft 365 groups are moved to a temporary container and can be restored within 30 days. After that time, they're permanently deleted. This isn't applicable to Security groups and Distribution groups which are permanently deleted immediately. To learn more, see deletedItems.
The following conditions apply for apps to delete role-assignable groups:
For delegated scenarios (using a connection authenticated with the authorization_code grant type), the app must be assigned the RoleManagement.ReadWrite.Directory delegated permission, and the calling user must be the creator of the group or a global administrator or a privileged role administrator in Microsoft Entra ID Protection.
For app-only scenarios (using a connection authenticated with the client_credentials grant type), the calling app must be the owner of the group or be assigned the RoleManagement.ReadWrite.Directory application permission or be assigned the Global Administrator or Privileged Role Administrator in Microsoft Entra ID Protection.
Input
Input Parameter
Required/Optional
Description
Example
Team IDs
Required
The ID(s) of the team(s) to delete. Team IDs can be obtained using the List Teams command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
DELETEDTEAMID
STATUS
*****
Successful
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Delete Teams failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Team IDs Not Found.
Error Sample Data
Delete Teams failed.
Status Code: 404.
Message: Team IDs Not Found.
List Channel Members
Retrieves a list of all members of the specified channel in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.
Reader Note
Team ID and Channel ID or Channel Name are required parametersto run this command.
Run the List Teams command to obtain Team ID. Team IDs can be found from the returned raw data at the path $.value[*].id.
Run the List Channels command to obtain Channel ID or Channel Name. Channel ID can be found from the returned raw data at the path $.value[*].id; Channel Name can be found from the returned raw data at the path $.value[*].displayName.
The input Channel ID/Name must belong to the input Team ID. It is recommended to run the List Teams command to obtain the desired Team ID, then use that Team ID to obtain the corresponding Channel ID/Name using the List Channels command. Afterwards, input the obtained values to run this command. You will avoid the error message “____ is not channel Id or channel name existed” being returned.
This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.
This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration.
Input
Input Parameter
Required/Optional
Description
Example
Team ID
Required
The ID of the team that the specified channel belongs to. Team IDs can be obtained using the List Teams command.
*****
Channel ID or Channel Name
Required
The ID or name of the channel to list all members from. Channel IDs and Channel names can be obtained using the List Channels command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Channel Members failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: xxx is not channel Id or channel name existed.
Error Sample Data
List Channel Members failed.
Status Code: 404.
Message: xxx is not channel Id or channel name existed.
Get Message Reply
Retrieves a specified message reply from a channel in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.
Reader Note
Team ID, Channel ID or Channel Name and Message ID are required parametersto run this command.
Run the List Teams command to obtain Team ID. Team IDs can be found from the returned raw data at the path $.value[*].id.
Run the List Channels command to obtain Channel ID or Channel Name. Channel ID can be found from the returned raw data at the path $.value[*].id; Channel Name can be found from the returned raw data at the path $.value[*].displayName.
The input Channel ID/Name must belong to the input Team ID. It is recommended to run the List Teams command to obtain the desired Team ID, then use that Team ID to obtain the corresponding Channel ID/Name using the List Channels command. Afterwards, input the obtained values to run this command. You will avoid the error message “____ is not channel Id or channel name existed” being returned.
Run the Send Message command to obtain Message IDs.
This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.
This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h ofConfiguring D3 SOAR to Work with Microsoft Teams for connection configuration.
Input
Input Parameter
Required/Optional
Description
Example
Team ID
Required
The ID of the team that the specified channel belongs to. Team IDs can be obtained using the List Teams command.
***************************************
Channel ID or Channel Name
Required
The ID or name of the channel to retrieve the message reply from. Channel IDs and Channel Names can be obtained using the List Channels command.
*****
Message ID
Required
The ID of the message to retrieve its reply messages. Message IDs can be obtained using the Send Message command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Message Reply failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Team ID Not Found.
Error Sample Data
Get Message Reply failed.
Status Code: 404.
Message: Team ID Not Found.
Get Shifts
Retrieves the properties and relationships of the specified shift objects by IDs.
Reader Note
Team ID and Shift IDs are required parameters to run this command.
Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.
To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:
a. Navigating to the Shifts tab
b. Clicking the hamburger menu button at the topand either selecting the desired schedule to be replaced or clicking + New schedule
c. Viewing the teams that appear
Run the List Shifts command to obtain Shift IDs. Shift IDs can be found from the returned raw data at the path $.value[*].id. Shift IDs must match the input team. It is suggested to run the List Teams command to obtain the desired Team ID, then use that ID to run the List Shifts command. Use those values to run this command.
When using the Client Credentials authentication type, if the Act As Admin Account parameter is not defined or the specified account does not have admin permissions, only the shared version of the shift can be returned. The draft version cannot be retrieved. If the shift only has a draft version, permissions will be insufficient to run this command, the error "Sorry, you need to be an admin to do this." will be returned.
