Skip to main content
Skip table of contents

Microsoft Teams

LAST UPDATED: NOV 1, 2024

Overview

Microsoft Teams is a business communication platform with features such as messaging, video conferencing, screen sharing and file sharing.

D3 SOAR is providing REST operations to function with Microsoft Teams. For example, you can create channels and send messages from the D3 SOAR system to Microsoft Teams.

Microsoft Teams is available for use in:

D3 SOAR

V14.0.28.0+

Category

Email & Messaging

Deployment Options

Option II, Option IV

Known Limitations

Command

Limitation

Add Members to Private Channel

This request might have replication delays for users that were recently created, updated, or deleted.

Add Members to Team

This request might have replication delays for users that were recently created, updated, or deleted.

Using application permissions to add guest members to a team is not supported. See the Add member to team - Microsoft Graph v1.0 versionAPI documentation for more information.

Create Channel

While creating a channel, you can only add one member per shared channel; however, you can add up to 200 members per private channel.

https://learn.microsoft.com/en-us/graph/api/channel-post?view=graph-rest-1.0&tabs=http

In the future, Microsoft may require you or your customers to pay additional fees based on the amount of data imported using Teamwork.Migrate.All and/or migration APIs.

See the Create channel - Microsoft Graph v1.0 API documentation for more information.

Create Team

The Teamwork.Migrate.All permission is only supported for migration. In the future, Microsoft may require you or your customers to pay additional fees based on the amount of data imported. See the Create team - Microsoft Graph v1.0 API documentation for more information.

List Channel Members

This method supports federation. Only a user who is a member of the shared channel can retrieve the channel member list.

Get User Details

This request might have replication delays for users that were recently created, updated, or deleted.

List Joined Teams

This API doesn't return the host team of the shared channel that the user is a direct member of. Use the List associated teams API, to retrieve the host teams of the shared channels that the user has access to.

List Teams

This request might have replication delays for groups that were recently created, updated, or deleted.

List Users

This request might have replication delays for users that were recently created, updated, or deleted.

Send Message

We don't recommend that you use this API for data migration. It does not have the throughput necessary for a typical migration.

It is a violation of the terms of use to use Microsoft Teams as a log file. Only send messages that people will read.

This command is designed to only send messages to channels, you cannot send messages to chat.

Connection

To connect to Microsoft Teams from D3 SOAR, please follow this part to collect the required information below:

Parameter

Description

Example

Default

Tenant ID

The tenant ID to authenticate the API connection.

hN2-***-***-***-***

Grant Type

The grant type to authenticate the API connection.

client_credentials

Grant Type: client_credentials

Client ID

The client ID to authenticate the API connection.

zJJ************Xev

Client Secret

The client secret to authenticate the API connection.

sSl************tLs

API Version

The version of the API to use for the connection.

v2.1

Grant Type: authorization_code

Client ID

The client ID to authenticate the API connection.

aPy***********iWv

Client Secret

The client secret to authenticate the API connection.

EiQ************lv4

Authorization Code

The authorization code for OAuth2.0 authentication. Click the "Get Authorization" button on the Connection page to automatically generate an authorization code.

iIm************gPv

Callback URL

The callback URL is used for OAuth2.0 with the grant type of authorization code. Add this URL to your app’s Redirect URIs. In the Azure portal, navigate to Microsoft Entra ID Protection > App Registrations > Your App > Authentication.

https://***/***Callback.aspx

Refresh Token

The refresh token for authentication with the grant type of authorization code. Click the "Get Refresh Token" button on the Connection page to automatically generate a refresh token.

This parameter is read-only and Auto-generated.

Mk4*************************Sp0

API Version

The version of the API to use for the connection.

v2.1

Permission Requirements

Each endpoint in the Microsoft Teams API requires a certain permission scope. The following are required scopes for the commands in this integration:

READER NOTE

  • Delegated permissions are the permissions required if the connection was authenticated using the authorization_code grant type.

  • Application permissions are the permissions required if the connection was authenticated using the client_credentials grant type.

Command

Delegated Permissions

Application Permissions

Add Members to Private Channel

User.Read, User.ReadWrite, User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

ChannelMember.ReadWrite.All

Not Supported

Add Members to Team

User.Read, User.ReadWrite, User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

TeamMember.ReadWrite.All

Not Supported

Create Channel

Channel.Create, Group.ReadWrite.All**, Directory.ReadWrite.All**

Not Supported

Create Or Replace Schedule

Schedule.Read.All, Group.Read.All, Schedule.ReadWrite.All, Group.ReadWrite.All

Schedule.Read.All, Schedule.ReadWrite.All

Create Scheduling Group

Schedule.ReadWrite.All, Group.ReadWrite.All

Schedule.ReadWrite.All

Create Shift

Schedule.ReadWrite.All, Group.ReadWrite.All

Schedule.ReadWrite.All

Create Team

Team.Create, Group.ReadWrite.All**, Directory.ReadWrite.All**

Not Supported

Delete Channels

Channel.ReadBasic.All, ChannelSettings.Read.All, ChannelSettings.ReadWrite.All, Group.Read.All**, Group.ReadWrite.All**, Directory.Read.All**, Directory.ReadWrite.All**

Not Supported

Delete Shifts

Schedule.ReadWrite.All, Group.ReadWrite.All

Schedule.Read.All, Schedule.ReadWrite.All

Delete Teams

Group.ReadWrite.All

Group.ReadWrite.All

List Channel Members

GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All,

ChannelMember.Read.All, ChannelMember.ReadWrite.All

Not Supported

Get Message Reply

Channel.ReadBasic.All, ChannelSettings.Read.All, ChannelSettings.ReadWrite.All, Group.Read.All**, Group.ReadWrite.All**, Directory.Read.All**, Directory.ReadWrite.All**, ChannelMessage.Read.All

Not Supported

Get Shifts

Schedule.Read.All, Group.Read.All, Schedule.ReadWrite.All, Group.ReadWrite.All

Schedule.Read.All, Schedule.ReadWrite.All

Get Team Details By Name

Team.ReadBasic.All, TeamSettings.Read.All, TeamSettings.ReadWrite.All, Group.Read.All**, Group.ReadWrite.All**, Directory.Read.All**, Directory.ReadWrite.All**

Not Supported

Get User Details

User.Read, User.ReadWrite, User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

List Channels

GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All

Channel.ReadBasic.All, ChannelSettings.Read.All, ChannelSettings.ReadWrite.All, Group.Read.All**, Group.ReadWrite.All**, Directory.Read.All**, Directory.ReadWrite.All**

Not Supported

List Chat Messages

Chat.ReadBasic, Chat.Read, Chat.ReadWrite

Chat.ReadBasic.All, Chat.Read.All, Chat.ReadWrite.All

List Chats

Chat.ReadBasic, Chat.Read, Chat.ReadWrite

Chat.ReadBasic.All, Chat.Read.All, Chat.ReadWrite.All

List Joined Teams

Team.ReadBasic.All, TeamSettings.Read.All, TeamSettings.ReadWrite.All, User.Read.All, User.ReadWrite.All, Directory.Read.All**, Directory.ReadWrite.All**

Not Supported

List Scheduling Groups

Schedule.Read.All, Group.Read.All, Schedule.ReadWrite.All, Group.ReadWrite.All

Schedule.Read.All, Schedule.ReadWrite.All

List Shifts

Schedule.Read.All, Group.Read.All,Schedule.ReadWrite.All, Group.ReadWrite.All

Schedule.Read.All, Schedule.ReadWrite.All

List Team Members

TeamMember.Read.All, TeamMember.ReadWrite.All

TeamMember.Read.Group*, TeamMember.Read.All, TeamMember.ReadWrite.All

List Teams

GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All

GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All

List Teams (Deprecated)

GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All

GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All

List Team Tags

TeamworkTag.Read, TeamworkTag.ReadWrite

TeamworkTag.Read.All, TeamworkTag.ReadWrite.All

List Users

User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

Replace Shift

Schedule.Read.All, Group.Read.All, Schedule.ReadWrite.All, Group.ReadWrite.All

Schedule.Read.All, Schedule.ReadWrite.All

Reply Channel Message

Channel.ReadBasic.All, ChannelSettings.Read.All, ChannelSettings.ReadWrite.All, Group.Read.All**, Group.ReadWrite.All**, Directory.Read.All**, Directory.ReadWrite.All**

ChannelMessage.Send

ChannelSettings.Read.Group*, ChannelSettings.ReadWrite.Group*, Channel.ReadBasic.All, ChannelSettings.Read.All, ChannelSettings.ReadWrite.All, Group.Read.All**, Group.ReadWrite.All**, Directory.Read.All**, Directory.ReadWrite.All**

Teamwork.Migrate.All

Send Chat Message

Chat.ReadWrite

Files.ReadWrite, Files.ReadWrite.All (for upload Attachments)

N/A

Send Message

Channel.ReadBasic.All, ChannelSettings.Read.All, ChannelSettings.ReadWrite.All, Group.Read.All**, Group.ReadWrite.All**, Directory.Read.All**, Directory.ReadWrite.All**

ChatMessage.Send, Chat.ReadWrite

Not Supported

Send Message V2

Channel.ReadBasic.All, ChannelSettings.Read.All, ChannelSettings.ReadWrite.All, Group.Read.All**, Group.ReadWrite.All**, Directory.Read.All**, Directory.ReadWrite.All**

ChatMessage.Send, Chat.ReadWrite

Not Supported

Test Connection

N/A

N/A

  • Permissions marked with * use resource-specific consent.

  • Permissions marked with ** are supported only for backward compatibility. We recommend that you update your solutions to use an alternative permission listed in the previous table and avoid using these permissions going forward.

See Microsoft’s API documentation for more information.

Configuring Microsoft Teams to Work with D3 SOAR

  1. Log in to the Azure Portal (https://portal.azure.com/).

  2. Navigate to the top search bar, then search and select App registrations.

  3. If you already have created apps, you can use one of them. Skip to step 5 to obtain the Client ID & Tenant ID. If you do not have an app, click + New registration to create one.

  4. Register the application.

    1. Enter an application Name.

    2. For Supported account types, select Accounts in this organizational directory only (<Your Directory Name> only - Single tenant).

    3. Click Register.

  5. In the App Overview tab, copy and save the Application(client) ID and Directory(tenant) ID. They will be required to build the integration connection in D3 SOAR. Navigate to Client credentials, then click Add a certificate or secret.

  6. Click + New Client Secret. Enter a Description for the client secret, and select a client secret expiry period using the Expires dropdown menu. Click Add. Note: The client ID will not be able to access the API resources after the client secret expires. You must renew the client secret to keep the client ID active.

  7. Copy and save the Secret Value. It will be required to build the integration connection in D3 SOAR connection. Note: The created Client Secret can only be viewed once. Store it in a secure location before leaving the page.

  8. Configure the Redirect URIs. Click Authentication on the left navigation menu, then Add URI. Input the D3 SOAR redirect URI (see step 6 of Configuring D3 SOAR to Work with Microsoft Teams). Click Save.

  9. Configure the API permissions. Click API permissions on the left navigation menu, then + Add a permission. Select Microsoft Graph, then search and select the required Delegated permissions and Application permissions. After selecting the required permissions, click Add permissions. See Permission Requirements for the required permissions for each command in this integration.

READER NOTE

  • Delegated permissions are the permissions required if the connection was authenticated using the authorization_code grant type.

  • Application permissions are the permissions required if the connection was authenticated using the client_credentials grant type.

Some permissions may need to be granted admin consent for your directory (d3uat in the sample screenshot) to use. Ensure Grant admin consent for <Your Directory> is checked.

You may see Not granted for <Your Directory> in the status column. Those are the ungranted permissions you want to use. After successfully granting permissions, a green checkmark will appear under the permission status column for the corresponding permissions. If your login account does not have admin privileges, ask your admin to grant consent.

Configuring D3 SOAR to Work with Microsoft Teams

  1. Log in to D3 SOAR.

  2. Find the Microsoft Teams integration.

    screenshot_1.png
    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Microsoft Teams in the search box to find the integration, then click it to select it.

    4. Click + New Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Microsoft Teams.

    screenshot_2.png
    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.

      tenant.png
    7. Configure User Permissions: Defines which users have access to the connection.

    8. Active: Check the tick box to ensure the connection is available for use.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
      Grant Type: Client Credentials

      screenshot_3.png

      1. Input the Tenant ID. See step 5 of Configuring Microsoft Teams to Work with D3 SOAR.

      2. Select client_credentials.
      3. Input the Client ID. See step 5 of Configuring Microsoft Teams to Work with D3 SOAR.
      4. Input the Client Secret. See step 6 of Configuring Microsoft Teams to Work with D3 SOAR.
      5. Input the API Version. The default value is v2.1. Note: Some commands require the beta version of the API. Input beta to use the beta version of the API.

      Grant Type: Authorization Code

      screenshot_3 (4).png

      1. Input the Tenant ID. See step 5 of Configuring Microsoft Teams to Work with D3 SOAR.

      2. Select authorization_code.

      3. Input the Client ID. See step 5 of Configuring Microsoft Teams to Work with D3 SOAR.

      4. Input the Client Secret. See step 6 of Configuring Microsoft Teams to Work with D3 SOAR.

      5. Click Get Authorization. You will be redirected to Azure and asked to log in with your credentials. Note: You must be logged in to an admin account to grant approval. If you use a non-admin account, you will only be able to send a request for approval to your admin.

      6. Click Get Refresh Token. The refresh token will be automatically generated and filled into the field. No further action is required.

      7. Copy and paste the Callback URL into the created app’s authentication page on Azure. See step 8 of Configuring Microsoft Teams to Work with D3 SOAR.

      8. Input the API Version. The default value is v2.1. Note: Some commands require the beta version of the API. Note: Some commands require the beta version of the API. Input beta to use the beta version of the API.

    10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.

    11. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
      To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

  4. Test the connection.

    screenshot_4.png
    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

Microsoft Teams includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Microsoft Teams API, please refer to the Microsoft Teams API reference.

READER NOTE

Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring Microsoft Teams to Work with D3 SOAR for details.

Note for Time-related parameters

The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:

  1. Navigate to Configuration > Application Settings. Select Date/Time Format.

    att_7_for_349995902.png
  2. Choose your desired date and time format.

    att_3_for_349995902.png

After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.

Add Members to Private Channel

Adds members to a specified private channel in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.

READER NOTE

  • Email or User IDs, Team ID and Channel ID or Channel Name are required parameters to run this command.

    • Run the List Users command to obtain Emails and User IDs. User IDs can be found from the returned raw data at the path $.value[*].id. In order to add a user to a private channel, the user must already be in the specified team. You may check if the user is in the team by using the List Team Members command. If the user is not in the desired team, you can add the user to the team by running the Add Members to Team command.

    • Run the List Teams command to obtain Team ID. Team IDs can be found from the returned raw data at the path $.value[*].id.

    • Run the List Channels command to obtain Channel ID or Channel Name. Channel IDs can be found from the returned raw data at the path $.value[*].id. Channel Names can be found from the returned raw data at the path $.value[*].displayName.

      • You can determine if a channel is private with the List Channels command. In the returned raw data, check the path $.value[*].membershipType for the channel you want to check. If the value is "private" then it can be used to run this command.

    • The input Channel ID/Name must belong to the input Team ID. It is recommended to run the List Teams command to obtain the desired Team ID, then use that Team ID to obtain the corresponding Channel ID/Name using the List Channels command. Afterwards, input the obtained values to run this command. You will avoid the error message “____ is not channel Id or channel name existed” being returned.

  • This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in the Permission Requirements. See Grant Type: Authorization Code in Configuring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.

  • This command requires the beta API Version. Other API Versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration instructions.

  • Ensure the correct user role is provided for the Role parameter when running this command. If the member has already been added, modifying the role will result in a successful response without any changes made.

Input

Input Parameter

Required/Optional

Description

Example

Email or User IDs

Required

The email(s) or user ID(s) of the member to add to the private channel. Email and User IDs can be obtained using the List Users command.

[

"*****",

“*****@*****.*****.com”

]

Team ID

Required

The ID of the team that the specified channel belongs to. Team IDs can be obtained using the List Teams command.

***************************************

Channel ID or Channel Name

Required

The ID or name of the private channel to add the specified members. Channel IDs and Channel Names can be obtained using the List Channels command.

*****@*****.*****.com

Role

Required

The assigned role (i.e. Owner or Member) of the specified members.

Owner

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "@odata.context": "https://graph.microsoft.com/*****",
        "@odata.type": "#microsoft.graph.aadUserConversationMember",
        "id": "*****",
        "roles": [
            "owner"
        ],
        "displayName": "*****",
        "visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
        "userId": "*****",
        "email": null,
        "tenantId": "*****"
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "@odata.context": "https://graph.microsoft.com/*****",
        "@odata.type": "#microsoft.graph.aadUserConversationMember",
        "id": "*****",
        "roles": [
            "owner"
        ],
        "displayName": "*****",
        "visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
        "userId": "*****",
        "email": null,
        "tenantId": "*****"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "UserIDs": "\"[\\\"*****\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@ODATA.CONTEXT

https://graph.microsoft.com/*****

@ODATA.TYPE

#microsoft.graph.aadUserConversationMember

ID

*****

ROLES

[

"owner"

]

DISPLAYNAME

1

VISIBLEHISTORYSTARTDATETIME

1/1/0001 12:00:00 AM

USERID

*****

EMAIL

TENANTID

*****

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Add Members to Private Channel failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Operation not supported for this Channel.

Error Sample Data

Add Members to Private Channel failed.

Status Code: 400

Message: Operation not supported for this Channel.

Add Members to Team

Adds members to a specified team in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.

READER NOTE

  • Email or User IDs and Team ID are required parameters to run this command.

    • Run the List Users command to obtain Emails and User IDs. User IDs can be found from the returned raw data at the path $.value[*].id.

    • Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.

  • This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in the Permission Requirements. See Grant Type: Authorization Code in Configuring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.

  • This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration.

Input

Input Parameter

Required/Optional

Description

Example

Email or User IDs

Required

The email(s) or user ID(s) of the member to add to the team. Email and User IDs can be obtained using the List Users command.

[

"*****",

“*****@*****.*****.com”

]

Team ID

Required

The ID of the team that the channel belongs to. Team IDs can be obtained using the List Teams command.

***************************************

Role

Required

The assigned role (i.e. Owner or Member) of the specified members.

Owner

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "@odata.context": "https://graph.microsoft.com/*****",
        "@odata.type": "#microsoft.graph.aadUserConversationMember",
        "id": "*****
        "roles": [
            "owner"
        ],
        "displayName": "*****",
        "visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
        "userId": "*****",
        "email": null,
        "tenantId": "*****"
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "@odata.context": "https://graph.microsoft.com/*****",
        "@odata.type": "#microsoft.graph.aadUserConversationMember",
        "id": "*****
        "roles": [
            "owner"
        ],
        "displayName": "*****",
        "visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
        "userId": "*****",
        "email": null,
        "tenantId": "*****"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "UserIDs": "\"[\\\"*****\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@ODATA.CONTEXT

https://graph.microsoft.com/*****

@ODATA.TYPE

#microsoft.graph.aadUserConversationMember

ID

*****

ROLES

[

"owner"

]

DISPLAYNAME

1

VISIBLEHISTORYSTARTDATETIME

1/1/0001 12:00:00 AM

USERID

*****

EMAIL

TENANTID

*****

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Add Members to Team failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: User ID Not Found.

Error Sample Data

Add Members to Team failed.

Status Code: 404.

Message: User ID Not Found.

Create Channel

Creates a channel in the specified team in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.

READER NOTE

  • Team ID is a required parameter to run this command.

    • Run the List Teams command to obtain Team ID. Team IDs can be found from the returned raw data at the path $.value[*].id.

  • Preexisting channel names cannot be used when creating a new channel, including channels that were deleted. Inputting a channel name that was used before will return an error.

  • This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in the Permission Requirements. See Grant Type: Authorization Code in Configuring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.

Input

Input Parameter

Required/Optional

Description

Example

Team ID

Required

The ID of the team to create the channel in. Team IDs can be obtained using the List Teams command.

***************************************

Channel Name

Required

The name of the channel.

Sample Private Channel

Channel Description

Optional

The description for the channel.

Description for Sample Private Channel

Channel Type

Optional

The channel type (i.e., Standard or Private) of the channel. The default value is Standard.