Input
Input Parameter
Required/Optional
Description
Example
Team ID
Required
The ID of the team to retrieve scheduled shifts for. Team IDs can be obtained using the List Teams command.
*****
Shift IDs
Required
The ID(s) of the shift(s) to retrieve. Shift IDs can be obtained using the List Shifts command.
[
"SHFT_*****"
]
Act As Admin Account
Optional
The email address of the admin account to use to retrieve the draft version of the shared shift. Note: when using the Client Credentials authentication type, if this parameter is not defined or the specified account does not have admin permissions, only the shared version of the shift can be returned. The draft version cannot be retrieved. If the shift only has a draft version, permissions will be insufficient to retrieve the shift.
*****@*****.*****.com
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
[
{
"@odata.context": "https://graph.microsoft.com/v*.*/***",
"@odata.etag": "\"*****\"",
"id": "SHFT_*****",
"createdDateTime": "2023-03-16T17:34:33.962Z",
"lastModifiedDateTime": "2023-03-16T18:16:30.005Z",
"schedulingGroupId": "TAG_*****",
"userId": "*****",
"lastModifiedBy": {
"application": null,
"device": null,
"user": {
"id": "*****",
"displayName": "*****",
"userIdentityType": "aadUser"
}
},
"sharedShift": {
"displayName": "Day shift319 D - shared",
"startDateTime": "2023-03-19T15:00:00Z",
"endDateTime": "2023-03-20T00:00:00Z",
"theme": "white",
"notes": "Please do inventory as part of your shift.",
"activities": [
{
"isPaid": true,
"startDateTime": "2023-03-19T18:00:00Z",
"endDateTime": "2023-03-19T18:45:00Z",
"code": "LT",
"displayName": "Lunch Time",
"theme": "white"
}
]
},
"draftShift": {
"displayName": "Day shift319 D - shared&draft",
"startDateTime": "2023-03-19T15:00:00Z",
"endDateTime": "2023-03-20T00:00:00Z",
"theme": "white",
"notes": "Please do inventory as part of your shift.",
"activities": [
{
"isPaid": true,
"startDateTime": "2023-03-19T18:00:00Z",
"endDateTime": "2023-03-19T18:45:00Z",
"code": "LT",
"displayName": "Lunch Time",
"theme": "white"
}
]
}
}
]
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
{'displayName': 'Day shift319 D - shared', 'startDateTime': '2023-03-19T15:00:00Z', 'endDateTime': '2023-03-20T00:00:00Z', 'theme': 'white', 'notes': 'Please do inventory as part of your shift.', 'activities': [{'isPaid': True, 'startDateTime': '2023-03-19T18:00:00Z', 'endDateTime': '2023-03-19T18:45:00Z', 'code': 'LT', 'displayName': 'Lunch Time', 'theme': 'white'}]}
{'displayName': 'Day shift319 D - shared&draft', 'startDateTime': '2023-03-19T15:00:00Z', 'endDateTime': '2023-03-20T00:00:00Z', 'theme': 'white', 'notes': 'Please do inventory as part of your shift.', 'activities': [{'isPaid': True, 'startDateTime': '2023-03-19T18:00:00Z', 'endDateTime': '2023-03-19T18:45:00Z', 'code': 'LT', 'displayName': 'Lunch Time', 'theme': 'white'}]}
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Shifts failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Sorry, you need to be an admin to do this.
Error Sample Data
Get Shifts failed.
Status Code: 403.
Message: Sorry, you need to be an admin to do this.
Get Team Details By Name
Returns details about the specified team(s) in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.
Reader Note
The parameter Team Names is required to run this command.
Run the List Teams command to obtain Team Names. Team Names can be found in the returned raw data at the path $.value.[*].displayName.
The Team Name parameter only supports full names. Partial names or key word searches are not supported.
This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.
This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration.
Input
Input Parameter
Required/Optional
Description
Example
Team Names
Required
The name(s) of the team(s) to retrieve corresponding details. Team Names can be obtained using the List Teams command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"TeamIDs": "\"[\\\"*****\\\"]\""
}
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Team Details By Name failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Team Names Not Found.
Error Sample Data
Get Team Details By Name failed.
Status Code: 404.
Message: Team Names Not Found.
Get User Details
Returns the properties and relationships of the specified user(s) in Microsoft Teams.
Reader Note
The parameter Email or User IDs is required to run this command.
Run the List Users command to obtain Emails and User IDs. User IDs can be found from the returned raw data at the path $.value[*].id.
This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration.
Input
Input Parameter
Required/Optional
Description
Example
Email or User IDs
Required
The email(s) or ID(s) of the user(s) to retrieve corresponding details. Email and User IDs can be obtained using the List Users command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"UserIDs": "\"[\\\"*****\\\"]\""
}
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get User Details failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Email or User IDs Not Found.