Private

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@odata.context": "https://graph.microsoft.com/v*.*/***
    "id": "*****",
    "createdDateTime": "2021-09-28T21:18:57.754817Z",
    "displayName": "My  Private Channel 20",
    "description": "create  My  Private Channel no description 20",
    "isFavoriteByDefault": null,
    "email": "",
    "webUrl": "https://teams.microsoft.com/*****",
    "membershipType": "private"
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
{
    "@odata.context": "https://graph.microsoft.com/v*.*/***
    "id": "*****",
    "createdDateTime": "2021-09-28T21:18:57.754817Z",
    "displayName": "My  Private Channel 20",
    "description": "create  My  Private Channel no description 20",
    "isFavoriteByDefault": null,
    "email": "",
    "webUrl": "https://teams.microsoft.com/*****",
    "membershipType": "private"
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ChannelID": "\"*****\"",
    "ChannelName": "\"My  Private Channel 20\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@odata.context

https://graph.microsoft.com/v*.*/***

id

*****

createdDateTime

9/28/2021 9:18:57 PM

displayName

My Private Channel 20

description

create My Private Channel no description 20

isFavoriteByDefault

email

webUrl

https://teams.microsoft.com/*****

membershipType

private

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Channel failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Channel name already existed, please use other name.

Error Sample Data

Create Channel failed.

Status Code: 400.

Message: Channel name already existed, please use other name.

Create Or Replace Schedule

Creates or replaces a schedule for the specified team.

READER NOTE

  • Team ID is a required parameter to run this command.

    • Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.

    • To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:

a. Navigating to the Shifts tab

b. Clicking the hamburger menu button at the top and either selecting the desired schedule to be replaced or clicking + New schedule

c. Viewing the teams that appear

  • The Act As Admin Account parameter is required when using the Client Credentials authentication type.

Input

Input Parameter

Required/Optional

Description

Example

Team ID

Required

The ID of the team to create or replace the schedule for. Team IDs can be obtained using the List Teams command.

*****

Time Zone

Optional

The time zone database name used in the schedule. If this parameter is not defined, the default time zone is UTC time.

America/Vancouver

Enabled

Optional

The option to enable the team schedule. If this parameter is not defined, the default value is Disable.

True

Act As Admin Account

Optional

The email address of the admin account to use to create or replace the team schedule. Note: this parameter is required when using the Client Credentials authentication type. The specified account must have admin permissions in order to run this command.

*****@*****.*****.com

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@odata.context": "https://graph.microsoft.com/v*.*/***",
    "@odata.etag": "\"*****\"",
    "id": "*****",
    "enabled": true,
    "timeZone": "America/Vancouver",
    "provisionStatus": "Completed",
    "provisionStatusCode": null,
    "workforceIntegrationIds": [],
    "timeClockEnabled": false,
    "openShiftsEnabled": true,
    "swapShiftsRequestsEnabled": true,
    "offerShiftRequestsEnabled": true,
    "timeOffRequestsEnabled": true
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "TeamID": "\"*****\"",
    "Enabled": "\"true\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@odata.context

https://graph.microsoft.com/v*.*/***

@odata.etag

"*****"

id

*****

enabled

True

timeZone

America/Vancouver

provisionStatus

Completed

provisionStatusCode

None

workforceIntegrationIds

[]

timeClockEnabled

False

openShiftsEnabled

True

swapShiftsRequestsEnabled

True

offerShiftRequestsEnabled

True

timeOffRequestsEnabled

True

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Or Replace Schedule failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Sorry, the team was not found, or you may not have access to it.

Error Sample Data

Create Or Replace Schedule failed.

Status Code: 404.

Message: Sorry, the team was not found, or you may not have access to it.

Create Scheduling Group

Creates a new scheduling group.

READER NOTE

  • Team ID is a required parameter to run this command.

    • Run the List Teams command to obtain Team ID. Team IDs can be found from the returned raw data at the path $.value[*].id.

    • To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:

a. Navigating to the Shifts tab

b. Clicking the hamburger menu button at the top and either selecting the desired schedule to be replaced or clicking + New schedule

c. Viewing the teams that appear

  • The Act As Admin Account parameter is required when using the Client Credentials authentication type.

Input

Input Parameter

Required/Optional

Description

Example

Team ID

Required

The ID of the team for which to create a scheduling group. Team IDs can be obtained using the List Teams command.

*****

Scheduling Group Name

Required

The name of the scheduling group to be created.

Night Group 2023

User Emails

Optional

The email address(es) of the user(s) to be added to the scheduling group.

[ "*****@*****.*****.com"

]

Act As Admin Account

Optional

The email address of the admin account to use to create the scheduling group. Note: this parameter is required when using the Client Credentials authentication type. The specified account must have admin permissions in order to run this command.

*****@*****.*****.com

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@odata.context": "https://graph.microsoft.com/v*.*/***",
    "@odata.etag": "\"*****\"",
    "id": "TAG_*****",
    "createdDateTime": "2023-03-16T20:19:12.099Z",
    "lastModifiedDateTime": "2023-03-16T20:19:12.099Z",
    "displayName": "Night Group 2023",
    "isActive": true,
    "userIds": [
        "*****"
    ],
    "lastModifiedBy": {
        "application": null,
        "device": null,
        "user": {
            "id": "*****",
            "displayName": "*****",
            "userIdentityType": "aadUser"
        }
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "GroupID": "\"TAG_*****\"",
    "GroupName": "\"Night Group 2023\"",
    "IsActive": "\"true\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@odata.context

https://graph.microsoft.com/v*.*/***

@odata.etag

"*****"

id

TAG_*****

createdDateTime

2023-03-16T20:19:12.099Z

lastModifiedDateTime

2023-03-16T20:19:12.099Z

displayName

Night Group 2023

isActive

True

userIds

  • *****

lastModifiedBy

{'application': None, 'device': None, 'user': {'id': '*****', 'displayName': '*****', 'userIdentityType': 'aadUser'}}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Scheduling Group failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Sorry, the team was not found, or you may not have access to it.

Error Sample Data

Create Scheduling Group failed.

Status Code: 404.

Message: Sorry, the team was not found, or you may not have access to it.

Create Shift

Creates a new shift instance in a schedule. Note: only accounts with admin permissions can create a shift.

READER NOTE

  • Team ID and User Email are required parameters to run this command.

    • Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.

    • To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:

a. Navigating to the Shifts tab

b. Clicking the hamburger menu button at the top and either selecting the desired schedule to be replaced or clicking + New schedule

c. Viewing the teams that appear

    • The input User Email must be a member of your input team. To check if the user is in the team, run the List Teams command first to obtain the desired Team ID, then use that Team ID to run the List Team Members command in order to find the desired user. User Email can be obtained from the returned raw data at the path $.value[*].email. Use both values to run this command. If the desired user is not in the team, use the Add Members to Team command to add the desired user to the team first. Please note that some team members may not have a valid email to input for this command (the returned raw data at the path $.value[*].email for the user is "null"). Those users cannot be used to create shifts.

  • Scheduling Group ID is an optional parameter to run this command.

    • Run the List Scheduling Groups command to obtain Scheduling Group IDs. Scheduling Group IDs can be found from the returned raw data at the path $[*].value.id.

    • The Team ID and Scheduling Group ID must match if defining the Scheduling Group ID parameter. You can run the List Teams command first to obtain the desired Team ID, then use that Team ID to run the List Scheduling Groups command to obtain the desired Scheduling Group ID. Use both values to run this command.

  • The Act As Admin Account parameter is required when using the Client Credentials authentication type.

  • Ensure to schedule adequate time when running this command in order to avoid overlapping shifts.

Input

Input Parameter

Required/Optional

Description

Example

Team ID

Required

The ID of the team for which to create a shift. Team IDs can be obtained using the List Teams command.

*****

User Email

Required

The email address of the user who takes the shift. The user must be a member of the specified team. User Email can be obtained using the List Team Members command.

*****@*****.*****.com

Act As Admin Account

Optional

The email address of the admin account to use to create the shift. Note: this parameter is required when using the Client Credentials authentication type.

*****@*****.*****.com

Scheduling Group ID

Optional

The ID of the scheduling group to which the shift will be added. The Scheduling Group ID can be obtained using the List Scheduling Groups command. If this parameter is not defined, the shift will be added to Other.

TAG_*****

Shift Version

Required

The version of the shift to be created. The available versions are Shared Shift or Draft Shift.

Shared Shift

Shift Name

Required

The name for the shift. Note: the shift name cannot be longer than 30 characters.

Day shift319 D - shared

Notes

Optional

The notes to add to the shift.

Please do inventory as part of your shift.

Shift Start Time

Required

The shift start date time in UTC time. Note: the duration of a shift (the time range between shift start time and shift end time) cannot be less than 1 minute or longer than 24 hours.

2023-03-19 15:00

Shift End Time

Required

The shift end date time in UTC time. Note: the duration of a shift (the time range between shift start time and shift end time) cannot be less than 1 minute or longer than 24 hours.

2023-03-20 00:00

Shift Activities

Optional

Daily activities or any additional breaks to be tracked with this shift. Note: in each activity object, displayName and startDateTime/endDateTime are required fields. The remaining fields are optional. StartDateTime and endDateTime are in UTC time and must be within the bounds of the shift.

[

{

"isPaid": true,

"startDateTime": "2023-03-19T18:00:00Z",

"endDateTime": "2023-03-19T18:45:00Z",

"code": "LT",

"displayName": "Lunch Time",

"theme": "white"

}

]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@odata.context": "https://graph.microsoft.com/v*.*/***",
    "@odata.etag": "\"*****\"",
    "id": "SHFT_*****",
    "createdDateTime": "2023-03-16T17:34:33.962Z",
    "lastModifiedDateTime": "2023-03-16T17:34:33.962Z",
    "schedulingGroupId": "TAG_*****",
    "userId": "*****",
    "draftShift": null,
    "lastModifiedBy": {
        "application": null,
        "device": null,
        "user": {
            "id": "*****",
            "displayName": "*****",
            "userIdentityType": "aadUser"
        }
    },
    "sharedShift": {
        "displayName": "Day shift319 D - shared",
        "startDateTime": "2023-03-19T15:00:00Z",
        "endDateTime": "2023-03-20T00:00:00Z",
        "theme": "white",
        "notes": "Please do inventory as part of your shift.",
        "activities": [
            {
                "isPaid": true,
                "startDateTime": "2023-03-19T18:00:00Z",
                "endDateTime": "2023-03-19T18:45:00Z",
                "code": "LT",
                "displayName": "Lunch Time",
                "theme": "white"
            }
        ]
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ShiftID": "\"SHFT_*****\"",
    "UserID": "\"*****\"",
    "SchedulingGroupID": "\"TAG_*****\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@odata.context

https://graph.microsoft.com/v*.*/***

@odata.etag

"*****"

id

SHFT_*****

createdDateTime

2023-03-16T17:34:33.962Z

lastModifiedDateTime

2023-03-16T17:34:33.962Z

schedulingGroupId

TAG_*****

userId

*****

draftShift

None

lastModifiedBy

{'application': None, 'device': None, 'user': {'id': '*****', 'displayName': '*****', 'userIdentityType': 'aadUser'}}

sharedShift

{'displayName': 'Day shift319 D - shared', 'startDateTime': '2023-03-19T15:00:00Z', 'endDateTime': '2023-03-20T00:00:00Z', 'theme': 'white', 'notes': 'Please do inventory as part of your shift.', 'activities': [{'isPaid': True, 'startDateTime': '2023-03-19T18:00:00Z', 'endDateTime': '2023-03-19T18:45:00Z', 'code': 'LT', 'displayName': 'Lunch Time', 'theme': 'white'}]}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Shift failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Sorry, the team was not found, or you may not have access to it.

Error Sample Data

Create Shift failed.

Status Code: 404.

Message: Sorry, the team was not found, or you may not have access to it.

Create Team

Creates a new team in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.

READER NOTE

This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.

Input

Input Parameter

Required/Optional

Description

Example

Team Name

Required

The name of the new team.

Create Team Test

Description

Optional

The description for the new team.

Testing the the createteam command

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "teamID": "*****",
    "status": "Successful"
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
{
    "teamID": "*****",
    "status": "Successful"
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "TeamID": "\"*****\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

teamID

*****

status

Successful

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Team failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: unauthorized_client.

Error Sample Data

Create Team failed.

Status Code: 400.

Message: unauthorized_client.

Delete Channels

Deletes the specified channels in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.

READER NOTE

  • Team ID and Channel ID or Channel Name are required parameters to run this command.

    • Run the List Teams command to obtain Team ID. Team IDs can be found from the returned raw data at the path $.value[*].id

    • Run the List Channels command to obtain Channel ID or Channel Name. Channel ID can be found from the returned raw data at the path $.value[*].id; Channel Name can be found from the returned raw data at the path $.value[*].displayName.

    • The input Channel ID/Name must belong to the input Team ID. It is recommended to run the List Teams command to obtain the desired Team ID, then use that Team ID to obtain the corresponding Channel ID/Name using the List Channels command. Afterwards, input the obtained values to run this command. You will avoid the error message “____ is not channel Id or channel name existed” being returned.

  • This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.

  • This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h ofConfiguring D3 SOAR to Work with Microsoft Teams for connection configuration.

  • When creating a team, a General channel will be created by default. General channels cannot be deleted.

Input

Input Parameter

Required/Optional

Description

Example

Team ID

Required

The ID of the team that the specified channel belongs to. Team IDs can be obtained using the List Teams command.

***************************************

Channel ID or Channel Name

Required

The ID or name of the channel to delete. Channel IDs and Channel Names can be obtained using the List Channels command.

[“*****@*****.*****.com”]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "teamID": "*****",
    "deletedChannelIDs": [
        "My  Private Channel 15"
    ],
    "status": "Successful"
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
{
    "teamID": "*****",
    "deletedChannelIDs": [
        "My  Private Channel 15"
    ],
    "status": "Successful"
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

teamID

*****

deletedChannelIDs

  • My Private Channel 15

status

Successful

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Channels failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: testchanneldoc is not existed.

Error Sample Data

Delete Channels failed.

Status Code: 404.

Message: testchanneldoc is not existed.

Delete Shifts

Deletes the specified shift(s) from the schedule.

READER NOTE

Team ID and Shift IDs are required parameters to run this command. 

  • Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id

  • To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:

a. Navigating to the Shifts tab

b. Clicking the hamburger menu button at the top and either selecting the desired schedule to be replaced or clicking + New schedule

c. Viewing the teams that appear

  • Run the List Shifts command to obtain Shift IDs. Shift IDs can be found from the returned raw data at the path $[*].value.id. Shift IDs must match the input team. It is suggested to run the List Teams command to obtain the desired Team ID, then use that ID to run the List Shifts command. Use those values to run this command.

  • When using the Client Credentials authentication type, the Act As Admin Account parameter is required to run this command. If the Act As Admin Account parameter is not defined or the specified account does not have admin permissions, permissions will be insufficient to run this command.

Input

Input Parameter

Required/Optional

Description

Example

Team ID

Required

The ID of the team to delete the scheduled shift(s) for. Team IDs can be obtained using the List Teams command.

*****

Shift IDs

Required

The ID(s) of the shift(s) to delete. Shift IDs can be obtained using the List Shifts command.

[

"SHFT_*****"

]

Act As Admin Account

Optional

The email address of the admin account to use to delete the shifts. Note: when using the Client Credentials authentication type, if this parameter is not defined or the specified account does not have admin permissions, permissions will be insufficient to run this command.

*****@*****.*****.com

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "id": "SHFT_*****",
        "message": "Shift was successfully deleted."
    }
]
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ID

MESSAGE

SHFT_*****

Shift was successfully deleted.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Shifts failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code:404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Sorry, the shift was not found and may have been deleted.

Error Sample Data

Delete Shifts failed.

Status Code: 404.

Message: Sorry, the shift was not found and may have been deleted.

Delete Teams

Deletes specified team(s) in Microsoft Teams.

READER NOTE

  • Input parameter Team IDs is required to run this command.

    • Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.

  • When deleted, Microsoft 365 groups are moved to a temporary container and can be restored within 30 days. After that time, they're permanently deleted. This isn't applicable to Security groups and Distribution groups which are permanently deleted immediately. To learn more, see deletedItems.

  • The following conditions apply for apps to delete role-assignable groups:

    • For delegated scenarios (using a connection authenticated with the authorization_code grant type), the app must be assigned the RoleManagement.ReadWrite.Directory delegated permission, and the calling user must be the creator of the group or a global administrator or a privileged role administrator in Microsoft Entra ID Protection.

    • For app-only scenarios (using a connection authenticated with the client_credentials grant type), the calling app must be the owner of the group or be assigned the RoleManagement.ReadWrite.Directory application permission or be assigned the Global Administrator or Privileged Role Administrator in Microsoft Entra ID Protection.

Input

Input Parameter

Required/Optional

Description

Example

Team IDs

Required

The ID(s) of the team(s) to delete. Team IDs can be obtained using the List Teams command.

[“***************************************”]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "deletedTeamID": "*****",
        "status": "Successful"
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "deletedTeamID": "*****",
        "status": "Successful"
    }
]
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

DELETEDTEAMID

STATUS

*****

Successful

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Teams failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Team IDs Not Found.

Error Sample Data

Delete Teams failed.

Status Code: 404.

Message: Team IDs Not Found.

List Channel Members

Retrieves a list of all members of the specified channel in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.

READER NOTE

  • Team ID and Channel ID or Channel Name are required parameters to run this command.

    • Run the List Teams command to obtain Team ID. Team IDs can be found from the returned raw data at the path $.value[*].id.

    • Run the List Channels command to obtain Channel ID or Channel Name. Channel ID can be found from the returned raw data at the path $.value[*].id; Channel Name can be found from the returned raw data at the path $.value[*].displayName.

    • The input Channel ID/Name must belong to the input Team ID. It is recommended to run the List Teams command to obtain the desired Team ID, then use that Team ID to obtain the corresponding Channel ID/Name using the List Channels command. Afterwards, input the obtained values to run this command. You will avoid the error message “____ is not channel Id or channel name existed” being returned.

  • This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.

  • This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration.

Input

Input Parameter

Required/Optional

Description

Example

Team ID

Required

The ID of the team that the specified channel belongs to. Team IDs can be obtained using the List Teams command.

*****

Channel ID or Channel Name

Required

The ID or name of the channel to list all members from. Channel IDs and Channel names can be obtained using the List Channels command.

["*****@*****.***"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "@odata.context": "https://graph.microsoft.com/*****",
        "@odata.count": 98,
        "@odata.nextLink": "https://graph.microsoft.com/*****",
        "value": [
            {
                "@odata.type": "#microsoft.graph.aadUserConversationMember",
                "id": "*****",
                "roles": [],
                "displayName": "defender",
                "visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
                "userId": "*****",
                "email": null,
                "tenantId": "*****"
            },
            {
                "@odata.type": "#microsoft.graph.aadUserConversationMember",
                "id": "*****",
                "roles": [
                    "owner"
                ],
                "displayName": "*****",
                "visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
                "userId": "*****",
                "email": "*****@*****.*****.com",
                "tenantId": "*****"
            },
            {
                "@odata.type": "#microsoft.graph.aadUserConversationMember",
                "id": "*****",
                "roles": [],
                "displayName": "*****",
                "visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
                "userId": "*****",
                "email": null,
                "tenantId": "*****"
            },
            {
                "@odata.type": "#microsoft.graph.aadUserConversationMember",
                "id": "*****",
                "roles": [
                    "owner"
                ],
                "displayName": "*****",
                "visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
                "userId": "*****",
                "email": null,
                "tenantId": "*****"
            }
        ]
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "@odata.context": "https://graph.microsoft.com/*****",
        "@odata.count": 98,
        "@odata.nextLink": "https://graph.microsoft.com/*****",
        "value": [
            {
                "@odata.type": "#microsoft.graph.aadUserConversationMember",
                "id": "*****",
                "roles": [],
                "displayName": "defender",
                "visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
                "userId": "*****",
                "email": null,
                "tenantId": "*****"
            },
            {
                "@odata.type": "#microsoft.graph.aadUserConversationMember",
                "id": "*****",
                "roles": [
                    "owner"
                ],
                "displayName": "*****",
                "visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
                "userId": "*****",
                "email": "*****@*****.*****.com",
                "tenantId": "*****"
            },
            {
                "@odata.type": "#microsoft.graph.aadUserConversationMember",
                "id": "*****",
                "roles": [],
                "displayName": "*****",
                "visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
                "userId": "*****",
                "email": null,
                "tenantId": "*****"
            },
            {
                "@odata.type": "#microsoft.graph.aadUserConversationMember",
                "id": "*****",
                "roles": [
                    "owner"
                ],
                "displayName": "*****",
                "visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
                "userId": "*****",
                "email": null,
                "tenantId": "*****"
            }
        ]
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "UserIDs": "\"[\\\"*****\\\",\\\"*****\\\",\\\"*****\\\",\\\"*****\\\"]\"",
    "Emails": "\"[\\\"*****@*****.*****.com\\\",\\\"*****@*****.com\\\",\\\"*****@*****.com\\\",\\\"*****@*****.com\\\"]\"",
    "Count": "\"98\""
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@ODATA.CONTEXT

@ODATA.COUNT

@ODATA.NEXTLINK

VALUE

https://graph.microsoft.com/*****

98

https://graph.microsoft.com/*****

[
{
"@odata.type": "#microsoft.graph.aadUserConversationMember",
"id": "*****",
"roles": [],
"displayName": "defender",
"visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
"userId": "*****",
"email": null,
"tenantId": "*****"
},
{
"@odata.type": "#microsoft.graph.aadUserConversationMember",
"id": "*****",
"roles": [
"owner"
],
"displayName": "*****",
"visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
"userId": "*****",
"email": "*****@*****.*****.com",
"tenantId": "*****"
},
{
"@odata.type": "#microsoft.graph.aadUserConversationMember",
"id": "*****",
"roles": [],
"displayName": "*****",
"visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
"userId": "*****",
"email": null,
"tenantId": "*****"
},
{
"@odata.type": "#microsoft.graph.aadUserConversationMember",
"id": "*****",
"roles": [
"owner"
],
"displayName": "*****",
"visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
"userId": "*****",
"email": null,
"tenantId": "*****"
},
{
"@odata.type": "#microsoft.graph.aadUserConversationMember",
"id": "*****",
"roles": [],
"displayName": "*****",
"visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
"userId": "*****",
"email": null,
"tenantId": "*****"
}
]

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Channel Members failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: xxx is not channel Id or channel name existed.