Error Sample Data
Get User Details failed.
Status Code: 403.
Message: Email or User IDs Not Found.
List Channels
Retrieves a list of all existing channels in the specified team. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.
Reader Note
Team ID or Team Name is a required parameter to run this command.
Run the List Teams command to obtain Team IDs and Team Names. Team IDs can be found in the returned raw data at the path $.value.[*].id; Team Names can be found in the returned raw data at the path $.value.[*].displayName.
This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.
This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration.
Input
Input Parameter
Required/Optional
Description
Example
Team ID or Team Name
Required
The ID of the team that the channel belongs to. Team IDs and Team Names can be obtained using the List Teams command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
@odata.context
https://graph.microsoft.com/***
@odata.count
10
value
{
"id": "*****@*****.***",
"createdDateTime": "2020-12-11T21:55:34.03Z",
"displayName": "*****",
"description": "D3DevCyber",
"isFavoriteByDefault": null,
"email": "",
"webUrl": "https://teams.microsoft.com/l/*****",
"membershipType": "standard",
"moderationSettings": null
}
{
"id": "*****",
"createdDateTime": "2021-04-07T17:26:19.833Z",
"displayName": "*****",
"description": null,
"isFavoriteByDefault": false,
"email": "",
"webUrl": "https://teams.microsoft.com/***",
"membershipType": "standard",
"moderationSettings": {
"userNewMessageRestriction": "everyone",
"replyRestriction": "everyone",
"allowNewMessageFromBots": true,
"allowNewMessageFromConnectors": true
}
}
{
"id": "*****",
"createdDateTime": "2021-09-20T23:29:08.731Z",
"displayName": "*****",
"description": null,
"isFavoriteByDefault": false,
"email": "",
"webUrl": "https://teams.microsoft.com/*****
"membershipType": "standard",
"moderationSettings": {
"userNewMessageRestriction": "everyone",
"replyRestriction": "everyone",
"allowNewMessageFromBots": true,
"allowNewMessageFromConnectors": true
}
}
{
"id": "*****",
"createdDateTime": "2021-04-07T17:08:53.571Z",
"displayName": "*****",
"description": null,
"isFavoriteByDefault": null,
"email": "",
"webUrl": "https://teams.microsoft.com/*****",
"membershipType": "private",
"moderationSettings": null
}
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Channels failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Team ID or Team Name is not exists.
Error Sample Data
List Channels failed.
Status Code: 404.
Message: Team ID or Team Name is not exists.
List Chat Messages
Retrieves the list of messages in a specified chat. Note: If the API connection was authenticated using authorization_code, you can only retrieve chat messages from chats the granted user is part of. If using client_credentials authentication, you can retrieve a specified user's chat message by defining the User Principal Name parameter.
Reader Note
Chat ID is a required parameterto run this command.
Run the List Chats command to obtain the Chat ID. Chat IDs can be found in the raw data at the path $.value[*].id.
If the API connection was authenticated using authorization_code, you can only retrieve chat messages from chats the granted user is part of.
The User Principal Name parameter is required if the connection was authenticated using the client_credentials grant type. Otherwise, this parameter will not be used for the search. If using client_credentials authentication, you can retrieve a specified user's chat message by defining the User Principal Name parameter.
Input
Input Parameter
Required/Optional
Description
Example
User Principal Name
Optional
The principal name of the user to retrieve chat messages. If using authorization_code authentication, this parameter does not apply.
*****@*****.com
Chat ID
Required
The ID of the chat to retrieve messages. Chat ID can be obtained using the List Chats command.
*****@*****.*****.***
Updated After
Optional
The messages created or updated after this time (in UTC time) will be returned. If this parameter is not defined, messages created or updated 24 hours before the 'Updated Before' time will be returned.
2023-05-29 00:00
Updated Before
Optional
The messages created or updated before this time (in UTC time) will be returned. If this parameter is not defined, the default value is the current time.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"ChatIDs": "\"[\\\"*****@*****.*****.***\\\"]\"",
"MessageIDs": "\"[\\\"*****\\\"]\"",
"From": "\"[\\\"*****\\\"]\"",
"Messages": "\"[\\\"Hello World in BOLD 2023-05-29T19:43:05.336Z.\\\"]\"",
"UpdatedTime": "\"[\\\"2023-05-29T19:44:01.352Z\\\"]\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Chat Messages failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Resource not found.
Error Sample Data
List Chat Messages failed.
Status Code: 404.
Message: Resource not found.
List Chats
Retrieves the list of chats that the user is part of.Note: If the API connection was authenticated using authorization_code, you can only retrieve chats that the granted user is part of. If using client_credentials authentication, you can retrieve a specified user's chat by defining the User Principal Name parameter.