Error Sample Data

List Channel Members failed.

Status Code: 404.

Message: xxx is not channel Id or channel name existed.

Get Message Reply

Retrieves a specified message reply from a channel in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.

READER NOTE

  • Team ID, Channel ID or Channel Name and Message ID are required parameters to run this command.

    • Run the List Teams command to obtain Team ID. Team IDs can be found from the returned raw data at the path $.value[*].id.

    • Run the List Channels command to obtain Channel ID or Channel Name. Channel ID can be found from the returned raw data at the path $.value[*].id; Channel Name can be found from the returned raw data at the path $.value[*].displayName.

    • The input Channel ID/Name must belong to the input Team ID. It is recommended to run the List Teams command to obtain the desired Team ID, then use that Team ID to obtain the corresponding Channel ID/Name using the List Channels command. Afterwards, input the obtained values to run this command. You will avoid the error message “____ is not channel Id or channel name existed” being returned.

    • Run the Send Message command to obtain Message IDs.

  • Before calling this API with application permissions, you must request access. For details, see Protected APIs in Microsoft Teams.

  • This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.

  • This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h ofConfiguring D3 SOAR to Work with Microsoft Teams for connection configuration.

Input

Input Parameter

Required/Optional

Description

Example

Team ID

Required

The ID of the team that the specified channel belongs to. Team IDs can be obtained using the List Teams command.

***************************************

Channel ID or Channel Name

Required

The ID or name of the channel to retrieve the message reply from. Channel IDs and Channel Names can be obtained using the List Channels command.

*****

Message ID

Required

The ID of the message to retrieve its reply messages. Message IDs can be obtained using the Send Message command.

["*****"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "@odata.context": "*****",
        "@odata.count": 1,
        "value": [
            {
                "id": "*****",
                "replyToId": "*****",
                "etag": "*****",
                "messageType": "message",
                "createdDateTime": "2021-09-27T21:22:00.992Z",
                "lastModifiedDateTime": "2021-09-27T21:22:00.992Z",
                "lastEditedDateTime": null,
                "deletedDateTime": null,
                "subject": null,
                "summary": null,
                "chatId": null,
                "importance": "normal",
                "locale": "en-us",
                "webUrl": "https://teams.microsoft.com/*****",
                "policyViolation": null,
                "eventDetail": null,
                "from": {
                    "application": null,
                    "device": null,
                    "user": {
                        "id": "*****",
                        "displayName": "*****",
                        "userIdentityType": "aadUser"
                    }
                },
                "body": {
                    "contentType": "text",
                    "content": "hi, replying the message"
                },
                "channelIdentity": {
                    "teamId": "*****",
                    "channelId": "*****"
                },
                "attachments": [],
                "mentions": [],
                "reactions": []
            }
        ]
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "@odata.context": "*****",
        "@odata.count": 1,
        "value": [
            {
                "id": "*****",
                "replyToId": "*****",
                "etag": "*****",
                "messageType": "message",
                "createdDateTime": "2021-09-27T21:22:00.992Z",
                "lastModifiedDateTime": "2021-09-27T21:22:00.992Z",
                "lastEditedDateTime": null,
                "deletedDateTime": null,
                "subject": null,
                "summary": null,
                "chatId": null,
                "importance": "normal",
                "locale": "en-us",
                "webUrl": "https://teams.microsoft.com/*****",
                "policyViolation": null,
                "eventDetail": null,
                "from": {
                    "application": null,
                    "device": null,
                    "user": {
                        "id": "*****",
                        "displayName": "*****",
                        "userIdentityType": "aadUser"
                    }
                },
                "body": {
                    "contentType": "text",
                    "content": "hi, replying the message"
                },
                "channelIdentity": {
                    "teamId": "*****",
                    "channelId": "*****"
                },
                "attachments": [],
                "mentions": [],
                "reactions": []
            }
        ]
    }
]
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@ODATA.CONTEXT

@ODATA.COUNT

VALUE

*****

1

[
{
"id": "*****",
"replyToId": "*****",
"etag": "*****",
"messageType": "message",
"createdDateTime": "2021-09-27T21:22:00.992Z",
"lastModifiedDateTime": "2021-09-27T21:22:00.992Z",
"lastEditedDateTime": null,
"deletedDateTime": null,
"subject": null,
"summary": null,
"chatId": null,
"importance": "normal",
"locale": "en-us",
"webUrl": "https://teams.microsoft.com/*****",
"policyViolation": null,
"eventDetail": null,
"from": {
"application": null,
"device": null,
"user": {
"id": "*****",
"displayName": "*****",
"userIdentityType": "aadUser"
}
},
"body": {
"contentType": "text",
"content": "hi, replying the message"
},
"channelIdentity": {
"teamId": "*****",
"channelId": "*****"
},
"attachments": [],
"mentions": [],
"reactions": []
}
]

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Message Reply failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Team ID Not Found.

Error Sample Data

Get Message Reply failed.

Status Code: 404.

Message: Team ID Not Found.

Get Shifts

Retrieves the properties and relationships of the specified shift objects by IDs.

READER NOTE

  • Team ID and Shift IDs are required parameters to run this command. 

    • Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.

    • To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:

a. Navigating to the Shifts tab

b. Clicking the hamburger menu button at the top and either selecting the desired schedule to be replaced or clicking + New schedule

c. Viewing the teams that appear

    • Run the List Shifts command to obtain Shift IDs. Shift IDs can be found from the returned raw data at the path $.value[*].id. Shift IDs must match the input team. It is suggested to run the List Teams command to obtain the desired Team ID, then use that ID to run the List Shifts command. Use those values to run this command.

  • When using the Client Credentials authentication type, if the Act As Admin Account parameter is not defined or the specified account does not have admin permissions, only the shared version of the shift can be returned. The draft version cannot be retrieved. If the shift only has a draft version, permissions will be insufficient to run this command, the error "Sorry, you need to be an admin to do this." will be returned.

Input

Input Parameter

Required/Optional

Description

Example

Team ID

Required

The ID of the team to retrieve scheduled shifts for. Team IDs can be obtained using the List Teams command.

*****

Shift IDs

Required

The ID(s) of the shift(s) to retrieve. Shift IDs can be obtained using the List Shifts command.

[

"SHFT_*****"

]

Act As Admin Account

Optional

The email address of the admin account to use to retrieve the draft version of the shared shift. Note: when using the Client Credentials authentication type, if this parameter is not defined or the specified account does not have admin permissions, only the shared version of the shift can be returned. The draft version cannot be retrieved. If the shift only has a draft version, permissions will be insufficient to retrieve the shift.

*****@*****.*****.com

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "@odata.context": "https://graph.microsoft.com/v*.*/***",
        "@odata.etag": "\"*****\"",
        "id": "SHFT_*****",
        "createdDateTime": "2023-03-16T17:34:33.962Z",
        "lastModifiedDateTime": "2023-03-16T18:16:30.005Z",
        "schedulingGroupId": "TAG_*****",
        "userId": "*****",
        "lastModifiedBy": {
            "application": null,
            "device": null,
            "user": {
                "id": "*****",
                "displayName": "*****",
                "userIdentityType": "aadUser"
            }
        },
        "sharedShift": {
            "displayName": "Day shift319 D - shared",
            "startDateTime": "2023-03-19T15:00:00Z",
            "endDateTime": "2023-03-20T00:00:00Z",
            "theme": "white",
            "notes": "Please do inventory as part of your shift.",
            "activities": [
                {
                    "isPaid": true,
                    "startDateTime": "2023-03-19T18:00:00Z",
                    "endDateTime": "2023-03-19T18:45:00Z",
                    "code": "LT",
                    "displayName": "Lunch Time",
                    "theme": "white"
                }
            ]
        },
        "draftShift": {
            "displayName": "Day shift319 D - shared&draft",
            "startDateTime": "2023-03-19T15:00:00Z",
            "endDateTime": "2023-03-20T00:00:00Z",
            "theme": "white",
            "notes": "Please do inventory as part of your shift.",
            "activities": [
                {
                    "isPaid": true,
                    "startDateTime": "2023-03-19T18:00:00Z",
                    "endDateTime": "2023-03-19T18:45:00Z",
                    "code": "LT",
                    "displayName": "Lunch Time",
                    "theme": "white"
                }
            ]
        }
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ShiftIDs": "\"[ \\\"SHFT_*****\\\" ]\"",
    "UserIDs": "\"[ \\\"*****\\\" ]\"",
    "SchedulingGroupIDs": "\"[ \\\"TAG_*****\\\" ]\""
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@ODATA.CONTEXT

https://graph.microsoft.com/v*.*/***

@ODATA.ETAG

"*****"

ID

SHFT_*****

CREATEDDATETIME

2023-03-16T17:34:33.962Z

LASTMODIFIEDDATETIME

2023-03-16T18:16:30.005Z

SCHEDULINGGROUPID

TAG_*****

USERID

*****

LASTMODIFIEDBY

{'application': None, 'device': None, 'user': {'id': '*****', 'displayName': '*****', 'userIdentityType': 'aadUser'}}

SHAREDSHIFT

{'displayName': 'Day shift319 D - shared', 'startDateTime': '2023-03-19T15:00:00Z', 'endDateTime': '2023-03-20T00:00:00Z', 'theme': 'white', 'notes': 'Please do inventory as part of your shift.', 'activities': [{'isPaid': True, 'startDateTime': '2023-03-19T18:00:00Z', 'endDateTime': '2023-03-19T18:45:00Z', 'code': 'LT', 'displayName': 'Lunch Time', 'theme': 'white'}]}

DRAFTSHIFT

{'displayName': 'Day shift319 D - shared&draft', 'startDateTime': '2023-03-19T15:00:00Z', 'endDateTime': '2023-03-20T00:00:00Z', 'theme': 'white', 'notes': 'Please do inventory as part of your shift.', 'activities': [{'isPaid': True, 'startDateTime': '2023-03-19T18:00:00Z', 'endDateTime': '2023-03-19T18:45:00Z', 'code': 'LT', 'displayName': 'Lunch Time', 'theme': 'white'}]}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Shifts failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Sorry, you need to be an admin to do this.

Error Sample Data

Get Shifts failed.

Status Code: 403.

Message: Sorry, you need to be an admin to do this.

Get Team Details By Name

Returns details about the specified team(s) in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.

READER NOTE

  • The parameter Team Names is required to run this command.

    • Run the List Teams command to obtain Team Names. Team Names can be found in the returned raw data at the path $.value.[*].displayName.

    • The Team Name parameter only supports full names. Partial names or key word searches are not supported.

  • This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.

  • This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration.

Input

Input Parameter

Required/Optional

Description

Example

Team Names

Required

The name(s) of the team(s) to retrieve corresponding details. Team Names can be obtained using the List Teams command.

[

“Create Team Test”

]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "@odata.context": "https://graph.microsoft.com/*****",
        "id": "*****",
        "createdDateTime": "2020-12-11T21:55:34.03Z",
        "displayName": "*****",
        "description": "D3DevCyber",
        "internalId": "*****@*****.***",
        "classification": null,
        "specialization": "none",
        "visibility": "public",
        "webUrl": "https://teams.microsoft.com/l/team/***",
        "isArchived": false,
        "isMembershipLimitedToOwners": false,
        "memberSettings": {
            "allowCreateUpdateChannels": true,
            "allowCreatePrivateChannels": true,
            "allowDeleteChannels": true,
            "allowAddRemoveApps": true,
            "allowCreateUpdateRemoveTabs": true,
            "allowCreateUpdateRemoveConnectors": true
        },
        "guestSettings": {
            "allowCreateUpdateChannels": false,
            "allowDeleteChannels": false
        },
        "messagingSettings": {
            "allowUserEditMessages": true,
            "allowUserDeleteMessages": true,
            "allowOwnerDeleteMessages": true,
            "allowTeamMentions": true,
            "allowChannelMentions": true
        },
        "funSettings": {
            "allowGiphy": true,
            "giphyContentRating": "moderate",
            "allowStickersAndMemes": true,
            "allowCustomMemes": true
        },
        "discoverySettings": {
            "showInTeamsSearchAndSuggestions": true
        }
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "@odata.context": "https://graph.microsoft.com/*****",
        "id": "*****",
        "createdDateTime": "2020-12-11T21:55:34.03Z",
        "displayName": "*****",
        "description": "D3DevCyber",
        "internalId": "*****@*****.***",
        "classification": null,
        "specialization": "none",
        "visibility": "public",
        "webUrl": "https://teams.microsoft.com/l/team/***",
        "isArchived": false,
        "isMembershipLimitedToOwners": false,
        "memberSettings": {
            "allowCreateUpdateChannels": true,
            "allowCreatePrivateChannels": true,
            "allowDeleteChannels": true,
            "allowAddRemoveApps": true,
            "allowCreateUpdateRemoveTabs": true,
            "allowCreateUpdateRemoveConnectors": true
        },
        "guestSettings": {
            "allowCreateUpdateChannels": false,
            "allowDeleteChannels": false
        },
        "messagingSettings": {
            "allowUserEditMessages": true,
            "allowUserDeleteMessages": true,
            "allowOwnerDeleteMessages": true,
            "allowTeamMentions": true,
            "allowChannelMentions": true
        },
        "funSettings": {
            "allowGiphy": true,
            "giphyContentRating": "moderate",
            "allowStickersAndMemes": true,
            "allowCustomMemes": true
        },
        "discoverySettings": {
            "showInTeamsSearchAndSuggestions": true
        }
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "TeamIDs": "\"[\\\"*****\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@ODATA.CONTEXT

ID

CREATEDDATETIME

DISPLAYNAME

DESCRIPTION

INTERNALID

CLASSIFICATION

SPECIALIZATION

VISIBILITY

WEBURL

ISARCHIVED

ISMEMBERSHIPLIMITEDTOOWNERS

MEMBERSETTINGS

GUESTSETTINGS

MESSAGINGSETTINGS

FUNSETTINGS

DISCOVERYSETTINGS

https://graph.microsoft.com/*****

*****

12/11/2020 9:55:34 PM

D3DevCyber

D3DevCyber

*****@*****.***

none

public

https://teams.microsoft.com/l/team/***

False

False

{
"allowCreateUpdateChannels": true,
"allowCreatePrivateChannels": true,
"allowDeleteChannels": true,
"allowAddRemoveApps": true,
"allowCreateUpdateRemoveTabs": true,
"allowCreateUpdateRemoveConnectors": true
}

{
"allowCreateUpdateChannels": false,
"allowDeleteChannels": false
}

{
"allowUserEditMessages": true,
"allowUserDeleteMessages": true,
"allowOwnerDeleteMessages": true,
"allowTeamMentions": true,
"allowChannelMentions": true
}

{
"allowGiphy": true,
"giphyContentRating": "moderate",
"allowStickersAndMemes": true,
"allowCustomMemes": true
}

{
"showInTeamsSearchAndSuggestions": true
}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Team Details By Name failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Team Names Not Found.

Error Sample Data

Get Team Details By Name failed.

Status Code: 404.

Message: Team Names Not Found.

Get User Details

Returns the properties and relationships of the specified user(s) in Microsoft Teams.

READER NOTE

  • The parameter Email or User IDs is required to run this command.

    • Run the List Users command to obtain Emails and User IDs. User IDs can be found from the returned raw data at the path $.value[*].id.

  • This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration.

Input

Input Parameter

Required/Optional

Description

Example

Email or User IDs

Required

The email(s) or ID(s) of the user(s) to retrieve corresponding details. Email and User IDs can be obtained using the List Users command.

[

"*****",

“*****@*****.*****.com”

]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "@odata.context": "https://graph.microsoft.com/*****",
        "@odata.id": "https://graph.microsoft.com/v*/*****",
        "id": "*****",
        "deletedDateTime": null,
        "accountEnabled": true,
        "ageGroup": null,
        "businessPhones": [],
        "city": null,
        "createdDateTime": "2021-06-02T06:46:12Z",
        "creationType": null,
        "companyName": null,
        "consentProvidedForMinor": null,
        "country": null,
        "department": null,
        "displayName": "2",
        "employeeId": null,
        "employeeHireDate": null,
        "employeeType": null,
        "faxNumber": null,
        "givenName": "2",
        "imAddresses": [],
        "infoCatalogs": [],
        "isManagementRestricted": null,
        "isResourceAccount": null,
        "jobTitle": null,
        "legalAgeGroupClassification": null,
        "mail": null,
        "mailNickname": "2",
        "mobilePhone": null,
        "onPremisesDistinguishedName": "CN=2,CN=Users,DC=d3cyberlab,DC=local",
        "officeLocation": null,
        "onPremisesDomainName": "***.***",
        "onPremisesImmutableId": "*****",
        "onPremisesLastSyncDateTime": "2021-06-16T20:27:47Z",
        "onPremisesSecurityIdentifier": "*****",
        "onPremisesSamAccountName": "2",
        "onPremisesSyncEnabled": true,
        "onPremisesUserPrincipalName": "2@***.***",
        "otherMails": [],
        "passwordPolicies": "DisablePasswordExpiration",
        "postalCode": null,
        "preferredDataLocation": null,
        "preferredLanguage": null,
        "proxyAddresses": [],
        "refreshTokensValidFromDateTime": "2021-01-12T02:26:21Z",
        "showInAddressList": null,
        "signInSessionsValidFromDateTime": "2021-01-12T02:26:21Z",
        "state": null,
        "streetAddress": null,
        "surname": null,
        "usageLocation": null,
        "userPrincipalName": "*****@*****.*****.com",
        "externalUserState": null,
        "externalUserStateChangeDateTime": null,
        "userType": "Member",
        "employeeOrgData": null,
        "passwordProfile": null,
        "assignedLicenses": [],
        "assignedPlans": [],
        "deviceKeys": [],
        "identities": [
            {
                "signInType": "userPrincipalName",
                "issuer": "*****@*****.*****.com",
                "issuerAssignedId": "*****@*****.*****.com"
            }
        ],
        "onPremisesExtensionAttributes": {
            "extensionAttribute1": null,
            "extensionAttribute2": null,
            "extensionAttribute3": null,
            "extensionAttribute4": null,
            "extensionAttribute5": null,
            "extensionAttribute6": null,
            "extensionAttribute7": null,
            "extensionAttribute8": null,
            "extensionAttribute9": null,
            "extensionAttribute10": null,
            "extensionAttribute11": null,
            "extensionAttribute12": null,
            "extensionAttribute13": null,
            "extensionAttribute14": null,
            "extensionAttribute15": null
        },
        "onPremisesProvisioningErrors": [],
        "provisionedPlans": []
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "@odata.context": "https://graph.microsoft.com/*****",
        "@odata.id": "https://graph.microsoft.com/v*/*****",
        "id": "*****",
        "deletedDateTime": null,
        "accountEnabled": true,
        "ageGroup": null,
        "businessPhones": [],
        "city": null,
        "createdDateTime": "2021-06-02T06:46:12Z",
        "creationType": null,
        "companyName": null,
        "consentProvidedForMinor": null,
        "country": null,
        "department": null,
        "displayName": "2",
        "employeeId": null,
        "employeeHireDate": null,
        "employeeType": null,
        "faxNumber": null,
        "givenName": "2",
        "imAddresses": [],
        "infoCatalogs": [],
        "isManagementRestricted": null,
        "isResourceAccount": null,
        "jobTitle": null,
        "legalAgeGroupClassification": null,
        "mail": null,
        "mailNickname": "2",
        "mobilePhone": null,
        "onPremisesDistinguishedName": "CN=2,CN=Users,DC=d3cyberlab,DC=local",
        "officeLocation": null,
        "onPremisesDomainName": "***.***",
        "onPremisesImmutableId": "*****",
        "onPremisesLastSyncDateTime": "2021-06-16T20:27:47Z",
        "onPremisesSecurityIdentifier": "*****",
        "onPremisesSamAccountName": "2",
        "onPremisesSyncEnabled": true,
        "onPremisesUserPrincipalName": "2@***.***",
        "otherMails": [],
        "passwordPolicies": "DisablePasswordExpiration",
        "postalCode": null,
        "preferredDataLocation": null,
        "preferredLanguage": null,
        "proxyAddresses": [],
        "refreshTokensValidFromDateTime": "2021-01-12T02:26:21Z",
        "showInAddressList": null,
        "signInSessionsValidFromDateTime": "2021-01-12T02:26:21Z",
        "state": null,
        "streetAddress": null,
        "surname": null,
        "usageLocation": null,
        "userPrincipalName": "*****@*****.*****.com",
        "externalUserState": null,
        "externalUserStateChangeDateTime": null,
        "userType": "Member",
        "employeeOrgData": null,
        "passwordProfile": null,
        "assignedLicenses": [],
        "assignedPlans": [],
        "deviceKeys": [],
        "identities": [
            {
                "signInType": "userPrincipalName",
                "issuer": "*****@*****.*****.com",
                "issuerAssignedId": "*****@*****.*****.com"
            }
        ],
        "onPremisesExtensionAttributes": {
            "extensionAttribute1": null,
            "extensionAttribute2": null,
            "extensionAttribute3": null,
            "extensionAttribute4": null,
            "extensionAttribute5": null,
            "extensionAttribute6": null,
            "extensionAttribute7": null,
            "extensionAttribute8": null,
            "extensionAttribute9": null,
            "extensionAttribute10": null,
            "extensionAttribute11": null,
            "extensionAttribute12": null,
            "extensionAttribute13": null,
            "extensionAttribute14": null,
            "extensionAttribute15": null
        },
        "onPremisesProvisioningErrors": [],
        "provisionedPlans": []
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "UserIDs": "\"[\\\"*****\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@ODATA.CONTEXT

@ODATA.ID

ID

DELETEDDATETIME

ACCOUNTENABLED

AGEGROUP

BUSINESSPHONES

CITY

CREATEDDATETIME

CREATIONTYPE

COMPANYNAME

CONSENTPROVIDEDFORMINOR

COUNTRY

DEPARTMENT

DISPLAYNAME

EMPLOYEEID

EMPLOYEEHIREDATE

EMPLOYEETYPE

FAXNUMBER

GIVENNAME

IMADDRESSES

INFOCATALOGS

ISMANAGEMENTRESTRICTED

ISRESOURCEACCOUNT

JOBTITLE

LEGALAGEGROUPCLASSIFICATION

MAIL

MAILNICKNAME

MOBILEPHONE

ONPREMISESDISTINGUISHEDNAME

OFFICELOCATION

ONPREMISESDOMAINNAME

ONPREMISESIMMUTABLEID

ONPREMISESLASTSYNCDATETIME

ONPREMISESSECURITYIDENTIFIER

ONPREMISESSAMACCOUNTNAME

ONPREMISESSYNCENABLED

ONPREMISESUSERPRINCIPALNAME

OTHERMAILS

PASSWORDPOLICIES

POSTALCODE

PREFERREDDATALOCATION

PREFERREDLANGUAGE

PROXYADDRESSES

REFRESHTOKENSVALIDFROMDATETIME

SHOWINADDRESSLIST

SIGNINSESSIONSVALIDFROMDATETIME

STATE

STREETADDRESS

SURNAME

USAGELOCATION

USERPRINCIPALNAME

EXTERNALUSERSTATE

EXTERNALUSERSTATECHANGEDATETIME

USERTYPE

EMPLOYEEORGDATA

PASSWORDPROFILE

ASSIGNEDLICENSES

ASSIGNEDPLANS

DEVICEKEYS

IDENTITIES

ONPREMISESEXTENSIONATTRIBUTES

ONPREMISESPROVISIONINGERRORS

PROVISIONEDPLANS

https://graph.microsoft.com/*****

https://graph.microsoft.com/v*/*****

*****

True

[]

6/2/2021 6:46:12 AM

2

2

[]

[]

2

CN=2,CN=Users,DC=d3cyberlab,DC=local

***.***

*****

6/16/2021 8:27:47 PM

*****

2

True

2@***.***

[]

DisablePasswordExpiration

[]

1/12/2021 2:26:21 AM

1/12/2021 2:26:21 AM

*****@*****.*****.com

Member

[]

[]

[]

[
{
"signInType": "userPrincipalName",
"issuer": "*****@*****.*****.com",
"issuerAssignedId": "*****@*****.*****.com"
}
]

{
"extensionAttribute1": null,
"extensionAttribute2": null,
"extensionAttribute3": null,
"extensionAttribute4": null,
"extensionAttribute5": null,
"extensionAttribute6": null,
"extensionAttribute7": null,
"extensionAttribute8": null,
"extensionAttribute9": null,
"extensionAttribute10": null,
"extensionAttribute11": null,
"extensionAttribute12": null,
"extensionAttribute13": null,
"extensionAttribute14": null,
"extensionAttribute15": null
}

[]

[]

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get User Details failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Email or User IDs Not Found.

Error Sample Data

Get User Details failed.

Status Code: 403.

Message: Email or User IDs Not Found.

List Channels

Retrieves a list of all existing channels in the specified team. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.

READER NOTE

  • Team ID or Team Name is a required parameter to run this command.

    • Run the List Teams command to obtain Team IDs and Team Names. Team IDs can be found in the returned raw data at the path $.value.[*].id; Team Names can be found in the returned raw data at the path $.value.[*].displayName.

  • This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.

  • This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration.

Input

Input Parameter

Required/Optional

Description

Example

Team ID or Team Name

Required

The ID of the team that the channel belongs to. Team IDs and Team Names can be obtained using the List Teams command.

***************************************

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@odata.context": "https://graph.microsoft.com/***",
    "@odata.count": 10,
    "value": [
        {
            "id": "*****@*****.***",
            "createdDateTime": "2020-12-11T21:55:34.03Z",
            "displayName": "*****",
            "description": "D3DevCyber",
            "isFavoriteByDefault": null,
            "email": "",
            "webUrl": "https://teams.microsoft.com/l/*****",
            "membershipType": "standard",
            "moderationSettings": null
        },
        {
            "id": "*****",
            "createdDateTime": "2021-04-07T17:26:19.833Z",
            "displayName": "*****",
            "description": null,
            "isFavoriteByDefault": false,
            "email": "",
            "webUrl": "https://teams.microsoft.com/***",
            "membershipType": "standard",
            "moderationSettings": {
                "userNewMessageRestriction": "everyone",
                "replyRestriction": "everyone",
                "allowNewMessageFromBots": true,
                "allowNewMessageFromConnectors": true
            }
        },
        {
            "id": "*****",
            "createdDateTime": "2021-09-20T23:29:08.731Z",
            "displayName": "*****",
            "description": null,
            "isFavoriteByDefault": false,
            "email": "",
            "webUrl": "https://teams.microsoft.com/*****
            "membershipType": "standard",
            "moderationSettings": {
                "userNewMessageRestriction": "everyone",
                "replyRestriction": "everyone",
                "allowNewMessageFromBots": true,
                "allowNewMessageFromConnectors": true
            }
        },
        {
            "id": "*****",
            "createdDateTime": "2021-04-07T17:08:53.571Z",
            "displayName": "*****",
            "description": null,
            "isFavoriteByDefault": null,
            "email": "",
            "webUrl": "https://teams.microsoft.com/*****",
            "membershipType": "private",
            "moderationSettings": null
        }
    ]
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
{
    "@odata.context": "https://graph.microsoft.com/***",
    "@odata.count": 10,
    "value": [
        {
            "id": "*****@*****.***",
            "createdDateTime": "2020-12-11T21:55:34.03Z",
            "displayName": "*****",
            "description": "D3DevCyber",
            "isFavoriteByDefault": null,
            "email": "",
            "webUrl": "https://teams.microsoft.com/l/*****",
            "membershipType": "standard",
            "moderationSettings": null
        },
        {
            "id": "*****",
            "createdDateTime": "2021-04-07T17:26:19.833Z",
            "displayName": "*****",
            "description": null,
            "isFavoriteByDefault": false,
            "email": "",
            "webUrl": "https://teams.microsoft.com/***",
            "membershipType": "standard",
            "moderationSettings": {
                "userNewMessageRestriction": "everyone",
                "replyRestriction": "everyone",
                "allowNewMessageFromBots": true,
                "allowNewMessageFromConnectors": true
            }
        },
        {
            "id": "*****",
            "createdDateTime": "2021-09-20T23:29:08.731Z",
            "displayName": "*****",
            "description": null,
            "isFavoriteByDefault": false,
            "email": "",
            "webUrl": "https://teams.microsoft.com/*****
            "membershipType": "standard",
            "moderationSettings": {
                "userNewMessageRestriction": "everyone",
                "replyRestriction": "everyone",
                "allowNewMessageFromBots": true,
                "allowNewMessageFromConnectors": true
            }
        },
        {
            "id": "*****",
            "createdDateTime": "2021-04-07T17:08:53.571Z",
            "displayName": "*****",
            "description": null,
            "isFavoriteByDefault": null,
            "email": "",
            "webUrl": "https://teams.microsoft.com/*****",
            "membershipType": "private",
            "moderationSettings": null
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ChannelIDs": "\"[\\\"*****@*****.***\\\",\\\"*****\\\",\\\"*****\\\",\\\"*****\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@odata.context

https://graph.microsoft.com/***

@odata.count

10

value

  • {

    "id": "*****@*****.***",

    "createdDateTime": "2020-12-11T21:55:34.03Z",

    "displayName": "*****",

    "description": "D3DevCyber",

    "isFavoriteByDefault": null,

    "email": "",

    "webUrl": "https://teams.microsoft.com/l/*****",

    "membershipType": "standard",

    "moderationSettings": null

    }

  • {

    "id": "*****",

    "createdDateTime": "2021-04-07T17:26:19.833Z",

    "displayName": "*****",

    "description": null,

    "isFavoriteByDefault": false,

    "email": "",

    "webUrl": "https://teams.microsoft.com/***",

    "membershipType": "standard",

    "moderationSettings": {

    "userNewMessageRestriction": "everyone",

    "replyRestriction": "everyone",

    "allowNewMessageFromBots": true,

    "allowNewMessageFromConnectors": true

    }

    }

  • {

    "id": "*****",

    "createdDateTime": "2021-09-20T23:29:08.731Z",

    "displayName": "*****",

    "description": null,

    "isFavoriteByDefault": false,

    "email": "",

    "webUrl": "https://teams.microsoft.com/*****

    "membershipType": "standard",

    "moderationSettings": {

    "userNewMessageRestriction": "everyone",

    "replyRestriction": "everyone",

    "allowNewMessageFromBots": true,

    "allowNewMessageFromConnectors": true

    }

    }

  • {

    "id": "*****",

    "createdDateTime": "2021-04-07T17:08:53.571Z",

    "displayName": "*****",

    "description": null,

    "isFavoriteByDefault": null,

    "email": "",

    "webUrl": "https://teams.microsoft.com/*****",

    "membershipType": "private",

    "moderationSettings": null

    }

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Channels failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Team ID or Team Name is not exists.

Error Sample Data

List Channels failed.

Status Code: 404.

Message: Team ID or Team Name is not exists.

List Chat Messages

Retrieves the list of messages in a specified chat. Note: If the API connection was authenticated using authorization_code, you can only retrieve chat messages from chats the granted user is part of. If using client_credentials authentication, you can retrieve a specified user's chat message by defining the User Principal Name parameter.

READER NOTE

  • Chat ID is a required parameter to run this command.

    • Run the List Chats command to obtain the Chat ID. Chat IDs can be found in the raw data at the path $.value[*].id.

  • If the API connection was authenticated using authorization_code, you can only retrieve chat messages from chats the granted user is part of.

  • The User Principal Name parameter is required if the connection was authenticated using the client_credentials grant type. Otherwise, this parameter will not be used for the search. If using client_credentials authentication, you can retrieve a specified user's chat message by defining the User Principal Name parameter.

Input

Input Parameter

Required/Optional

Description

Example

User Principal Name

Optional

The principal name of the user to retrieve chat messages. If using authorization_code authentication, this parameter does not apply.

*****@*****.com

Chat ID

Required

The ID of the chat to retrieve messages. Chat ID can be obtained using the List Chats command.

*****@*****.*****.***

Updated After

Optional

The messages created or updated after this time (in UTC time) will be returned. If this parameter is not defined, messages created or updated 24 hours before the 'Updated Before' time will be returned.

2023-05-29 00:00

Updated Before

Optional

The messages created or updated before this time (in UTC time) will be returned. If this parameter is not defined, the default value is the current time.

2023-05-30 00:00

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@odata.context": "https://graph.microsoft.com/v*.*/***",
    "@odata.count": 1,
    "@odata.nextLink": "https://graph.microsoft.com/v*.*/***",
    "value": [
        {
            "id": "*****",
            "replyToId": null,
            "etag": "*****",
            "messageType": "message",
            "createdDateTime": "2023-05-29T19:44:01.352Z",
            "lastModifiedDateTime": "2023-05-29T19:44:01.352Z",
            "lastEditedDateTime": null,
            "deletedDateTime": null,
            "subject": null,
            "summary": null,
            "chatId": "*****@*****.*****.***",
            "importance": "normal",
            "locale": "en-us",
            "webUrl": null,
            "channelIdentity": null,
            "policyViolation": null,
            "eventDetail": null,
            "from": {
                "application": null,
                "device": null,
                "user": {
                    "@odata.type": "#microsoft.graph.teamworkUserIdentity",
                    "id": "*****",
                    "displayName": "*****",
                    "userIdentityType": "aadUser",
                    "tenantId": "*****"
                }
            },
            "body": {
                "contentType": "html",
                "content": "Hello World in BOLD 2023-05-29T19:43:05.336Z."
            },
            "attachments": [],
            "mentions": [],
            "reactions": []
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ChatIDs": "\"[\\\"*****@*****.*****.***\\\"]\"",
    "MessageIDs": "\"[\\\"*****\\\"]\"",
    "From": "\"[\\\"*****\\\"]\"",
    "Messages": "\"[\\\"Hello World in BOLD 2023-05-29T19:43:05.336Z.\\\"]\"",
    "UpdatedTime": "\"[\\\"2023-05-29T19:44:01.352Z\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@odata.context

https://graph.microsoft.com/v*.*/***

@odata.count

1

@odata.nextLink

https://graph.microsoft.com/v*.*/***

value

  • {'id': '*****', 'replyToId': None, 'etag': '*****', 'messageType': 'message', 'createdDateTime': '2023-05-29T19:44:01.352Z', 'lastModifiedDateTime': '2023-05-29T19:44:01.352Z', 'lastEditedDateTime': None, 'deletedDateTime': None, 'subject': None, 'summary': None, 'chatId': '*****@*****.*****.***', 'importance': 'normal', 'locale': 'en-us', 'webUrl': None, 'channelIdentity': None, 'policyViolation': None, 'eventDetail': None, 'from': {'application': None, 'device': None, 'user': {'@odata.type': '#microsoft.graph.teamworkUserIdentity', 'id': '*****', 'displayName': '*****', 'userIdentityType': 'aadUser', 'tenantId': '*****'}}, 'body': {'contentType': 'html', 'content': '

    Hello World in BOLD 2023-05-29T19:43:05.336Z.

    '}, 'attachments': [], 'mentions': [], 'reactions': []}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Chat Messages failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Resource not found.

Error Sample Data

List Chat Messages failed.

Status Code: 404.

Message: Resource not found.

List Chats

Retrieves the list of chats that the user is part of.Note: If the API connection was authenticated using authorization_code, you can only retrieve chats that the granted user is part of. If using client_credentials authentication, you can retrieve a specified user's chat by defining the User Principal Name parameter.

READER NOTE

  • If the API connection was authenticated using authorization_code, you can only retrieve chat messages from chats the granted user is part of.

  • The User Principal Name parameter is required if the connection was authenticated using the client_credentials grant type. Otherwise, this parameter will not be used for the search. If using client_credentials authentication, you can retrieve a specified user's chat message by defining the User Principal Name parameter.

Input

Input Parameter

Required/Optional

Description

Example

User Principal Name

Optional

The principal name of the user to retrieve chats. If authorization_code authentication is used, this parameter does not apply.

*****@*****.com

Chat Type

Optional

The type of the chat to be returned. If this parameter is not defined, chats of any type will be returned. The available chat types are one on one, group, meeting and unknown.

One On One

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@odata.context": "https://graph.microsoft.com/v*.*/***",
    "@odata.count": 1,
    "value": [
        {
            "id": "*****@*****.*****.***",
            "topic": null,
            "createdDateTime": "2023-05-29T17:51:24.562Z",
            "lastUpdatedDateTime": "2023-05-29T17:51:24.562Z",
            "chatType": "oneOnOne",
            "webUrl": "https://teams.microsoft.com/*****",
            "tenantId": "*****",
            "viewpoint": null,
            "onlineMeetingInfo": null,
            "members@odata.context": "https://graph.microsoft.com/v*.*/***",
            "members": [
                {
                    "@odata.type": "#microsoft.graph.aadUserConversationMember",
                    "id": "*****
                    "roles": [
                        "owner"
                    ],
                    "displayName": "*****",
                    "visibleHistoryStartDateTime": "2023-05-29T17:51:24.467Z",
                    "userId": "*****",
                    "email": "*****@*****.*****.com",
                    "tenantId": "*****"
                },
                {
                    "@odata.type": "#microsoft.graph.aadUserConversationMember",
                    "id": "*****",
                    "roles": [
                        "owner"
                    ],
                    "displayName": "phish",
                    "visibleHistoryStartDateTime": "2023-05-29T17:51:24.467Z",
                    "userId": "*****",
                    "email": "*****@*****.com",
                    "tenantId": "*****"
                }
            ]
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ChatID": "\"[\\\"*****@*****.*****.***\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@odata.context

https://graph.microsoft.com/v*.*/***

@odata.count

1

value

  • {'id': '*****@*****.*****.***', 'topic': None, 'createdDateTime': '2023-05-29T17:51:24.562Z', 'lastUpdatedDateTime': '2023-05-29T17:51:24.562Z', 'chatType': 'oneOnOne', 'webUrl': 'https://teams.microsoft.com/*****', 'tenantId': '*****', 'viewpoint': None, 'onlineMeetingInfo': None, 'members@odata.context': "https://graph.microsoft.com/v*.*/***", 'members': [{'@odata.type': '#microsoft.graph.aadUserConversationMember', 'id': '*****', 'roles': ['owner'], 'displayName': '*****', 'visibleHistoryStartDateTime': '2023-05-29T17:51:24.467Z', 'userId': '*****', 'email': '*****@*****.*****.com', 'tenantId': '*****'}, {'@odata.type': '#microsoft.graph.aadUserConversationMember', 'id': '*****', 'roles': ['owner'], 'displayName': 'phish', 'visibleHistoryStartDateTime': '2023-05-29T17:51:24.467Z', 'userId': '*****', 'email': '*****@*****.com', 'tenantId': '*****'}]}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Chats failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: unauthorized_client.

Error Sample Data

List Chats failed.

Status Code: 400.

Message: unauthorized_client.

List Joined Teams

Retrieves a list of the specified user(s)’ joined teams in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.

READER NOTE

  • Email or User IDs is a required parameter to run this command.

    • Run the List Users command to obtain Emails and User IDs. User IDs can be found from the returned raw data at the path $.value[*].id.

  • This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.

  • This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration.

Input

Input Parameter

Required/Optional

Description

Example

Email or User IDs

Required

The email(s) or ID(s) of the user(s) to retrieve the list of joined teams. Email or User IDs can be obtained using the List Users command.