Reader Note
If the API connection was authenticated using authorization_code, you can only retrieve chat messages from chats the granted user is part of.
The User Principal Name parameter is required if the connection was authenticated using the client_credentials grant type. Otherwise, this parameter will not be used for the search. If using client_credentials authentication, you can retrieve a specified user's chat message by defining the User Principal Name parameter.
Input
Input Parameter
Required/Optional
Description
Example
User Principal Name
Optional
The principal name of the user to retrieve chats. If authorization_code authentication is used, this parameter does not apply.
*****@*****.com
Chat Type
Optional
The type of the chat to be returned. If this parameter is not defined, chats of any type will be returned. The available chat types are one on one, group, meeting and unknown.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Chats failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: unauthorized_client.
Error Sample Data
List Chats failed.
Status Code: 400.
Message: unauthorized_client.
List Joined Teams
Retrieves a list of the specified user(s)’ joined teams in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.
Reader Note
Email or User IDs is a required parameterto run this command.
Run the List Users command to obtain Emails and User IDs. User IDs can be found from the returned raw data at the path $.value[*].id.
This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.
This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration.
Input
Input Parameter
Required/Optional
Description
Example
Email or User IDs
Required
The email(s) or ID(s) of the user(s) to retrieve the list of joined teams. Email or User IDs can be obtained using the List Users command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Joined Teams failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Email or User IDs Not Found.
Error Sample Data
List Joined Teams failed.
Status Code: 404.
Message: Email or User IDs Not Found.
List Scheduling Groups
Retrieves the list of scheduling groups by the specified team within a schedule.
Reader Note
Team ID is a required parameter to run this command.
Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.
To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:
a. Navigating to the Shifts tab
b. Clicking the three bar menu button at the topand either selecting the desired schedule to be replaced or clicking + New schedule
c. Viewing the teams that appear
Input
Input Parameter
Required/Optional
Description
Example
Team ID
Required
The ID of the team to retrieve scheduling groups for. Team IDs can be obtained using the List Teams command.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Scheduling Groups failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Sorry, the team was not found, or you may not have access to it.
Error Sample Data
List Scheduling Groups failed.
Status Code: 404.
Message: Sorry, the team was not found, or you may not have access to it.
List Shifts
Retrieves the list of shift instances in a schedule.
Reader Note
When using the Client Credentials authentication type, the Act As Admin Account parameter is required to run this command.
If the input Act As Admin Account parameter is not an admin account, then only shared shifts can be listed. If you are using an admin account or the Authorization Code authentication type, both shared and draft shifts will be returned.
You can distinguish whether shifts are draft or shared versions within Microsoft Teams. Shifts with the star symbol are not shared and won't be listed here.
When creating shifts using the Create Shift command, the Shift Version parameter can be used to define the shared or draft version of the shift.
Team ID is a required parameter to run this command.
Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.
To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:
a. Navigating to the Shifts tab
b. Clicking the three bar menu button at the topand either selecting the desired schedule to be replaced or clicking + New schedule
c. Viewing the teams that appear
Input
Input Parameter
Required/Optional
Description
Example
Team ID
Required
The ID of the team to retrieve scheduled shifts for. Team IDs can be obtained using the List Teams command.
*****
Shared Shift Start Time
Optional
The start time of the shifts to retrieve in UTC time.
2023-03-11 00:00
Shared Shift End Time
Optional
The end time of the shifts to retrieve in UTC time.
2023-03-18 00:00
Act As Admin Account
Optional
The email address of the admin account to use to get the draft version of the shared shift. Note: when using the Client Credentials authentication type, this parameter is required.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Shifts failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Sorry, the team was not found, or you may not have access to it.
Error Sample Data
List Shifts failed.
Status Code: 404.
Message: Sorry, the team was not found, or you may not have access to it.
List Team Members
Retrieves a list of members of the specified team.
Reader Note
Team ID is a required parameter to run this command.
Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.
To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:
a. Navigating to the Shifts tab
b. Clicking the three bar menu button at the topand either selecting the desired schedule to be replaced or clicking + New schedule
c. Viewing the teams that appear
Input
Input Parameter
Required/Optional
Description
Example
Team ID
Required
The ID of the team to retrieve members from. Team IDs can be obtained using the List Teams command.
*****
User Name Or Email
Optional
The user display name or email to filter team members by. If this parameter is not defined, all members of the specified team will be returned.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Team Members failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: teamId needs to be a valid GUID.
Error Sample Data
List Team Members failed.
Status Code: 400.
Message: teamId needs to be a valid GUID.
List Teams
Retrieves a list of all existing teams in Microsoft Teams.
Reader Note
When inputting Team Names, the full name must be entered otherwise success with no result will be returned.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
CODE
No Sample Data
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Teams failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: unauthorized_client.
Error Sample Data
List Teams failed.
Status Code: 400.
Message: unauthorized_client.
List Teams (Deprecated)
Retrieves a list of all existing teams in Microsoft Teams.
Reader Note
This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h ofConfiguring D3 SOAR to Work with Microsoft Teams for connection configuration instructions.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Teams failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: unauthorized_client.
Error Sample Data
List Teams failed.
Status Code: 400.
Message: unauthorized_client.
List Team Tags
Retrieves a list of all existing Tag Groups in the specified team.
Reader Note
Team ID or Team Name is a required parameterto run this command.
Run the List Teams command to obtain Team ID or Team Name. Team IDs can be found at the path $.value[*].id. Team Name can be found at the path $.value[*].displayName.
This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration.
Input
Input Parameter
Required/Optional
Description
Example
Team ID or Team Name
Required
The ID of the team that the channel belongs to. Team IDs and Team Names can be obtained using the List Teams command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
@odata.context
https://graph.microsoft.com/***
@odata.count
10
value
{
"id": "*****@*****.***",
"createdDateTime": "2020-12-11T21:55:34.03Z",
"displayName": "*****",
"description": "D3DevCyber",
"isFavoriteByDefault": null,
"email": "",
"webUrl": "https://teams.microsoft.com/l/*****",
"membershipType": "standard",
"moderationSettings": null
}
{
"id": "*****",
"createdDateTime": "2021-04-07T17:26:19.833Z",
"displayName": "*****",
"description": null,
"isFavoriteByDefault": false,
"email": "",
"webUrl": "https://teams.microsoft.com/***",
"membershipType": "standard",
"moderationSettings": {
"userNewMessageRestriction": "everyone",
"replyRestriction": "everyone",
"allowNewMessageFromBots": true,
"allowNewMessageFromConnectors": true
}
}
{
"id": "*****",
"createdDateTime": "2021-09-20T23:29:08.731Z",
"displayName": "*****",
"description": null,
"isFavoriteByDefault": false,
"email": "",
"webUrl": "https://teams.microsoft.com/*****
"membershipType": "standard",
"moderationSettings": {
"userNewMessageRestriction": "everyone",
"replyRestriction": "everyone",
"allowNewMessageFromBots": true,
"allowNewMessageFromConnectors": true
}
}
{
"id": "*****",
"createdDateTime": "2021-04-07T17:08:53.571Z",
"displayName": "*****",
"description": null,
"isFavoriteByDefault": null,
"email": "",
"webUrl": "https://teams.microsoft.com/*****",
"membershipType": "private",
"moderationSettings": null
}
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Team Tags failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: does not exist.
Error Sample Data
List Team Tags failed.
Status Code: 404.
Message: does not exist.
List Users
Retrieves a list of all users in Microsoft Teams.
Reader Note
This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h ofConfiguring D3 SOAR to Work with Microsoft Teams for connection configuration instructions.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Users failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: unauthorized_client.
Error Sample Data
List Users failed.
Status Code: 400.
Message: unauthorized_client.
Replace Shift
Replaces an existing shift. Note: only accounts with admin permissions can replace a shift.
Reader Note
Team ID and User Email are required parameters to run this command.
Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.
To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:
a. Navigating to the Shifts tab
b. Clicking the three bar menu button at the topand either selecting the desired schedule to be replaced or clicking + New schedule
c. Viewing the teams that appear
The input User Email must match the input group. Run the List Teams first to obtain the desired Team ID, then use that Team ID to run the List Team Members command. User Email can be obtained from the returned raw data at the path $.value[*].email. Use these values to run this command. Please note that some team members may not have a valid email to input for this command (the returned raw data at the path $.value[*].email for the user is "null"). Those users cannot be used to replace shifts.
Scheduling Group ID is an optional parameter to run this command.
Run the List Scheduling Groups command to obtain Scheduling Group IDs. Scheduling Group IDs can be found from the returned raw data at the path $[*].value.id.
The Team ID and Scheduling Group ID must match if defining the Scheduling Group ID parameter. You can run the List Teams command first to obtain the desired Team ID, then use that Team ID to run the List Scheduling Groups command to obtain the desired Scheduling Group ID. Use both values to run this command.
The Act As Admin Account parameter is required when using the Client Credentials authentication type.
Ensure to schedule adequate time when running this command in order to avoid overlapping shifts.
Input
Input Parameter
Required/Optional
Description
Example
Team ID
Required
The ID of the team to replace a scheduled shift for. Team IDs can be obtained using the List Teams command.
*****
Shift ID
Required
The ID of the shift to replace. Shift IDs can be obtained using the List Shifts command.
SHFT_*****
User Email
Required
The email address of the user who takes the shift. The user must be a member of the specified team. User Email can be obtained using the List Team Members command.