[

"*****",

“*****@*****.*****.com”

]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "@odata.context": "https://graph.microsoft.com/*****",
        "@odata.count": 3,
        "value": [
            {
                "id": "*****",
                "createdDateTime": null,
                "displayName": "*****",
                "description": "D3DevCyber",
                "internalId": null,
                "classification": null,
                "specialization": null,
                "visibility": null,
                "webUrl": null,
                "isArchived": false,
                "isMembershipLimitedToOwners": null,
                "memberSettings": null,
                "guestSettings": null,
                "messagingSettings": null,
                "funSettings": null,
                "discoverySettings": null
            },
            {
                "id": "*****",
                "createdDateTime": null,
                "displayName": "*****",
                "description": "*****@*****.com as owner",
                "internalId": null,
                "classification": null,
                "specialization": null,
                "visibility": null,
                "webUrl": null,
                "isArchived": false,
                "isMembershipLimitedToOwners": null,
                "memberSettings": null,
                "guestSettings": null,
                "messagingSettings": null,
                "funSettings": null,
                "discoverySettings": null
            },
            {
                "id": "*****",
                "createdDateTime": null,
                "displayName": "*****",
                "description": "Testing the the createteam command_20190913_nomemversetting",
                "internalId": null,
                "classification": null,
                "specialization": null,
                "visibility": null,
                "webUrl": null,
                "isArchived": false,
                "isMembershipLimitedToOwners": null,
                "memberSettings": null,
                "guestSettings": null,
                "messagingSettings": null,
                "funSettings": null,
                "discoverySettings": null
            }
        ]
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "@odata.context": "https://graph.microsoft.com/*****",
        "@odata.count": 3,
        "value": [
            {
                "id": "*****",
                "createdDateTime": null,
                "displayName": "*****",
                "description": "D3DevCyber",
                "internalId": null,
                "classification": null,
                "specialization": null,
                "visibility": null,
                "webUrl": null,
                "isArchived": false,
                "isMembershipLimitedToOwners": null,
                "memberSettings": null,
                "guestSettings": null,
                "messagingSettings": null,
                "funSettings": null,
                "discoverySettings": null
            },
            {
                "id": "*****",
                "createdDateTime": null,
                "displayName": "*****",
                "description": "*****@*****.com as owner",
                "internalId": null,
                "classification": null,
                "specialization": null,
                "visibility": null,
                "webUrl": null,
                "isArchived": false,
                "isMembershipLimitedToOwners": null,
                "memberSettings": null,
                "guestSettings": null,
                "messagingSettings": null,
                "funSettings": null,
                "discoverySettings": null
            },
            {
                "id": "*****",
                "createdDateTime": null,
                "displayName": "*****",
                "description": "Testing the the createteam command_20190913_nomemversetting",
                "internalId": null,
                "classification": null,
                "specialization": null,
                "visibility": null,
                "webUrl": null,
                "isArchived": false,
                "isMembershipLimitedToOwners": null,
                "memberSettings": null,
                "guestSettings": null,
                "messagingSettings": null,
                "funSettings": null,
                "discoverySettings": null
            }
        ]
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "UserIDs": "\"[\\\"*****\\\",\\\"*****\\\",\\\"*****\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@ODATA.CONTEXT

@ODATA.COUNT

VALUE

https://graph.microsoft.com/*****

3

[
{
"id": "*****",
"createdDateTime": null,
"displayName": "*****",
"description": "D3DevCyber",
"internalId": null,
"classification": null,
"specialization": null,
"visibility": null,
"webUrl": null,
"isArchived": false,
"isMembershipLimitedToOwners": null,
"memberSettings": null,
"guestSettings": null,
"messagingSettings": null,
"funSettings": null,
"discoverySettings": null
},
{
"id": "*****",
"createdDateTime": null,
"displayName": "*****",
"description": "*****@*****.com as owner",
"internalId": null,
"classification": null,
"specialization": null,
"visibility": null,
"webUrl": null,
"isArchived": false,
"isMembershipLimitedToOwners": null,
"memberSettings": null,
"guestSettings": null,
"messagingSettings": null,
"funSettings": null,
"discoverySettings": null
},
{
"id": "*****",
"createdDateTime": null,
"displayName": "*****",
"description": "Testing the the createteam command_20190913_nomemversetting",
"internalId": null,
"classification": null,
"specialization": null,
"visibility": null,
"webUrl": null,
"isArchived": false,
"isMembershipLimitedToOwners": null,
"memberSettings": null,
"guestSettings": null,
"messagingSettings": null,
"funSettings": null,
"discoverySettings": null
}
]

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Joined Teams failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Email or User IDs Not Found.

Error Sample Data

List Joined Teams failed.

Status Code: 404.

Message: Email or User IDs Not Found.

List Scheduling Groups

Retrieves the list of scheduling groups by the specified team within a schedule.

READER NOTE

Team ID is a required parameter to run this command. 

  • Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.

  • To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:

a. Navigating to the Shifts tab 

b. Clicking the three bar menu button at the top and either selecting the desired schedule to be replaced or clicking + New schedule

c. Viewing the teams that appear

Input

Input Parameter

Required/Optional

Description

Example

Team ID

Required

The ID of the team to retrieve scheduling groups for. Team IDs can be obtained using the List Teams command.

*****

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@odata.context": "https://graph.microsoft.com/v*.*/***",
    "@odata.count": 2,
    "value": [
        {
            "@odata.etag": "\"*****\"",
            "id": "TAG_*****",
            "createdDateTime": "2023-03-15T20:18:05.634Z",
            "lastModifiedDateTime": "2023-03-15T20:22:06.62Z",
            "displayName": "Day Group",
            "isActive": true,
            "userIds": [
                "*****",
                "*****"
            ],
            "lastModifiedBy": {
                "application": null,
                "device": null,
                "user": {
                    "id": "*****",
                    "displayName": "*****",
                    "userIdentityType": "aadUser"
                }
            }
        },
        {
            "@odata.etag": "\"*****\"",
            "id": "TAG_*****",
            "createdDateTime": "2023-03-16T00:48:02.119Z",
            "lastModifiedDateTime": "2023-03-16T17:09:21.812Z",
            "displayName": "groupABC",
            "isActive": true,
            "userIds": [
                "*****",
                "*****"
            ],
            "lastModifiedBy": {
                "application": null,
                "device": null,
                "user": {
                    "id": "*****",
                    "displayName": "*****",
                    "userIdentityType": "aadUser"
                }
            }
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "GroupIDs": "\"[\\\"TAG_*****\\\", \\\"TAG_*****\\\"]\"",
    "GroupNames": "\"[\\\"Day Group\\\", \\\"groupABC\\\"]\"",
    "IsActive": "\"[true, true]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Scheduling Groups failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Sorry, the team was not found, or you may not have access to it.

Error Sample Data

List Scheduling Groups failed.

Status Code: 404.

Message: Sorry, the team was not found, or you may not have access to it.

List Shifts

Retrieves the list of shift instances in a schedule.

READER NOTE

  • When using the Client Credentials authentication type, the Act As Admin Account parameter is required to run this command.

    • If the input Act As Admin Account parameter is not an admin account, then only shared shifts can be listed. If you are using an admin account or the Authorization Code authentication type, both shared and draft shifts will be returned.

    • You can distinguish whether shifts are draft or shared versions within Microsoft Teams. Shifts with the star symbol are not shared and won't be listed here.

    • When creating shifts using the Create Shift command, the Shift Version parameter can be used to define the shared or draft version of the shift.

  • Team ID is a required parameter to run this command. 

    • Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.

  • To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:

a. Navigating to the Shifts tab 

b. Clicking the three bar menu button at the top and either selecting the desired schedule to be replaced or clicking + New schedule

c. Viewing the teams that appear

Input

Input Parameter

Required/Optional

Description

Example

Team ID

Required

The ID of the team to retrieve scheduled shifts for. Team IDs can be obtained using the List Teams command.

*****

Shared Shift Start Time

Optional

The start time of the shifts to retrieve in UTC time.

2023-03-11 00:00

Shared Shift End Time

Optional

The end time of the shifts to retrieve in UTC time.

2023-03-18 00:00

Act As Admin Account

Optional

The email address of the admin account to use to get the draft version of the shared shift. Note: when using the Client Credentials authentication type, this parameter is required.

*****@*****.*****.com

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@odata.context": "https://graph.microsoft.com/v*.*/***",
    "@odata.count": 2,
    "value": [
        {
            "@odata.etag": "\"*****\"",
            "id": "SHFT_*****",
            "createdDateTime": "2023-03-15T20:05:59.788Z",
            "lastModifiedDateTime": "2023-03-15T22:43:54.025Z",
            "schedulingGroupId": null,
            "userId": "*****",
            "draftShift": null,
            "lastModifiedBy": {
                "application": null,
                "device": null,
                "user": {
                    "id": "*****",
                    "displayName": "*****",
                    "userIdentityType": "aadUser"
                }
            },
            "sharedShift": {
                "displayName": "Day shift123 - shared",
                "startDateTime": "2023-03-15T15:00:00Z",
                "endDateTime": "2023-03-16T00:00:00Z",
                "theme": "blue",
                "notes": "Please do inventory as part of your shift.",
                "activities": [
                    {
                        "isPaid": true,
                        "startDateTime": "2023-03-15T15:00:00Z",
                        "endDateTime": "2023-03-15T15:15:00Z",
                        "code": "",
                        "displayName": "Lunch",
                        "theme": "white"
                    }
                ]
            }
        },
        {
            "@odata.etag": "\"*****\"",
            "id": "SHFT_*****",
            "createdDateTime": "2023-03-15T23:55:51.741Z",
            "lastModifiedDateTime": "2023-03-15T23:55:51.741Z",
            "schedulingGroupId": "TAG_*****",
            "userId": "*****",
            "draftShift": null,
            "lastModifiedBy": {
                "application": null,
                "device": null,
                "user": {
                    "id": "*****",
                    "displayName": "*****",
                    "userIdentityType": "aadUser"
                }
            },
            "sharedShift": {
                "displayName": "*****",
                "startDateTime": "2023-03-15T15:00:00Z",
                "endDateTime": "2023-03-16T00:00:00Z",
                "theme": "blue",
                "notes": "Please do inventory as part of your shift.",
                "activities": [
                    {
                        "isPaid": true,
                        "startDateTime": "2023-03-15T15:00:00Z",
                        "endDateTime": "2023-03-15T15:15:00Z",
                        "code": "",
                        "displayName": "Lunch",
                        "theme": "white"
                    }
                ]
            }
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ShiftIDs": "\"[ \\\"SHFT_*****\\\", \\\"SHFT_*****\\\" ]\"",
    "UserIDs": "\"[ \\\"*****\\\", \\\"*****\\\" ]\"",
    "SchedulingGroupIDs": "\"[ \\\"None\\\",\\\"TAG_*****\\\" ]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@odata.context

https://graph.microsoft.com/v*.*/***

@odata.count

2

value

  • {'@odata.etag': '"*****"', 'id': 'SHFT_*****', 'createdDateTime': '2023-03-15T20:05:59.788Z', 'lastModifiedDateTime': '2023-03-15T22:43:54.025Z', 'schedulingGroupId': None, 'userId': '*****', 'draftShift': None, 'lastModifiedBy': {'application': None, 'device': None, 'user': {'id': '*****', 'displayName': '*****', 'userIdentityType': 'aadUser'}}, 'sharedShift': {'displayName': 'Day shift123 - shared', 'startDateTime': '2023-03-15T15:00:00Z', 'endDateTime': '2023-03-16T00:00:00Z', 'theme': 'blue', 'notes': 'Please do inventory as part of your shift.', 'activities': [{'isPaid': True, 'startDateTime': '2023-03-15T15:00:00Z', 'endDateTime': '2023-03-15T15:15:00Z', 'code': '', 'displayName': 'Lunch', 'theme': 'white'}]}}

  • {'@odata.etag': '"*****"', 'id': 'SHFT_*****', 'createdDateTime': '2023-03-15T23:55:51.741Z', 'lastModifiedDateTime': '2023-03-15T23:55:51.741Z', 'schedulingGroupId': 'TAG_*****', 'userId': '*****', 'draftShift': None, 'lastModifiedBy': {'application': None, 'device': None, 'user': {'id': '*****', 'displayName': '*****', 'userIdentityType': 'aadUser'}}, 'sharedShift': {'displayName': '*****', 'startDateTime': '2023-03-15T15:00:00Z', 'endDateTime': '2023-03-16T00:00:00Z', 'theme': 'blue', 'notes': 'Please do inventory as part of your shift.', 'activities': [{'isPaid': True, 'startDateTime': '2023-03-15T15:00:00Z', 'endDateTime': '2023-03-15T15:15:00Z', 'code': '', 'displayName': 'Lunch', 'theme': 'white'}]}}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Shifts failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Sorry, the team was not found, or you may not have access to it.

Error Sample Data

List Shifts failed.

Status Code: 404.

Message: Sorry, the team was not found, or you may not have access to it.

List Team Members

Retrieves a list of members of the specified team.

READER NOTE

Team ID is a required parameter to run this command. 

  • Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id.

  • To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:

a. Navigating to the Shifts tab 

b. Clicking the three bar menu button at the top and either selecting the desired schedule to be replaced or clicking + New schedule

c. Viewing the teams that appear

Input

Input Parameter

Required/Optional

Description

Example

Team ID

Required

The ID of the team to retrieve members from. Team IDs can be obtained using the List Teams command.

*****

User Name Or Email

Optional

The user display name or email to filter team members by. If this parameter is not defined, all members of the specified team will be returned.

*****@*****.*****.com

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@odata.context": "https://graph.microsoft.com/v*.*/*****",
    "@odata.count": 1,
    "value": [
        {
            "@odata.type": "#microsoft.graph.aadUserConversationMember",
            "id": "*****
            "roles": [
                "owner"
            ],
            "displayName": "*****",
            "visibleHistoryStartDateTime": "0001-01-01T00:00:00Z",
            "userId": "*****",
            "email": "*****@*****.*****.com",
            "tenantId": "*****"
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "UserIDs": "\"[ \\\"*****\\\" ]\"",
    "UserNames": "\"[ \\\"*****\\\" ]\"",
    "UserEmails": "\"[ \\\"*****@*****.*****.com\\\" ]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@odata.context

https://graph.microsoft.com/v*.*/*****

@odata.count

1

value

  • {'@odata.type': '#microsoft.graph.aadUserConversationMember', 'id': '*****', 'roles': ['owner'], 'displayName': '*****', 'visibleHistoryStartDateTime': '0001-01-01T00:00:00Z', 'userId': '*****', 'email': '*****@*****.*****.com', 'tenantId': '*****'}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Team Members failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: teamId needs to be a valid GUID.

Error Sample Data

List Team Members failed.

Status Code: 400.

Message: teamId needs to be a valid GUID.

List Teams

Retrieves a list of all existing teams in Microsoft Teams.

READER NOTE

When inputting Team Names, the full name must be entered otherwise success with no result will be returned.

Input

Input Parameter

Required/Optional

Description

Example

Team Names

Optional

The name(s) of the team(s) to retrieve.

[

"*****",

"*****"

]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@odata.context": "https://graph.microsoft.com/v*.*/***",
    "value": [
        {
            "id": "*****",
            "deletedDateTime": null,
            "classification": null,
            "createdDateTime": "2023-03-15T19:34:58Z",
            "creationOptions": [
                "Team",
                "ExchangeProvisioningFlags:3552"
            ],
            "description": "My Sample Team's Description",
            "displayName": "*****",
            "expirationDateTime": null,
            "groupTypes": [
                "Unified"
            ],
            "isAssignableToRole": null,
            "mail": "*****@*****.com",
            "mailEnabled": true,
            "mailNickname": "My315Team",
            "membershipRule": null,
            "membershipRuleProcessingState": null,
            "onPremisesDomainName": null,
            "onPremisesLastSyncDateTime": null,
            "onPremisesNetBiosName": null,
            "onPremisesSamAccountName": null,
            "onPremisesSecurityIdentifier": null,
            "onPremisesSyncEnabled": null,
            "preferredDataLocation": null,
            "preferredLanguage": null,
            "proxyAddresses": [
                "smtp:*****@*****.*****.com",
                "SMTP:*****@*****.com"
            ],
            "renewedDateTime": "2023-03-15T19:34:58Z",
            "resourceBehaviorOptions": [
                "HideGroupInOutlook",
                "SubscribeMembersToCalendarEventsDisabled",
                "WelcomeEmailDisabled"
            ],
            "resourceProvisioningOptions": [
                "Team"
            ],
            "securityEnabled": false,
            "securityIdentifier": "*****",
            "theme": null,
            "visibility": "Public",
            "onPremisesProvisioningErrors": []
        }
    ]
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
No Sample Data
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "TeamIDs": "\"[\\\"*****\\\"]\"",
    "TeamNames": "\"[ \\\"*****\\\" ]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@odata.context

https://graph.microsoft.com/v*.*/***

value

  • {'id': '*****', 'deletedDateTime': None, 'classification': None, 'createdDateTime': '2023-03-15T19:34:58Z', 'creationOptions': ['Team', 'ExchangeProvisioningFlags:3552'], 'description': "My Sample Team's Description", 'displayName': '*****', 'expirationDateTime': None, 'groupTypes': ['Unified'], 'isAssignableToRole': None, 'mail': '*****@*****.com', 'mailEnabled': True, 'mailNickname': 'My315Team', 'membershipRule': None, 'membershipRuleProcessingState': None, 'onPremisesDomainName': None, 'onPremisesLastSyncDateTime': None, 'onPremisesNetBiosName': None, 'onPremisesSamAccountName': None, 'onPremisesSecurityIdentifier': None, 'onPremisesSyncEnabled': None, 'preferredDataLocation': None, 'preferredLanguage': None, 'proxyAddresses': ['smtp:*****@*****.*****.com', 'SMTP:*****@*****.com'], 'renewedDateTime': '2023-03-15T19:34:58Z', 'resourceBehaviorOptions': ['HideGroupInOutlook', 'SubscribeMembersToCalendarEventsDisabled', 'WelcomeEmailDisabled'], 'resourceProvisioningOptions': ['Team'], 'securityEnabled': False, 'securityIdentifier': '*****', 'theme': None, 'visibility': 'Public', 'onPremisesProvisioningErrors': []}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Teams failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: unauthorized_client.

Error Sample Data

List Teams failed.

Status Code: 400.

Message: unauthorized_client.

List Teams (Deprecated)

Retrieves a list of all existing teams in Microsoft Teams.

READER NOTE

This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h ofConfiguring D3 SOAR to Work with Microsoft Teams for connection configuration instructions.

Input

N/A

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@odata.context": "https://graph.microsoft.com/*****",
    "value": [
        {
            "@odata.id": "https://graph.microsoft.com/v***/*****",
            "id": "*****",
            "deletedDateTime": null,
            "classification": null,
            "createdDateTime": "2020-12-11T21:55:30Z",
            "createdByAppId": "*****",
            "organizationId": "*****",
            "description": "D3DevCyber",
            "displayName": "*****",
            "expirationDateTime": null,
            "groupTypes": [
                "Unified"
            ],
            "infoCatalogs": [],
            "isAssignableToRole": null,
            "isManagementRestricted": null,
            "mail": "****@*****.*****.com",
            "mailEnabled": true,
            "mailNickname": "*****",
            "membershipRule": null,
            "membershipRuleProcessingState": null,
            "onPremisesDomainName": null,
            "onPremisesLastSyncDateTime": null,
            "onPremisesNetBiosName": null,
            "onPremisesSamAccountName": null,
            "onPremisesSecurityIdentifier": null,
            "onPremisesSyncEnabled": null,
            "preferredDataLocation": null,
            "preferredLanguage": null,
            "proxyAddresses": [
                "SMTP:****@*****.*****.com",
                "SPO:SPO_*****"
            ],
            "renewedDateTime": "2020-12-11T21:55:30Z",
            "resourceBehaviorOptions": [
                "HideGroupInOutlook",
                "SubscribeMembersToCalendarEventsDisabled",
                "WelcomeEmailDisabled"
            ],
            "resourceProvisioningOptions": [
                "Team"
            ],
            "securityEnabled": false,
            "securityIdentifier": "*****",
            "theme": null,
            "visibility": "Public",
            "writebackConfiguration": {
                "isEnabled": null,
                "onPremisesGroupType": null
            },
            "onPremisesProvisioningErrors": []
        },
        {
            "@odata.id": "https://graph.microsoft.com/v***/*****",
            "id": "*****",
            "deletedDateTime": null,
            "classification": null,
            "createdDateTime": "2021-04-17T01:44:01Z",
            "createdByAppId": "*****",
            "organizationId": "*****",
            "description": "My Sample Team’s Description",
            "displayName": "*****",
            "expirationDateTime": null,
            "groupTypes": [
                "Unified"
            ],
            "infoCatalogs": [],
            "isAssignableToRole": null,
            "isManagementRestricted": null,
            "mail": "*****@*****.com",
            "mailEnabled": true,
            "mailNickname": "*****",
            "membershipRule": null,
            "membershipRuleProcessingState": null,
            "onPremisesDomainName": null,
            "onPremisesLastSyncDateTime": null,
            "onPremisesNetBiosName": null,
            "onPremisesSamAccountName": null,
            "onPremisesSecurityIdentifier": null,
            "onPremisesSyncEnabled": null,
            "preferredDataLocation": null,
            "preferredLanguage": null,
            "proxyAddresses": [
                "SPO:SPO_*****",
                "SMTP:*****@*****.com",
                "smtp:****@*****.*****.com"
            ],
            "renewedDateTime": "2021-04-17T01:44:01Z",
            "resourceBehaviorOptions": [
                "HideGroupInOutlook",
                "SubscribeMembersToCalendarEventsDisabled",
                "WelcomeEmailDisabled"
            ],
            "resourceProvisioningOptions": [
                "Team"
            ],
            "securityEnabled": false,
            "securityIdentifier": "*****
            "theme": null,
            "visibility": "Public",
            "writebackConfiguration": {
                "isEnabled": null,
                "onPremisesGroupType": null
            },
            "onPremisesProvisioningErrors": []
        },
        {
            "@odata.id": "https://graph.microsoft.com/v***/*****",
            "id": "*****",
            "deletedDateTime": null,
            "classification": null,
            "createdDateTime": "2021-04-17T01:43:54Z",
            "createdByAppId": "*****",
            "organizationId": "*****",
            "description": "My Sample Team’s Description",
            "displayName": "*****",
            "expirationDateTime": null,
            "groupTypes": [
                "Unified"
            ],
            "infoCatalogs": [],
            "isAssignableToRole": null,
            "isManagementRestricted": null,
            "mail": "*****@*****.com",
            "mailEnabled": true,
            "mailNickname": "MySampleTeam1",
            "membershipRule": null,
            "membershipRuleProcessingState": null,
            "onPremisesDomainName": null,
            "onPremisesLastSyncDateTime": null,
            "onPremisesNetBiosName": null,
            "onPremisesSamAccountName": null,
            "onPremisesSecurityIdentifier": null,
            "onPremisesSyncEnabled": null,
            "preferredDataLocation": null,
            "preferredLanguage": null,
            "proxyAddresses": [
                "SPO:SPO_*****",
                "SMTP:*****@*****.com",
                "smtp:****@*****.*****.com"
            ],
            "renewedDateTime": "2021-04-17T01:43:54Z",
            "resourceBehaviorOptions": [
                "HideGroupInOutlook",
                "SubscribeMembersToCalendarEventsDisabled",
                "WelcomeEmailDisabled"
            ],
            "resourceProvisioningOptions": [
                "Team"
            ],
            "securityEnabled": false,
            "securityIdentifier": "*****
            "theme": null,
            "visibility": "Public",
            "writebackConfiguration": {
                "isEnabled": null,
                "onPremisesGroupType": null
            },
            "onPremisesProvisioningErrors": []
        },
        {
            "@odata.id": "https://graph.microsoft.com/v***/*****",
            "id": "*****",
            "deletedDateTime": null,
            "classification": null,
            "createdDateTime": "2021-04-22T19:00:52Z",
            "createdByAppId": "*****",
            "organizationId": "*****",
            "description": "*****",
            "displayName": "*****",
            "expirationDateTime": null,
            "groupTypes": [
                "Unified"
            ],
            "infoCatalogs": [],
            "isAssignableToRole": null,
            "isManagementRestricted": null,
            "mail": "*****@*****.com",
            "mailEnabled": true,
            "mailNickname": "*****",
            "membershipRule": null,
            "membershipRuleProcessingState": null,
            "onPremisesDomainName": null,
            "onPremisesLastSyncDateTime": null,
            "onPremisesNetBiosName": null,
            "onPremisesSamAccountName": null,
            "onPremisesSecurityIdentifier": null,
            "onPremisesSyncEnabled": null,
            "preferredDataLocation": null,
            "preferredLanguage": null,
            "proxyAddresses": [
                "SPO:SPO_*****",
                "SMTP:*****@*****.com",
                "smtp:*****@*****.*****.com"
            ],
            "renewedDateTime": "2021-04-22T19:00:52Z",
            "resourceBehaviorOptions": [
                "HideGroupInOutlook",
                "SubscribeMembersToCalendarEventsDisabled",
                "WelcomeEmailDisabled"
            ],
            "resourceProvisioningOptions": [
                "Team"
            ],
            "securityEnabled": false,
            "securityIdentifier": "*****",
            "theme": null,
            "visibility": "Public",
            "writebackConfiguration": {
                "isEnabled": null,
                "onPremisesGroupType": null
            },
            "onPremisesProvisioningErrors": []
        }
    ]
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
{
    "@odata.context": "https://graph.microsoft.com/*****",
    "value": [
        {
            "@odata.id": "https://graph.microsoft.com/v***/*****",
            "id": "*****",
            "deletedDateTime": null,
            "classification": null,
            "createdDateTime": "2020-12-11T21:55:30Z",
            "createdByAppId": "*****",
            "organizationId": "*****",
            "description": "D3DevCyber",
            "displayName": "*****",
            "expirationDateTime": null,
            "groupTypes": [
                "Unified"
            ],
            "infoCatalogs": [],
            "isAssignableToRole": null,
            "isManagementRestricted": null,
            "mail": "****@*****.*****.com",
            "mailEnabled": true,
            "mailNickname": "*****",
            "membershipRule": null,
            "membershipRuleProcessingState": null,
            "onPremisesDomainName": null,
            "onPremisesLastSyncDateTime": null,
            "onPremisesNetBiosName": null,
            "onPremisesSamAccountName": null,
            "onPremisesSecurityIdentifier": null,
            "onPremisesSyncEnabled": null,
            "preferredDataLocation": null,
            "preferredLanguage": null,
            "proxyAddresses": [
                "SMTP:****@*****.*****.com",
                "SPO:SPO_*****"
            ],
            "renewedDateTime": "2020-12-11T21:55:30Z",
            "resourceBehaviorOptions": [
                "HideGroupInOutlook",
                "SubscribeMembersToCalendarEventsDisabled",
                "WelcomeEmailDisabled"
            ],
            "resourceProvisioningOptions": [
                "Team"
            ],
            "securityEnabled": false,
            "securityIdentifier": "*****",
            "theme": null,
            "visibility": "Public",
            "writebackConfiguration": {
                "isEnabled": null,
                "onPremisesGroupType": null
            },
            "onPremisesProvisioningErrors": []
        },
        {
            "@odata.id": "https://graph.microsoft.com/v***/*****",
            "id": "*****",
            "deletedDateTime": null,
            "classification": null,
            "createdDateTime": "2021-04-17T01:44:01Z",
            "createdByAppId": "*****",
            "organizationId": "*****",
            "description": "My Sample Team’s Description",
            "displayName": "*****",
            "expirationDateTime": null,
            "groupTypes": [
                "Unified"
            ],
            "infoCatalogs": [],
            "isAssignableToRole": null,
            "isManagementRestricted": null,
            "mail": "*****@*****.com",
            "mailEnabled": true,
            "mailNickname": "*****",
            "membershipRule": null,
            "membershipRuleProcessingState": null,
            "onPremisesDomainName": null,
            "onPremisesLastSyncDateTime": null,
            "onPremisesNetBiosName": null,
            "onPremisesSamAccountName": null,
            "onPremisesSecurityIdentifier": null,
            "onPremisesSyncEnabled": null,
            "preferredDataLocation": null,
            "preferredLanguage": null,
            "proxyAddresses": [
                "SPO:SPO_*****",
                "SMTP:*****@*****.com",
                "smtp:****@*****.*****.com"
            ],
            "renewedDateTime": "2021-04-17T01:44:01Z",
            "resourceBehaviorOptions": [
                "HideGroupInOutlook",
                "SubscribeMembersToCalendarEventsDisabled",
                "WelcomeEmailDisabled"
            ],
            "resourceProvisioningOptions": [
                "Team"
            ],
            "securityEnabled": false,
            "securityIdentifier": "*****
            "theme": null,
            "visibility": "Public",
            "writebackConfiguration": {
                "isEnabled": null,
                "onPremisesGroupType": null
            },
            "onPremisesProvisioningErrors": []
        },
        {
            "@odata.id": "https://graph.microsoft.com/v***/*****",
            "id": "*****",
            "deletedDateTime": null,
            "classification": null,
            "createdDateTime": "2021-04-17T01:43:54Z",
            "createdByAppId": "*****",
            "organizationId": "*****",
            "description": "My Sample Team’s Description",
            "displayName": "*****",
            "expirationDateTime": null,
            "groupTypes": [
                "Unified"
            ],
            "infoCatalogs": [],
            "isAssignableToRole": null,
            "isManagementRestricted": null,
            "mail": "*****@*****.com",
            "mailEnabled": true,
            "mailNickname": "MySampleTeam1",
            "membershipRule": null,
            "membershipRuleProcessingState": null,
            "onPremisesDomainName": null,
            "onPremisesLastSyncDateTime": null,
            "onPremisesNetBiosName": null,
            "onPremisesSamAccountName": null,
            "onPremisesSecurityIdentifier": null,
            "onPremisesSyncEnabled": null,
            "preferredDataLocation": null,
            "preferredLanguage": null,
            "proxyAddresses": [
                "SPO:SPO_*****",
                "SMTP:*****@*****.com",
                "smtp:****@*****.*****.com"
            ],
            "renewedDateTime": "2021-04-17T01:43:54Z",
            "resourceBehaviorOptions": [
                "HideGroupInOutlook",
                "SubscribeMembersToCalendarEventsDisabled",
                "WelcomeEmailDisabled"
            ],
            "resourceProvisioningOptions": [
                "Team"
            ],
            "securityEnabled": false,
            "securityIdentifier": "*****
            "theme": null,
            "visibility": "Public",
            "writebackConfiguration": {
                "isEnabled": null,
                "onPremisesGroupType": null
            },
            "onPremisesProvisioningErrors": []
        },
        {
            "@odata.id": "https://graph.microsoft.com/v***/*****",
            "id": "*****",
            "deletedDateTime": null,
            "classification": null,
            "createdDateTime": "2021-04-22T19:00:52Z",
            "createdByAppId": "*****",
            "organizationId": "*****",
            "description": "*****",
            "displayName": "*****",
            "expirationDateTime": null,
            "groupTypes": [
                "Unified"
            ],
            "infoCatalogs": [],
            "isAssignableToRole": null,
            "isManagementRestricted": null,
            "mail": "*****@*****.com",
            "mailEnabled": true,
            "mailNickname": "*****",
            "membershipRule": null,
            "membershipRuleProcessingState": null,
            "onPremisesDomainName": null,
            "onPremisesLastSyncDateTime": null,
            "onPremisesNetBiosName": null,
            "onPremisesSamAccountName": null,
            "onPremisesSecurityIdentifier": null,
            "onPremisesSyncEnabled": null,
            "preferredDataLocation": null,
            "preferredLanguage": null,
            "proxyAddresses": [
                "SPO:SPO_*****",
                "SMTP:*****@*****.com",
                "smtp:*****@*****.*****.com"
            ],
            "renewedDateTime": "2021-04-22T19:00:52Z",
            "resourceBehaviorOptions": [
                "HideGroupInOutlook",
                "SubscribeMembersToCalendarEventsDisabled",
                "WelcomeEmailDisabled"
            ],
            "resourceProvisioningOptions": [
                "Team"
            ],
            "securityEnabled": false,
            "securityIdentifier": "*****",
            "theme": null,
            "visibility": "Public",
            "writebackConfiguration": {
                "isEnabled": null,
                "onPremisesGroupType": null
            },
            "onPremisesProvisioningErrors": []
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "TeamIDs": "\"[\\\"*****\\\",\\\"*****\\\",\\\"*****\\\",\\\"*****\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@odata.context

https://graph.microsoft.com/*****

value

  • {

    ";@odata.id";: ";https://graph.microsoft.com/v***/*****";,

    ";id";: ";*****";,

    ";deletedDateTime";: null,

    ";classification";: null,

    ";createdDateTime";: ";2020-12-11T21:55:30Z";,

    ";createdByAppId";: ";*****";,

    ";organizationId";: ";*****";,

    ";description";: ";D3DevCyber";,

    ";displayName";: ";*****";,

    ";expirationDateTime";: null,

    ";groupTypes";: [

    ";Unified";

    ],

    ";infoCatalogs";: [],

    ";isAssignableToRole";: null,

    ";isManagementRestricted";: null,

    ";mail";: ";****@*****.*****.com";,

    ";mailEnabled";: true,

    ";mailNickname";: ";*****";,

    ";membershipRule";: null,

    ";membershipRuleProcessingState";: null,

    ";onPremisesDomainName";: null,

    ";onPremisesLastSyncDateTime";: null,

    ";onPremisesNetBiosName";: null,

    ";onPremisesSamAccountName";: null,

    ";onPremisesSecurityIdentifier";: null,

    ";onPremisesSyncEnabled";: null,

    ";preferredDataLocation";: null,

    ";preferredLanguage";: null,

    ";proxyAddresses";: [

    ";SMTP:****@*****.*****.com";,

    ";SPO:SPO_*****";

    ],

    ";renewedDateTime";: ";2020-12-11T21:55:30Z";,

    ";resourceBehaviorOptions";: [

    ";HideGroupInOutlook";,

    ";SubscribeMembersToCalendarEventsDisabled";,

    ";WelcomeEmailDisabled";

    ],

    ";resourceProvisioningOptions";: [

    ";Team";

    ],

    ";securityEnabled";: false,

    ";securityIdentifier";: ";*****";,

    ";theme";: null,

    ";visibility";: ";Public";,

    ";writebackConfiguration";: {

    ";isEnabled";: null,

    ";onPremisesGroupType";: null

    },

    ";onPremisesProvisioningErrors";: []

    }

  • {

    ";@odata.id";: ";https://graph.microsoft.com/v***/*****";,

    ";id";: ";*****";,

    ";deletedDateTime";: null,

    ";classification";: null,

    ";createdDateTime";: ";2021-04-17T01:44:01Z";,

    ";createdByAppId";: ";*****";,

    ";organizationId";: ";*****";,

    ";description";: ";My Sample Team’s Description";,

    ";displayName";: ";*****";,

    ";expirationDateTime";: null,

    ";groupTypes";: [

    ";Unified";

    ],

    ";infoCatalogs";: [],

    ";isAssignableToRole";: null,

    ";isManagementRestricted";: null,

    ";mail";: ";*****@*****.com";,

    ";mailEnabled";: true,

    ";mailNickname";: ";*****";,

    ";membershipRule";: null,

    ";membershipRuleProcessingState";: null,

    ";onPremisesDomainName";: null,

    ";onPremisesLastSyncDateTime";: null,

    ";onPremisesNetBiosName";: null,

    ";onPremisesSamAccountName";: null,

    ";onPremisesSecurityIdentifier";: null,

    ";onPremisesSyncEnabled";: null,

    ";preferredDataLocation";: null,

    ";preferredLanguage";: null,

    ";proxyAddresses";: [

    ";SPO:SPO_*****";,

    ";SMTP:*****@*****.com";,

    ";smtp:****@*****.*****.com";

    ],

    ";renewedDateTime";: ";2021-04-17T01:44:01Z";,

    ";resourceBehaviorOptions";: [

    ";HideGroupInOutlook";,

    ";SubscribeMembersToCalendarEventsDisabled";,

    ";WelcomeEmailDisabled";

    ],

    ";resourceProvisioningOptions";: [

    ";Team";

    ],

    ";securityEnabled";: false,

    ";securityIdentifier";: ";*****";,

    ";theme";: null,

    ";visibility";: ";Public";,

    ";writebackConfiguration";: {

    ";isEnabled";: null,

    ";onPremisesGroupType";: null

    },

    ";onPremisesProvisioningErrors";: []

    }

  • {

    ";@odata.id";: ";https://graph.microsoft.com/v***/*****";,

    ";id";: ";*****";,

    ";deletedDateTime";: null,

    ";classification";: null,

    ";createdDateTime";: ";2021-04-17T01:43:54Z";,

    ";createdByAppId";: ";*****";,

    ";organizationId";: ";*****";,

    ";description";: ";My Sample Team’s Description";,

    ";displayName";: ";*****";,

    ";expirationDateTime";: null,

    ";groupTypes";: [

    ";Unified";

    ],

    ";infoCatalogs";: [],

    ";isAssignableToRole";: null,

    ";isManagementRestricted";: null,

    ";mail";: ";*****@*****.com";,

    ";mailEnabled";: true,

    ";mailNickname";: ";MySampleTeam1";,

    ";membershipRule";: null,

    ";membershipRuleProcessingState";: null,

    ";onPremisesDomainName";: null,

    ";onPremisesLastSyncDateTime";: null,

    ";onPremisesNetBiosName";: null,

    ";onPremisesSamAccountName";: null,

    ";onPremisesSecurityIdentifier";: null,

    ";onPremisesSyncEnabled";: null,

    ";preferredDataLocation";: null,

    ";preferredLanguage";: null,

    ";proxyAddresses";: [

    ";SPO:SPO_*****";,

    ";SMTP:*****@*****.com";,

    ";smtp:****@*****.*****.com";

    ],

    ";renewedDateTime";: ";2021-04-17T01:43:54Z";,

    ";resourceBehaviorOptions";: [

    ";HideGroupInOutlook";,

    ";SubscribeMembersToCalendarEventsDisabled";,

    ";WelcomeEmailDisabled";

    ],

    ";resourceProvisioningOptions";: [

    ";Team";

    ],

    ";securityEnabled";: false,

    ";securityIdentifier";: ";*****";,

    ";theme";: null,

    ";visibility";: ";Public";,

    ";writebackConfiguration";: {

    ";isEnabled";: null,

    ";onPremisesGroupType";: null

    },

    ";onPremisesProvisioningErrors";: []

    }

  • {

    ";@odata.id";: ";https://graph.microsoft.com/v***/*****";,

    ";id";: ";*****";,

    ";deletedDateTime";: null,

    ";classification";: null,

    ";createdDateTime";: ";2021-04-22T19:00:52Z";,

    ";createdByAppId";: ";*****";,

    ";organizationId";: ";*****";,

    ";description";: ";*****";,

    ";displayName";: ";*****";,

    ";expirationDateTime";: null,

    ";groupTypes";: [

    ";Unified";

    ],

    ";infoCatalogs";: [],

    ";isAssignableToRole";: null,

    ";isManagementRestricted";: null,

    ";mail";: ";*****@*****.com";,

    ";mailEnabled";: true,

    ";mailNickname";: ";*****";,

    ";membershipRule";: null,

    ";membershipRuleProcessingState";: null,

    ";onPremisesDomainName";: null,

    ";onPremisesLastSyncDateTime";: null,

    ";onPremisesNetBiosName";: null,

    ";onPremisesSamAccountName";: null,

    ";onPremisesSecurityIdentifier";: null,

    ";onPremisesSyncEnabled";: null,

    ";preferredDataLocation";: null,

    ";preferredLanguage";: null,

    ";proxyAddresses";: [

    ";SPO:SPO_*****";,

    ";SMTP:*****@*****.com";,

    ";smtp:*****@*****.*****.com";

    ],

    ";renewedDateTime";: ";2021-04-22T19:00:52Z";,

    ";resourceBehaviorOptions";: [

    ";HideGroupInOutlook";,

    ";SubscribeMembersToCalendarEventsDisabled";,

    ";WelcomeEmailDisabled";

    ],

    ";resourceProvisioningOptions";: [

    ";Team";

    ],

    ";securityEnabled";: false,

    ";securityIdentifier";: ";*****";,

    ";theme";: null,

    ";visibility";: ";Public";,

    ";writebackConfiguration";: {

    ";isEnabled";: null,

    ";onPremisesGroupType";: null

    },

    ";onPremisesProvisioningErrors";: []

    }

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Teams failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: unauthorized_client.

Error Sample Data

List Teams failed.

Status Code: 400.

Message: unauthorized_client.

List Team Tags

Retrieves a list of all existing Tag Groups in the specified team.

READER NOTE

Team ID or Team Name is a required parameter to run this command.

  • Run the List Teams command to obtain Team ID or Team Name. Team IDs can be found at the path $.value[*].id. Team Name can be found at the path $.value[*].displayName.

  • This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration.

Input

Input Parameter

Required/Optional

Description

Example

Team ID or Team Name

Required

The ID of the team that the channel belongs to. Team IDs and Team Names can be obtained using the List Teams command.