*****@*****.*****.com
Act As Admin Account
Optional
The email address of the admin account to use to replace the shift. Note: when using the Client Credentials authentication type, this parameter is required to run this command. The account used must have admin permissions in order to replace a shift.
*****@*****.*****.com
Scheduling Group ID
Optional
The ID of the Scheduling Group for which the shift will be replaced. Scheduling Group IDs can be obtained using the List Scheduling Groups command. If this parameter is not defined, the shift will be replaced to Other.
TAG_*****
Shift Version
Required
The version of the shift to be created. The available versions are Shared Shift or Draft Shift.
Shared Shift
Shift Name
Required
The name for the shift to replace the original shift name. Note: the shift name cannot be longer than 30 characters.
*****
Notes
Optional
The notes to be added to the shift, or to replace if previous notes existed.
Please do inventory as part of your shift.
Shift Start Time
Required
The replacement shift start date time in UTC time. Note: the duration of a shift (the time range between shift start time and shift end time) cannot be less than 1 minute or longer than 24 hours.
2023-03-19 15:00
Shift End Time
Required
The replacement shift end date time in UTC time. Note: the duration of a shift (the time range between shift start time and shift end time) cannot be less than 1 minute or longer than 24 hours.
2023-03-20 00:00
Shift Activities
Optional
Daily activities or any additional breaks to be tracked with this shift. Note: in each activity object, displayName and startDateTime/endDateTime are required fields. The remaining fields are optional. StartDateTime and endDateTime are in UTC time and must be within the bounds of the shift.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
CODE
No Sample Data
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
{'displayName': '*****', 'startDateTime': '2023-03-19T15:00:00Z', 'endDateTime': '2023-03-20T00:00:00Z', 'theme': 'blue', 'notes': 'Please do inventory as part of your shift.', 'activities': [{'isPaid': True, 'startDateTime': '2023-03-19T18:00:00Z', 'endDateTime': '2023-03-19T18:45:00Z', 'code': 'LT', 'displayName': 'Lunch Time', 'theme': 'blue'}]}
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Replace Shift failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Sorry, the position was not found and may have been deleted.
Error Sample Data
Replace Shift failed.
Status Code: 400.
Message: Sorry, the position was not found and may have been deleted.
Send Chat Message
Sends a new message to the specified user(s). Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.
File ID and File Source
It is not recommended to use the Test Command feature with the Submit Sample Files command as it is designed for dynamic input files in Playbooks, Incident Attachments, and Artifact Attachments. There is a simple workaround to test the command:
In D3 SOAR, navigate to Configuration on the top bar menu.
Click Utility Commands on the left sidebar menu.
Use the search box to find and select the Create a File from input Text Array command.
Select the Test tab, then input the required information for the parameters. Click Test Command.
A D3 File ID will appear in the output data after the file has been successfully created.
(Note: The D3 File Source of the created file will be Playbook File)
Reader Note
This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.
Input
Input Parameter
Required/Optional
Description
Example
Caller Principle Name
Required
The principle name of the chat caller. Please note, caller principal name must be the user who granted API access.
*****@*****.*****.com
Target Users
Required
The principal name(s) of the target user(s) to whom the chat message will be sent.
[
"*****@*****.com"
]
Send HTML Message
Optional
The option to set the message type to HTML. The default option is False.
True
Message
Optional
The contents of the message to send.
<p><b>Hello World in BOLD.</b></p>
File IDs
Optional
The file IDs to be sent to chat as attachment according to file source. Please note, attachment file sizes cannot exceed 4MB.
[
10097
]
File Source
Optional
The file source of the file to send. The options for file sources are:
Incident Attachment File: Manually uploaded file from Incident
Playbook File: Output from another Task
Artifact File: Ingested Artifact in an Event
If not specified, the default file source is Playbook File.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Send Chat Message failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: The caller must be one of the members specified in request body.
Error Sample Data
Send Chat Message failed.
Status Code: 400.
Message: The caller must be one of the members specified in request body.
Send Message
Sends a message in the specified channel in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.
Reader Note
Team ID and Channel ID or Channel Name are required parametersto run this command.
Run the List Teams command to obtain Team ID. Team IDs can be found from the returned raw data at the path $.value[*].id.
Run the List Channels command to obtain Channel ID or Channel Name. Channel ID can be found from the returned raw data at the path $.value[*].id; Channel Name can be found from the returned raw data at the path $.value[*].displayName.
The input Channel ID/Name must belong to the input Team ID. It is recommended to run the List Teams command to obtain the desired Team ID, then use that Team ID to obtain the corresponding Channel ID/Name using the List Channels command. Afterwards, input the obtained values to run this command. You will avoid the error message “____ is not channel Id or channel name existed” being returned.
This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.
This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration.
Input
Input Parameter
Required/Optional
Description
Example
Team ID
Required
The ID of the team that the specified channel belongs to. Team IDs can be obtained using the List Teams command.