*****

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@odata.context": "https://graph.microsoft.com/v*.*/***",
    "@odata.count": 2,
    "value": [
        {
            "id": "*****",
            "teamId": "*****",
            "displayName": "*****",
            "description": null,
            "memberCount": 2,
            "tagType": "standard"
        },
        {
            "id": "*****",
            "teamId": "*****",
            "displayName": "*****",
            "description": null,
            "memberCount": 1,
            "tagType": "standard"
        }
    ]
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
{
    "@odata.context": "https://graph.microsoft.com/v*.*/***",
    "@odata.count": 2,
    "value": [
        {
            "id": "*****",
            "teamId": "*****",
            "displayName": "*****",
            "description": null,
            "memberCount": 2,
            "tagType": "standard"
        },
        {
            "id": "*****",
            "teamId": "*****",
            "displayName": "*****",
            "description": null,
            "memberCount": 1,
            "tagType": "standard"
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "TagIDs": "\"[\\\"*****\\\",\\r\\n        \\\"*****\\\"]\"",
    "TagsGroupNames": "\"[\\\"d3support\\\",\\\"*****\\\"]\"",
    "MembersCounts": "\"[2,1]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@odata.context

https://graph.microsoft.com/***

@odata.count

10

value

  • {

    "id": "*****@*****.***",

    "createdDateTime": "2020-12-11T21:55:34.03Z",

    "displayName": "*****",

    "description": "D3DevCyber",

    "isFavoriteByDefault": null,

    "email": "",

    "webUrl": "https://teams.microsoft.com/l/*****",

    "membershipType": "standard",

    "moderationSettings": null

    }

  • {

    "id": "*****",

    "createdDateTime": "2021-04-07T17:26:19.833Z",

    "displayName": "*****",

    "description": null,

    "isFavoriteByDefault": false,

    "email": "",

    "webUrl": "https://teams.microsoft.com/***",

    "membershipType": "standard",

    "moderationSettings": {

    "userNewMessageRestriction": "everyone",

    "replyRestriction": "everyone",

    "allowNewMessageFromBots": true,

    "allowNewMessageFromConnectors": true

    }

    }

  • {

    "id": "*****",

    "createdDateTime": "2021-09-20T23:29:08.731Z",

    "displayName": "*****",

    "description": null,

    "isFavoriteByDefault": false,

    "email": "",

    "webUrl": "https://teams.microsoft.com/*****

    "membershipType": "standard",

    "moderationSettings": {

    "userNewMessageRestriction": "everyone",

    "replyRestriction": "everyone",

    "allowNewMessageFromBots": true,

    "allowNewMessageFromConnectors": true

    }

    }

  • {

    "id": "*****",

    "createdDateTime": "2021-04-07T17:08:53.571Z",

    "displayName": "*****",

    "description": null,

    "isFavoriteByDefault": null,

    "email": "",

    "webUrl": "https://teams.microsoft.com/*****",

    "membershipType": "private",

    "moderationSettings": null

    }

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Team Tags failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: does not exist.

Error Sample Data

List Team Tags failed.

Status Code: 404.

Message: does not exist.

List Users

Retrieves a list of all users in Microsoft Teams.

READER NOTE

This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h ofConfiguring D3 SOAR to Work with Microsoft Teams for connection configuration instructions.

Input

N/A

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@odata.context": "https://graph.microsoft.com/*****",
    "@odata.nextLink": "https://graph.microsoft.com/*****",
    "value": [
        {
            "@odata.id": "https://graph.microsoft.com/v***/*****,
            "id": "*****",
            "deletedDateTime": null,
            "accountEnabled": true,
            "ageGroup": null,
            "businessPhones": [],
            "city": null,
            "createdDateTime": "2021-06-02T07:46:05Z",
            "creationType": null,
            "companyName": null,
            "consentProvidedForMinor": null,
            "country": null,
            "department": null,
            "displayName": "*****",
            "employeeId": null,
            "employeeHireDate": null,
            "employeeType": null,
            "faxNumber": null,
            "givenName": "***",
            "imAddresses": [],
            "infoCatalogs": [],
            "isManagementRestricted": null,
            "isResourceAccount": null,
            "jobTitle": null,
            "legalAgeGroupClassification": null,
            "mail": null,
            "mailNickname": "***",
            "mobilePhone": null,
            "onPremisesDistinguishedName": "CN=1,CN=Users,DC=d3cyberlab,DC=local",
            "officeLocation": null,
            "onPremisesDomainName": "***.***",
            "onPremisesImmutableId": "*****",
            "onPremisesLastSyncDateTime": "2021-06-16T20:27:47Z",
            "onPremisesSecurityIdentifier": "*****",
            "onPremisesSamAccountName": "***",
            "onPremisesSyncEnabled": true,
            "onPremisesUserPrincipalName": "*****@***.***",
            "otherMails": [],
            "passwordPolicies": "DisablePasswordExpiration",
            "postalCode": null,
            "preferredDataLocation": null,
            "preferredLanguage": null,
            "proxyAddresses": [],
            "refreshTokensValidFromDateTime": "2021-01-12T02:25:22Z",
            "showInAddressList": null,
            "signInSessionsValidFromDateTime": "2021-01-12T02:25:22Z",
            "state": null,
            "streetAddress": null,
            "surname": null,
            "usageLocation": null,
            "userPrincipalName": "*****@***.***.com",
            "externalUserState": null,
            "externalUserStateChangeDateTime": null,
            "userType": "Member",
            "employeeOrgData": null,
            "passwordProfile": null,
            "assignedLicenses": [],
            "assignedPlans": [],
            "deviceKeys": [],
            "identities": [
                {
                    "signInType": "userPrincipalName",
                    "issuer": "*****@*****.*****.com",
                    "issuerAssignedId": "*****@***.***.com"
                }
            ],
            "onPremisesExtensionAttributes": {
                "extensionAttribute1": null,
                "extensionAttribute2": null,
                "extensionAttribute3": null,
                "extensionAttribute4": null,
                "extensionAttribute5": null,
                "extensionAttribute6": null,
                "extensionAttribute7": null,
                "extensionAttribute8": null,
                "extensionAttribute9": null,
                "extensionAttribute10": null,
                "extensionAttribute11": null,
                "extensionAttribute12": null,
                "extensionAttribute13": null,
                "extensionAttribute14": null,
                "extensionAttribute15": null
            },
            "onPremisesProvisioningErrors": [],
            "provisionedPlans": []
        },
        {
            "@odata.id": "https://graph.microsoft.com/v***/*****",
            "id": "*****",
            "deletedDateTime": null,
            "accountEnabled": true,
            "ageGroup": null,
            "businessPhones": [],
            "city": null,
            "createdDateTime": "2021-06-02T06:46:12Z",
            "creationType": null,
            "companyName": null,
            "consentProvidedForMinor": null,
            "country": null,
            "department": null,
            "displayName": "***",
            "employeeId": null,
            "employeeHireDate": null,
            "employeeType": null,
            "faxNumber": null,
            "givenName": "10",
            "imAddresses": [],
            "infoCatalogs": [],
            "isManagementRestricted": null,
            "isResourceAccount": null,
            "jobTitle": null,
            "legalAgeGroupClassification": null,
            "mail": null,
            "mailNickname": "***",
            "mobilePhone": null,
            "onPremisesDistinguishedName": "CN=10,CN=Users,DC=d3cyberlab,DC=local",
            "officeLocation": null,
            "onPremisesDomainName": "***.***",
            "onPremisesImmutableId": "*****",
            "onPremisesLastSyncDateTime": "2021-09-22T23:05:24Z",
            "onPremisesSecurityIdentifier": "*****",
            "onPremisesSamAccountName": "***",
            "onPremisesSyncEnabled": true,
            "onPremisesUserPrincipalName": "***@***.***",
            "otherMails": [],
            "passwordPolicies": "DisablePasswordExpiration",
            "postalCode": null,
            "preferredDataLocation": null,
            "preferredLanguage": null,
            "proxyAddresses": [],
            "refreshTokensValidFromDateTime": "2021-09-22T22:30:21Z",
            "showInAddressList": null,
            "signInSessionsValidFromDateTime": "2021-09-22T22:30:21Z",
            "state": null,
            "streetAddress": null,
            "surname": null,
            "usageLocation": null,
            "userPrincipalName": "***@***.***.com",
            "externalUserState": null,
            "externalUserStateChangeDateTime": null,
            "userType": "Member",
            "employeeOrgData": null,
            "passwordProfile": null,
            "assignedLicenses": [],
            "assignedPlans": [],
            "deviceKeys": [],
            "identities": [
                {
                    "signInType": "userPrincipalName",
                    "issuer": "*****@*****.*****.com",
                    "issuerAssignedId": "***@***.***.com"
                }
            ],
            "onPremisesExtensionAttributes": {
                "extensionAttribute1": null,
                "extensionAttribute2": null,
                "extensionAttribute3": null,
                "extensionAttribute4": null,
                "extensionAttribute5": null,
                "extensionAttribute6": null,
                "extensionAttribute7": null,
                "extensionAttribute8": null,
                "extensionAttribute9": null,
                "extensionAttribute10": null,
                "extensionAttribute11": null,
                "extensionAttribute12": null,
                "extensionAttribute13": null,
                "extensionAttribute14": null,
                "extensionAttribute15": null
            },
            "onPremisesProvisioningErrors": [],
            "provisionedPlans": []
        },
        {
            "@odata.id": "https://graph.microsoft.com/v***/*****",
            "id": "*****",
            "deletedDateTime": null,
            "accountEnabled": true,
            "ageGroup": null,
            "businessPhones": [],
            "city": null,
            "createdDateTime": "2021-06-02T06:46:12Z",
            "creationType": null,
            "companyName": null,
            "consentProvidedForMinor": null,
            "country": null,
            "department": null,
            "displayName": "11",
            "employeeId": null,
            "employeeHireDate": null,
            "employeeType": null,
            "faxNumber": null,
            "givenName": "11",
            "imAddresses": [],
            "infoCatalogs": [],
            "isManagementRestricted": null,
            "isResourceAccount": null,
            "jobTitle": null,
            "legalAgeGroupClassification": null,
            "mail": null,
            "mailNickname": "11",
            "mobilePhone": null,
            "onPremisesDistinguishedName": "CN=11,CN=Users,DC=d3cyberlab,DC=local",
            "officeLocation": null,
            "onPremisesDomainName": "***.***",
            "onPremisesImmutableId": "*****",
            "onPremisesLastSyncDateTime": "2021-06-16T20:27:47Z",
            "onPremisesSecurityIdentifier": "*****",
            "onPremisesSamAccountName": "11",
            "onPremisesSyncEnabled": true,
            "onPremisesUserPrincipalName": "*****@***.***",
            "otherMails": [],
            "passwordPolicies": "DisablePasswordExpiration",
            "postalCode": null,
            "preferredDataLocation": null,
            "preferredLanguage": null,
            "proxyAddresses": [],
            "refreshTokensValidFromDateTime": "2021-01-12T02:32:00Z",
            "showInAddressList": null,
            "signInSessionsValidFromDateTime": "2021-01-12T02:32:00Z",
            "state": null,
            "streetAddress": null,
            "surname": null,
            "usageLocation": null,
            "userPrincipalName": "*****@***.***.com",
            "externalUserState": null,
            "externalUserStateChangeDateTime": null,
            "userType": "Member",
            "employeeOrgData": null,
            "passwordProfile": null,
            "assignedLicenses": [],
            "assignedPlans": [],
            "deviceKeys": [],
            "identities": [
                {
                    "signInType": "userPrincipalName",
                    "issuer": "*****@*****.*****.com",
                    "issuerAssignedId": "*****@***.***.com"
                }
            ],
            "onPremisesExtensionAttributes": {
                "extensionAttribute1": null,
                "extensionAttribute2": null,
                "extensionAttribute3": null,
                "extensionAttribute4": null,
                "extensionAttribute5": null,
                "extensionAttribute6": null,
                "extensionAttribute7": null,
                "extensionAttribute8": null,
                "extensionAttribute9": null,
                "extensionAttribute10": null,
                "extensionAttribute11": null,
                "extensionAttribute12": null,
                "extensionAttribute13": null,
                "extensionAttribute14": null,
                "extensionAttribute15": null
            },
            "onPremisesProvisioningErrors": [],
            "provisionedPlans": []
        },
        {
            "@odata.id": "https://graph.microsoft.com/v***/*****",
            "id": "*****",
            "deletedDateTime": null,
            "accountEnabled": true,
            "ageGroup": null,
            "businessPhones": [],
            "city": null,
            "createdDateTime": "2021-06-02T06:46:12Z",
            "creationType": null,
            "companyName": null,
            "consentProvidedForMinor": null,
            "country": null,
            "department": null,
            "displayName": "***",
            "employeeId": null,
            "employeeHireDate": null,
            "employeeType": null,
            "faxNumber": null,
            "givenName": "***",
            "imAddresses": [],
            "infoCatalogs": [],
            "isManagementRestricted": null,
            "isResourceAccount": null,
            "jobTitle": null,
            "legalAgeGroupClassification": null,
            "mail": null,
            "mailNickname": "***",
            "mobilePhone": null,
            "onPremisesDistinguishedName": "CN=12,CN=Users,DC=d3cyberlab,DC=local",
            "officeLocation": null,
            "onPremisesDomainName": "***.***",
            "onPremisesImmutableId": "*****",
            "onPremisesLastSyncDateTime": "2021-06-16T20:27:47Z",
            "onPremisesSecurityIdentifier": "*****",
            "onPremisesSamAccountName": "***",
            "onPremisesSyncEnabled": true,
            "onPremisesUserPrincipalName": "*****@***.***",
            "otherMails": [],
            "passwordPolicies": "DisablePasswordExpiration",
            "postalCode": null,
            "preferredDataLocation": null,
            "preferredLanguage": null,
            "proxyAddresses": [],
            "refreshTokensValidFromDateTime": "2021-01-12T02:38:44Z",
            "showInAddressList": null,
            "signInSessionsValidFromDateTime": "2021-01-12T02:38:44Z",
            "state": null,
            "streetAddress": null,
            "surname": null,
            "usageLocation": null,
            "userPrincipalName": "*****@*****.*****.com",
            "externalUserState": null,
            "externalUserStateChangeDateTime": null,
            "userType": "Member",
            "employeeOrgData": null,
            "passwordProfile": null,
            "assignedLicenses": [],
            "assignedPlans": [],
            "deviceKeys": [],
            "identities": [
                {
                    "signInType": "userPrincipalName",
                    "issuer": "*****@*****.*****.com",
                    "issuerAssignedId": "*****@*****.*****.com"
                }
            ],
            "onPremisesExtensionAttributes": {
                "extensionAttribute1": null,
                "extensionAttribute2": null,
                "extensionAttribute3": null,
                "extensionAttribute4": null,
                "extensionAttribute5": null,
                "extensionAttribute6": null,
                "extensionAttribute7": null,
                "extensionAttribute8": null,
                "extensionAttribute9": null,
                "extensionAttribute10": null,
                "extensionAttribute11": null,
                "extensionAttribute12": null,
                "extensionAttribute13": null,
                "extensionAttribute14": null,
                "extensionAttribute15": null
            },
            "onPremisesProvisioningErrors": [],
            "provisionedPlans": []
        }
    ]
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
{
    "@odata.context": "https://graph.microsoft.com/*****",
    "@odata.nextLink": "https://graph.microsoft.com/*****",
    "value": [
        {
            "@odata.id": "https://graph.microsoft.com/v***/*****,
            "id": "*****",
            "deletedDateTime": null,
            "accountEnabled": true,
            "ageGroup": null,
            "businessPhones": [],
            "city": null,
            "createdDateTime": "2021-06-02T07:46:05Z",
            "creationType": null,
            "companyName": null,
            "consentProvidedForMinor": null,
            "country": null,
            "department": null,
            "displayName": "*****",
            "employeeId": null,
            "employeeHireDate": null,
            "employeeType": null,
            "faxNumber": null,
            "givenName": "***",
            "imAddresses": [],
            "infoCatalogs": [],
            "isManagementRestricted": null,
            "isResourceAccount": null,
            "jobTitle": null,
            "legalAgeGroupClassification": null,
            "mail": null,
            "mailNickname": "***",
            "mobilePhone": null,
            "onPremisesDistinguishedName": "CN=1,CN=Users,DC=d3cyberlab,DC=local",
            "officeLocation": null,
            "onPremisesDomainName": "***.***",
            "onPremisesImmutableId": "*****",
            "onPremisesLastSyncDateTime": "2021-06-16T20:27:47Z",
            "onPremisesSecurityIdentifier": "*****",
            "onPremisesSamAccountName": "***",
            "onPremisesSyncEnabled": true,
            "onPremisesUserPrincipalName": "*****@***.***",
            "otherMails": [],
            "passwordPolicies": "DisablePasswordExpiration",
            "postalCode": null,
            "preferredDataLocation": null,
            "preferredLanguage": null,
            "proxyAddresses": [],
            "refreshTokensValidFromDateTime": "2021-01-12T02:25:22Z",
            "showInAddressList": null,
            "signInSessionsValidFromDateTime": "2021-01-12T02:25:22Z",
            "state": null,
            "streetAddress": null,
            "surname": null,
            "usageLocation": null,
            "userPrincipalName": "*****@***.***.com",
            "externalUserState": null,
            "externalUserStateChangeDateTime": null,
            "userType": "Member",
            "employeeOrgData": null,
            "passwordProfile": null,
            "assignedLicenses": [],
            "assignedPlans": [],
            "deviceKeys": [],
            "identities": [
                {
                    "signInType": "userPrincipalName",
                    "issuer": "*****@*****.*****.com",
                    "issuerAssignedId": "*****@***.***.com"
                }
            ],
            "onPremisesExtensionAttributes": {
                "extensionAttribute1": null,
                "extensionAttribute2": null,
                "extensionAttribute3": null,
                "extensionAttribute4": null,
                "extensionAttribute5": null,
                "extensionAttribute6": null,
                "extensionAttribute7": null,
                "extensionAttribute8": null,
                "extensionAttribute9": null,
                "extensionAttribute10": null,
                "extensionAttribute11": null,
                "extensionAttribute12": null,
                "extensionAttribute13": null,
                "extensionAttribute14": null,
                "extensionAttribute15": null
            },
            "onPremisesProvisioningErrors": [],
            "provisionedPlans": []
        },
        {
            "@odata.id": "https://graph.microsoft.com/v***/*****
            "id": "*****",
            "deletedDateTime": null,
            "accountEnabled": true,
            "ageGroup": null,
            "businessPhones": [],
            "city": null,
            "createdDateTime": "2021-06-02T06:46:12Z",
            "creationType": null,
            "companyName": null,
            "consentProvidedForMinor": null,
            "country": null,
            "department": null,
            "displayName": "***",
            "employeeId": null,
            "employeeHireDate": null,
            "employeeType": null,
            "faxNumber": null,
            "givenName": "10",
            "imAddresses": [],
            "infoCatalogs": [],
            "isManagementRestricted": null,
            "isResourceAccount": null,
            "jobTitle": null,
            "legalAgeGroupClassification": null,
            "mail": null,
            "mailNickname": "***",
            "mobilePhone": null,
            "onPremisesDistinguishedName": "CN=10,CN=Users,DC=d3cyberlab,DC=local",
            "officeLocation": null,
            "onPremisesDomainName": "***.***",
            "onPremisesImmutableId": "*****",
            "onPremisesLastSyncDateTime": "2021-09-22T23:05:24Z",
            "onPremisesSecurityIdentifier": "*****",
            "onPremisesSamAccountName": "***",
            "onPremisesSyncEnabled": true,
            "onPremisesUserPrincipalName": "***@***.***",
            "otherMails": [],
            "passwordPolicies": "DisablePasswordExpiration",
            "postalCode": null,
            "preferredDataLocation": null,
            "preferredLanguage": null,
            "proxyAddresses": [],
            "refreshTokensValidFromDateTime": "2021-09-22T22:30:21Z",
            "showInAddressList": null,
            "signInSessionsValidFromDateTime": "2021-09-22T22:30:21Z",
            "state": null,
            "streetAddress": null,
            "surname": null,
            "usageLocation": null,
            "userPrincipalName": "***@***.***.com",
            "externalUserState": null,
            "externalUserStateChangeDateTime": null,
            "userType": "Member",
            "employeeOrgData": null,
            "passwordProfile": null,
            "assignedLicenses": [],
            "assignedPlans": [],
            "deviceKeys": [],
            "identities": [
                {
                    "signInType": "userPrincipalName",
                    "issuer": "*****@*****.*****.com",
                    "issuerAssignedId": "***@***.***.com"
                }
            ],
            "onPremisesExtensionAttributes": {
                "extensionAttribute1": null,
                "extensionAttribute2": null,
                "extensionAttribute3": null,
                "extensionAttribute4": null,
                "extensionAttribute5": null,
                "extensionAttribute6": null,
                "extensionAttribute7": null,
                "extensionAttribute8": null,
                "extensionAttribute9": null,
                "extensionAttribute10": null,
                "extensionAttribute11": null,
                "extensionAttribute12": null,
                "extensionAttribute13": null,
                "extensionAttribute14": null,
                "extensionAttribute15": null
            },
            "onPremisesProvisioningErrors": [],
            "provisionedPlans": []
        },
        {
            "@odata.id": "https://graph.microsoft.com/v***/*****",
            "id": "*****",
            "deletedDateTime": null,
            "accountEnabled": true,
            "ageGroup": null,
            "businessPhones": [],
            "city": null,
            "createdDateTime": "2021-06-02T06:46:12Z",
            "creationType": null,
            "companyName": null,
            "consentProvidedForMinor": null,
            "country": null,
            "department": null,
            "displayName": "11",
            "employeeId": null,
            "employeeHireDate": null,
            "employeeType": null,
            "faxNumber": null,
            "givenName": "11",
            "imAddresses": [],
            "infoCatalogs": [],
            "isManagementRestricted": null,
            "isResourceAccount": null,
            "jobTitle": null,
            "legalAgeGroupClassification": null,
            "mail": null,
            "mailNickname": "11",
            "mobilePhone": null,
            "onPremisesDistinguishedName": "CN=11,CN=Users,DC=d3cyberlab,DC=local",
            "officeLocation": null,
            "onPremisesDomainName": "***.***",
            "onPremisesImmutableId": "*****",
            "onPremisesLastSyncDateTime": "2021-06-16T20:27:47Z",
            "onPremisesSecurityIdentifier": "*****",
            "onPremisesSamAccountName": "11",
            "onPremisesSyncEnabled": true,
            "onPremisesUserPrincipalName": "*****@***.***",
            "otherMails": [],
            "passwordPolicies": "DisablePasswordExpiration",
            "postalCode": null,
            "preferredDataLocation": null,
            "preferredLanguage": null,
            "proxyAddresses": [],
            "refreshTokensValidFromDateTime": "2021-01-12T02:32:00Z",
            "showInAddressList": null,
            "signInSessionsValidFromDateTime": "2021-01-12T02:32:00Z",
            "state": null,
            "streetAddress": null,
            "surname": null,
            "usageLocation": null,
            "userPrincipalName": "*****@***.***.com",
            "externalUserState": null,
            "externalUserStateChangeDateTime": null,
            "userType": "Member",
            "employeeOrgData": null,
            "passwordProfile": null,
            "assignedLicenses": [],
            "assignedPlans": [],
            "deviceKeys": [],
            "identities": [
                {
                    "signInType": "userPrincipalName",
                    "issuer": "*****@*****.*****.com",
                    "issuerAssignedId": "*****@***.***.com"
                }
            ],
            "onPremisesExtensionAttributes": {
                "extensionAttribute1": null,
                "extensionAttribute2": null,
                "extensionAttribute3": null,
                "extensionAttribute4": null,
                "extensionAttribute5": null,
                "extensionAttribute6": null,
                "extensionAttribute7": null,
                "extensionAttribute8": null,
                "extensionAttribute9": null,
                "extensionAttribute10": null,
                "extensionAttribute11": null,
                "extensionAttribute12": null,
                "extensionAttribute13": null,
                "extensionAttribute14": null,
                "extensionAttribute15": null
            },
            "onPremisesProvisioningErrors": [],
            "provisionedPlans": []
        },
        {
            "@odata.id": "https://graph.microsoft.com/v***/*****",
            "id": "*****",
            "deletedDateTime": null,
            "accountEnabled": true,
            "ageGroup": null,
            "businessPhones": [],
            "city": null,
            "createdDateTime": "2021-06-02T06:46:12Z",
            "creationType": null,
            "companyName": null,
            "consentProvidedForMinor": null,
            "country": null,
            "department": null,
            "displayName": "***",
            "employeeId": null,
            "employeeHireDate": null,
            "employeeType": null,
            "faxNumber": null,
            "givenName": "***",
            "imAddresses": [],
            "infoCatalogs": [],
            "isManagementRestricted": null,
            "isResourceAccount": null,
            "jobTitle": null,
            "legalAgeGroupClassification": null,
            "mail": null,
            "mailNickname": "***",
            "mobilePhone": null,
            "onPremisesDistinguishedName": "CN=12,CN=Users,DC=d3cyberlab,DC=local",
            "officeLocation": null,
            "onPremisesDomainName": "***.***",
            "onPremisesImmutableId": "*****",
            "onPremisesLastSyncDateTime": "2021-06-16T20:27:47Z",
            "onPremisesSecurityIdentifier": "*****",
            "onPremisesSamAccountName": "***",
            "onPremisesSyncEnabled": true,
            "onPremisesUserPrincipalName": "*****@***.***",
            "otherMails": [],
            "passwordPolicies": "DisablePasswordExpiration",
            "postalCode": null,
            "preferredDataLocation": null,
            "preferredLanguage": null,
            "proxyAddresses": [],
            "refreshTokensValidFromDateTime": "2021-01-12T02:38:44Z",
            "showInAddressList": null,
            "signInSessionsValidFromDateTime": "2021-01-12T02:38:44Z",
            "state": null,
            "streetAddress": null,
            "surname": null,
            "usageLocation": null,
            "userPrincipalName": "*****@*****.*****.com",
            "externalUserState": null,
            "externalUserStateChangeDateTime": null,
            "userType": "Member",
            "employeeOrgData": null,
            "passwordProfile": null,
            "assignedLicenses": [],
            "assignedPlans": [],
            "deviceKeys": [],
            "identities": [
                {
                    "signInType": "userPrincipalName",
                    "issuer": "*****@*****.*****.com",
                    "issuerAssignedId": "*****@*****.*****.com"
                }
            ],
            "onPremisesExtensionAttributes": {
                "extensionAttribute1": null,
                "extensionAttribute2": null,
                "extensionAttribute3": null,
                "extensionAttribute4": null,
                "extensionAttribute5": null,
                "extensionAttribute6": null,
                "extensionAttribute7": null,
                "extensionAttribute8": null,
                "extensionAttribute9": null,
                "extensionAttribute10": null,
                "extensionAttribute11": null,
                "extensionAttribute12": null,
                "extensionAttribute13": null,
                "extensionAttribute14": null,
                "extensionAttribute15": null
            },
            "onPremisesProvisioningErrors": [],
            "provisionedPlans": []
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "UserIDs": "\"[\\\"*****\\\",\\\"*****\\\",\\\"*****\\\",\\\"*****\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@odata.context