***************************************
Channel ID or Channel Name
Required
The ID or name of the channel to send the message to. Channel IDs and Channel Names can be obtained running the List Channels command with the same input Team ID.
*****@*****.*****.com
Send HTML Message
Optional
The option to set the message type to HTML. The default option is False.
This list of content objects for mentioned users, chnels, or teams. This parameter is only applicable when the message type is HTML and the "at" tag with the corresponding "id" is included in the message. Each mentioned content can be assigned to either a user, a channel or a team.
User IDs can be obtained using the List Users command; Channel IDs can be obtained using the List Channels command; Team IDs can be obtained using the List Teams command. Please reference the sample data when structuring your request.
The "id" in each mentioned content must match the "id" of the "at" tag in the message. The "mentionText" and "mentioned.displayName" fields are optional. For more details, see Send chatMessage in a channel or a chat - Microsoft Graph v1.0 from Microsoft's documentation and refer to Examples 2, 7, or 8.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"MessageID": "\"*****\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
@odata.context
https://graph.microsoft.com/*****
id
*****
replyToId
etag
*****
messageType
message
createdDateTime
9/28/2021 9:33:10 PM
lastModifiedDateTime
9/28/2021 9:33:10 PM
lastEditedDateTime
deletedDateTime
subject
summary
chatId
importance
normal
locale
en-us
webUrl
https://teams.microsoft.com/*****
policyViolation
eventDetail
from
{
"application": null,
"device": null,
"user": {
"id": "*****",
"displayName": "*****",
"userIdentityType": "aadUser"
}
}
body
{
"contentType": "html",
"content": "
\\n
Message\\n\\n
\\n\\n\\n
\\n
"
}
channelIdentity
{
"teamId": "*****",
"channelId": "*****"
}
attachments
mentions
reactions
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Send Message failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Team ID Not Found.
Error Sample Data
Send Message failed.
Status Code: 404.
Message: Team ID Not Found.
Send Message V2
Sends a message in the specified channel in Microsoft Teams with defined cards or attachments. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.
Reader Note
Team ID and Channel ID or Channel Name are required parametersto run this command.
Run the List Teams command to obtain Team ID. Team IDs can be found from the returned raw data at the path $.value[*].id.
Run the List Channels command to obtain Channel ID or Channel Name. Channel ID can be found from the returned raw data at the path $.value[*].id; Channel Name can be found from the returned raw data at the path $.value[*].displayName.
The input Channel ID/Name must belong to the input Team ID. It is recommended to run the List Teams command to obtain the desired Team ID, then use that Team ID to obtain the corresponding Channel ID/Name using the List Channels command. Afterwards, input the obtained values to run this command. You will avoid the error message “____ is not channel Id or channel name existed” being returned.
This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in the Permission Requirements. See Grant Type: Authorization Code in Configuring D3 SOAR to Work with Microsoft Teams section for instructions on authenticating the connection using the authorization_code grant type.
This command requires the beta version of the Microsoft Teams API. Only the beta version will appear in the connection dropdown list. For connection configuration instructions, please refer to step 3h of Configuring D3 SOAR to Work with Microsoft Teams.
Input
Input Parameter
Required/Optional
Description
Example
Team ID
Required
The ID of the team that the specified channel belongs to. Team IDs can be obtained using the List Teams command.
*****
Channel ID or Channel Name
Required
The ID or name of the channel to send the message. Channel IDs and Channel names can be obtained running the List Channels command with the same input Team ID.
*****
Text Message
Optional
The contents of the text message to send. This parameter and the HTML Message parameter cannot be both empty. This parameter will be omitted when the HTML Message parameter has a value.
A simple text message.
HTML Message
Required
The contents of the HTML message to send. Please note that either this parameter or the Text Message parameter must be provided and cannot be empty.
When creating a message with mention contents, cards, or attachments, the HTML message is required. If the task requires a response, include the placeholder <<UserActionRequiredURL>>. Please reference the sample data for more details.
<div>Hello User <at id="***">*****</at> Hello Channel <at id="***"> Channel testing</at> Hello Team <at id="***">*****</at>
</div>
</div>
Mention Contents
Optional
This list of content objects for mentioned users, chnels, or teams. This parameter is only applicable when the message type is HTML and the "at" tag with the corresponding "id" is included in the message. Each mentioned content can be assigned to either a user, a channel or a team.
User IDs can be obtained using the List Users command; Channel IDs can be obtained using the List Channels command; Team IDs can be obtained using the List Teams command. Please reference the sample data when structuring your request.
The "id" in each mentioned content must match the "id" of the "at" tag in the message. The "mentionText" and "mentioned.displayName" fields are optional. For more details, see Send chatMessage in a channel or a chat - Microsoft Graph v1.0 from Microsoft's documentation and refer to Examples 2, 7, or 8.
[
{
"id": ***,
"mentionText": "*****",
"mentioned": {
"user": {
"displayName": "1Xuan Lu",
"id": "*****",
"userIdentityType": "aadUser"
}
}
},
{
"id": ***,
"mentionText": " Channel testing",
"mentioned": {
"conversation": {
"id": "*****",
"displayName": "2General",
"conversationIdentityType": "channel"
}
}
},
{
"id": ***,
"mentionText": "*****",
"mentioned": {
"conversation": {
"id": "*****",
"displayName": "3GraphTesting",
"conversationIdentityType": "team"
}
}
}
]
Cards And Attachments
Optional
The list of card or attachment objects to attach in the message. For more information, see Send chatMessage in a channel or a chat - Microsoft Graph v1.0 from Microsoft's documentation, and refer to example 3, 6 or 9. If the task requires a response, include the placeholder <<UserActionRequiredURL>>. Please reference the sample data for more details.
"text": "Here is some body text. <br>\r\n <b>A hyperlink for pending task response</b>: <a href=\"<<UserActionRequiredURL>>\">Check Request Approval Page</a>. <br>\r\n <b>A hyperlink for regular page</b>: <a href=\"https://d3security.com/\">Check Regular Link</a> <br>\r\nAnd below that is some buttons:",
"content": "{\r\n \"title\": \"This is an example of posting a card\",\r\n \"subtitle\": \"<h3>This is the subtitle</h3>\",\r\n \"text\": \"Here is some body text. <br>\\r\\n <b>A hyperlink for pending task response</b>: <a href=\\\"<<UserActionRequiredURL>>\\\">Check Request Approval Page</a>. <br>\\r\\n <b>A hyperlink for regular page</b>: <a href=\\\"https://d3security.com/\\\">Check Regular Link</a> <br>\\r\\nAnd below that is some buttons:\",\r\n \"buttons\": [\r\n {\r\n \"type\": \"messageBack\",\r\n \"title\": \"Login to FakeBot\",\r\n \"text\": \"login\",\r\n \"displayText\": \"login\",\r\n \"value\": \"login\"\r\n }\r\n ]\r\n}",
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"MessageID": "\"*****\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
@odata.context
https://graph.microsoft.com/*****
id
*****
replyToId
etag
*****
messageType
message
createdDateTime
9/28/2021 9:33:10 PM
lastModifiedDateTime
9/28/2021 9:33:10 PM
lastEditedDateTime
deletedDateTime
subject
summary
chatId
importance
normal
locale
en-us
webUrl
https://teams.microsoft.com/*****
policyViolation
eventDetail
from
{
"application": null,
"device": null,
"user": {
"id": "*****",
"displayName": "*****",
"userIdentityType": "aadUser"
}
}
body
{
"contentType": "html",
"content": "
\\n
Message\\n\\n
\\n\\n\\n
\\n
"
}
channelIdentity
{
"teamId": "*****",
"channelId": "*****"
}
attachments
mentions
reactions
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Send Message failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Team ID Not Found.
Error Sample Data
Send Message failed.
Status Code: 404.
Message: Team ID Not Found.
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Error Handling
If the Return Data is failed, an Error tab will appear in the Test Result window.
The error tab contains the responses from the third-party API calls including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Test Connection failed. Failed to check the connector.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: unauthorized_client.
Error Sample Data
Test Connection failed. Failed to check the connector.
Status Code: 400.
Message: unauthorized_client.
FAQ
Question 1
Why am I seeing the error message “['Get Message Reply Failed.Messages:Status Code: 403, Error code: Forbidden, Error message: Invoked API requires Protected API access in application-only context when not using Resource Specific Consent. Visit https://docs.microsoft.com/en-us/graph/teams-protected-apis for more details. ']” after running the Get Message Reply command?
Answer: You are using the client-credential connection without the required access. You must request access before using this command by submitting a request form. For details, see Protected APIs in Microsoft Teams.
Question 2
Why can I not find my built connections when testing a command?
Answer:Please check the API Version of your connection, and make sure you are entering the correct version. It is recommended to create two connections (one with v1.0, another with beta) with the same credentials and use the appropriate connection depending on your use case.
Question 3
Why am I seeing the error message “Operation not supported for this Channel.” when running the Add Members to Private Channel command?
Answer: Members can only be added to channels that are private or shared. Run the List Channel command and in the returned raw data, the path $.[*].value.[*].membershiptype will indicate whether a channel is private or shared.
Question 4
I am unable to grant the app authorization access after clicking Get Authorization when building a connection using the authorization_code grant type.
Answer: You must be logged into an admin account to grant approval. If you use a non-admin account, you will only be able to send a request for approval to your admin.
JavaScript errors detected
Please note, these errors can depend on your browser setup.
If this problem persists, please contact our support.