https://graph.microsoft.com/*****

@odata.nextLink

https://graph.microsoft.com/*****

value

  • {

    ";@odata.id";: ";https://graph.microsoft.com/v***/*****;,

    ";id";: ";*****";,

    ";deletedDateTime";: null,

    ";accountEnabled";: true,

    ";ageGroup";: null,

    ";businessPhones";: [],

    ";city";: null,

    ";createdDateTime";: ";2021-06-02T07:46:05Z";,

    ";creationType";: null,

    ";companyName";: null,

    ";consentProvidedForMinor";: null,

    ";country";: null,

    ";department";: null,

    ";displayName";: ";***";,

    ";employeeId";: null,

    ";employeeHireDate";: null,

    ";employeeType";: null,

    ";faxNumber";: null,

    ";givenName";: ";***";,

    ";imAddresses";: [],

    ";infoCatalogs";: [],

    ";isManagementRestricted";: null,

    ";isResourceAccount";: null,

    ";jobTitle";: null,

    ";legalAgeGroupClassification";: null,

    ";mail";: null,

    ";mailNickname";: ";***";,

    ";mobilePhone";: null,

    ";onPremisesDistinguishedName";: ";CN=1,CN=Users,DC=d3cyberlab,DC=local";,

    ";officeLocation";: null,

    ";onPremisesDomainName";: ";***.***";,

    ";onPremisesImmutableId";: ";*****";,

    ";onPremisesLastSyncDateTime";: ";2021-06-16T20:27:47Z";,

    ";onPremisesSecurityIdentifier";: ";*****";,

    ";onPremisesSamAccountName";: ";1";,

    ";onPremisesSyncEnabled";: true,

    ";onPremisesUserPrincipalName";: ";*****@***.***";,

    ";otherMails";: [],

    ";passwordPolicies";: ";DisablePasswordExpiration";,

    ";postalCode";: null,

    ";preferredDataLocation";: null,

    ";preferredLanguage";: null,

    ";proxyAddresses";: [],

    ";refreshTokensValidFromDateTime";: ";2021-01-12T02:25:22Z";,

    ";showInAddressList";: null,

    ";signInSessionsValidFromDateTime";: ";2021-01-12T02:25:22Z";,

    ";state";: null,

    ";streetAddress";: null,

    ";surname";: null,

    ";usageLocation";: null,

    ";userPrincipalName";: ";*****@***.***.com";,

    ";externalUserState";: null,

    ";externalUserStateChangeDateTime";: null,

    ";userType";: ";Member";,

    ";employeeOrgData";: null,

    ";passwordProfile";: null,

    ";assignedLicenses";: [],

    ";assignedPlans";: [],

    ";deviceKeys";: [],

    ";identities";: [

    {

    ";signInType";: ";userPrincipalName";,

    ";issuer";: ";*****@*****.*****.com";,

    ";issuerAssignedId";: ";*****@***.***.com";

    }

    ],

    ";onPremisesExtensionAttributes";: {

    ";extensionAttribute1";: null,

    ";extensionAttribute2";: null,

    ";extensionAttribute3";: null,

    ";extensionAttribute4";: null,

    ";extensionAttribute5";: null,

    ";extensionAttribute6";: null,

    ";extensionAttribute7";: null,

    ";extensionAttribute8";: null,

    ";extensionAttribute9";: null,

    ";extensionAttribute10";: null,

    ";extensionAttribute11";: null,

    ";extensionAttribute12";: null,

    ";extensionAttribute13";: null,

    ";extensionAttribute14";: null,

    ";extensionAttribute15";: null

    },

    ";onPremisesProvisioningErrors";: [],

    ";provisionedPlans";: []

    }

  • {

    ";@odata.id";: ";https://graph.microsoft.com/v***/*****";,

    ";id";: ";*****";,

    ";deletedDateTime";: null,

    ";accountEnabled";: true,

    ";ageGroup";: null,

    ";businessPhones";: [],

    ";city";: null,

    ";createdDateTime";: ";2021-06-02T06:46:12Z";,

    ";creationType";: null,

    ";companyName";: null,

    ";consentProvidedForMinor";: null,

    ";country";: null,

    ";department";: null,

    ";displayName";: ";***";,

    ";employeeId";: null,

    ";employeeHireDate";: null,

    ";employeeType";: null,

    ";faxNumber";: null,

    ";givenName";: ";***";,

    ";imAddresses";: [],

    ";infoCatalogs";: [],

    ";isManagementRestricted";: null,

    ";isResourceAccount";: null,

    ";jobTitle";: null,

    ";legalAgeGroupClassification";: null,

    ";mail";: null,

    ";mailNickname";: ";***";,

    ";mobilePhone";: null,

    ";onPremisesDistinguishedName";: ";CN=10,CN=Users,DC=d3cyberlab,DC=local";,

    ";officeLocation";: null,

    ";onPremisesDomainName";: ";***.***";,

    ";onPremisesImmutableId";: ";*****";,

    ";onPremisesLastSyncDateTime";: ";2021-09-22T23:05:24Z";,

    ";onPremisesSecurityIdentifier";: ";*****";,

    ";onPremisesSamAccountName";: ";10";,

    ";onPremisesSyncEnabled";: true,

    ";onPremisesUserPrincipalName";: ";***@***.***";,

    ";otherMails";: [],

    ";passwordPolicies";: ";DisablePasswordExpiration";,

    ";postalCode";: null,

    ";preferredDataLocation";: null,

    ";preferredLanguage";: null,

    ";proxyAddresses";: [],

    ";refreshTokensValidFromDateTime";: ";2021-09-22T22:30:21Z";,

    ";showInAddressList";: null,

    ";signInSessionsValidFromDateTime";: ";2021-09-22T22:30:21Z";,

    ";state";: null,

    ";streetAddress";: null,

    ";surname";: null,

    ";usageLocation";: null,

    ";userPrincipalName";: ";***@***.***.com";,

    ";externalUserState";: null,

    ";externalUserStateChangeDateTime";: null,

    ";userType";: ";Member";,

    ";employeeOrgData";: null,

    ";passwordProfile";: null,

    ";assignedLicenses";: [],

    ";assignedPlans";: [],

    ";deviceKeys";: [],

    ";identities";: [

    {

    ";signInType";: ";userPrincipalName";,

    ";issuer";: ";*****@*****.*****.com";,

    ";issuerAssignedId";: ";***@***.***.com";

    }

    ],

    ";onPremisesExtensionAttributes";: {

    ";extensionAttribute1";: null,

    ";extensionAttribute2";: null,

    ";extensionAttribute3";: null,

    ";extensionAttribute4";: null,

    ";extensionAttribute5";: null,

    ";extensionAttribute6";: null,

    ";extensionAttribute7";: null,

    ";extensionAttribute8";: null,

    ";extensionAttribute9";: null,

    ";extensionAttribute10";: null,

    ";extensionAttribute11";: null,

    ";extensionAttribute12";: null,

    ";extensionAttribute13";: null,

    ";extensionAttribute14";: null,

    ";extensionAttribute15";: null

    },

    ";onPremisesProvisioningErrors";: [],

    ";provisionedPlans";: []

    }

  • {

    ";@odata.id";: ";https://graph.microsoft.com/v***/*****";,

    ";id";: ";*****";,

    ";deletedDateTime";: null,

    ";accountEnabled";: true,

    ";ageGroup";: null,

    ";businessPhones";: [],

    ";city";: null,

    ";createdDateTime";: ";2021-06-02T06:46:12Z";,

    ";creationType";: null,

    ";companyName";: null,

    ";consentProvidedForMinor";: null,

    ";country";: null,

    ";department";: null,

    ";displayName";: ";***";,

    ";employeeId";: null,

    ";employeeHireDate";: null,

    ";employeeType";: null,

    ";faxNumber";: null,

    ";givenName";: ";***";,

    ";imAddresses";: [],

    ";infoCatalogs";: [],

    ";isManagementRestricted";: null,

    ";isResourceAccount";: null,

    ";jobTitle";: null,

    ";legalAgeGroupClassification";: null,

    ";mail";: null,

    ";mailNickname";: ";***";,

    ";mobilePhone";: null,

    ";onPremisesDistinguishedName";: ";CN=11,CN=Users,DC=d3cyberlab,DC=local";,

    ";officeLocation";: null,

    ";onPremisesDomainName";: ";***.***";,

    ";onPremisesImmutableId";: ";*****";,

    ";onPremisesLastSyncDateTime";: ";2021-06-16T20:27:47Z";,

    ";onPremisesSecurityIdentifier";: ";*****";,

    ";onPremisesSamAccountName";: ";11";,

    ";onPremisesSyncEnabled";: true,

    ";onPremisesUserPrincipalName";: ";*****@***.***";,

    ";otherMails";: [],

    ";passwordPolicies";: ";DisablePasswordExpiration";,

    ";postalCode";: null,

    ";preferredDataLocation";: null,

    ";preferredLanguage";: null,

    ";proxyAddresses";: [],

    ";refreshTokensValidFromDateTime";: ";2021-01-12T02:32:00Z";,

    ";showInAddressList";: null,

    ";signInSessionsValidFromDateTime";: ";2021-01-12T02:32:00Z";,

    ";state";: null,

    ";streetAddress";: null,

    ";surname";: null,

    ";usageLocation";: null,

    ";userPrincipalName";: ";*****@***.***.com";,

    ";externalUserState";: null,

    ";externalUserStateChangeDateTime";: null,

    ";userType";: ";Member";,

    ";employeeOrgData";: null,

    ";passwordProfile";: null,

    ";assignedLicenses";: [],

    ";assignedPlans";: [],

    ";deviceKeys";: [],

    ";identities";: [

    {

    ";signInType";: ";userPrincipalName";,

    ";issuer";: ";*****@*****.*****.com";,

    ";issuerAssignedId";: ";*****@***.***.com";

    }

    ],

    ";onPremisesExtensionAttributes";: {

    ";extensionAttribute1";: null,

    ";extensionAttribute2";: null,

    ";extensionAttribute3";: null,

    ";extensionAttribute4";: null,

    ";extensionAttribute5";: null,

    ";extensionAttribute6";: null,

    ";extensionAttribute7";: null,

    ";extensionAttribute8";: null,

    ";extensionAttribute9";: null,

    ";extensionAttribute10";: null,

    ";extensionAttribute11";: null,

    ";extensionAttribute12";: null,

    ";extensionAttribute13";: null,

    ";extensionAttribute14";: null,

    ";extensionAttribute15";: null

    },

    ";onPremisesProvisioningErrors";: [],

    ";provisionedPlans";: []

    }

  • {

    ";@odata.id";: ";https://graph.microsoft.com/v***/*****";,

    ";id";: ";*****";,

    ";deletedDateTime";: null,

    ";accountEnabled";: true,

    ";ageGroup";: null,

    ";businessPhones";: [],

    ";city";: null,

    ";createdDateTime";: ";2021-06-02T06:46:12Z";,

    ";creationType";: null,

    ";companyName";: null,

    ";consentProvidedForMinor";: null,

    ";country";: null,

    ";department";: null,

    ";displayName";: ";***";,

    ";employeeId";: null,

    ";employeeHireDate";: null,

    ";employeeType";: null,

    ";faxNumber";: null,

    ";givenName";: ";***";,

    ";imAddresses";: [],

    ";infoCatalogs";: [],

    ";isManagementRestricted";: null,

    ";isResourceAccount";: null,

    ";jobTitle";: null,

    ";legalAgeGroupClassification";: null,

    ";mail";: null,

    ";mailNickname";: ";***";,

    ";mobilePhone";: null,

    ";onPremisesDistinguishedName";: ";CN=12,CN=Users,DC=d3cyberlab,DC=local";,

    ";officeLocation";: null,

    ";onPremisesDomainName";: ";***.***";,

    ";onPremisesImmutableId";: ";*****";,

    ";onPremisesLastSyncDateTime";: ";2021-06-16T20:27:47Z";,

    ";onPremisesSecurityIdentifier";: ";*****";,

    ";onPremisesSamAccountName";: ";***";,

    ";onPremisesSyncEnabled";: true,

    ";onPremisesUserPrincipalName";: ";*****@***.***";,

    ";otherMails";: [],

    ";passwordPolicies";: ";DisablePasswordExpiration";,

    ";postalCode";: null,

    ";preferredDataLocation";: null,

    ";preferredLanguage";: null,

    ";proxyAddresses";: [],

    ";refreshTokensValidFromDateTime";: ";2021-01-12T02:38:44Z";,

    ";showInAddressList";: null,

    ";signInSessionsValidFromDateTime";: ";2021-01-12T02:38:44Z";,

    ";state";: null,

    ";streetAddress";: null,

    ";surname";: null,

    ";usageLocation";: null,

    ";userPrincipalName";: ";*****@*****.*****.com";,

    ";externalUserState";: null,

    ";externalUserStateChangeDateTime";: null,

    ";userType";: ";Member";,

    ";employeeOrgData";: null,

    ";passwordProfile";: null,

    ";assignedLicenses";: [],

    ";assignedPlans";: [],

    ";deviceKeys";: [],

    ";identities";: [

    {

    ";signInType";: ";userPrincipalName";,

    ";issuer";: ";*****@*****.*****.com";,

    ";issuerAssignedId";: ";*****@*****.*****.com";

    }

    ],

    ";onPremisesExtensionAttributes";: {

    ";extensionAttribute1";: null,

    ";extensionAttribute2";: null,

    ";extensionAttribute3";: null,

    ";extensionAttribute4";: null,

    ";extensionAttribute5";: null,

    ";extensionAttribute6";: null,

    ";extensionAttribute7";: null,

    ";extensionAttribute8";: null,

    ";extensionAttribute9";: null,

    ";extensionAttribute10";: null,

    ";extensionAttribute11";: null,

    ";extensionAttribute12";: null,

    ";extensionAttribute13";: null,

    ";extensionAttribute14";: null,

    ";extensionAttribute15";: null

    },

    ";onPremisesProvisioningErrors";: [],

    ";provisionedPlans";: []

    }

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Users failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: unauthorized_client.

Error Sample Data

List Users failed.

Status Code: 400.

Message: unauthorized_client.

Replace Shift

Replaces an existing shift. Note: only accounts with admin permissions can replace a shift.

READER NOTE

  • Team ID and User Email are required parameters to run this command. 

    • Run the List Teams command to obtain Team IDs. Team IDs can be found from the returned raw data at the path $.value[*].id

    • To run this command, the team associated with the input Team ID must be available to assign to the created or replaced schedule. Only teams that have an existing schedule will be listed in the All Schedules tab. You can see what teams are available to schedule in Microsoft Teams by:

a. Navigating to the Shifts tab 

b. Clicking the three bar menu button at the top and either selecting the desired schedule to be replaced or clicking + New schedule

c. Viewing the teams that appear

    • The input User Email must match the input group. Run the List Teams first to obtain the desired Team ID, then use that Team ID to run the List Team Members command. User Email can be obtained from the returned raw data at the path $.value[*].email. Use these values to run this command. Please note that some team members may not have a valid email to input for this command (the returned raw data at the path $.value[*].email for the user is "null"). Those users cannot be used to replace shifts.

  • Scheduling Group ID is an optional parameter to run this command. 

    • Run the List Scheduling Groups command to obtain Scheduling Group IDs. Scheduling Group IDs can be found from the returned raw data at the path $[*].value.id.

    • The Team ID and Scheduling Group ID must match if defining the Scheduling Group ID parameter. You can run the List Teams command first to obtain the desired Team ID, then use that Team ID to run the List Scheduling Groups command to obtain the desired Scheduling Group ID. Use both values to run this command.

  • The Act As Admin Account parameter is required when using the Client Credentials authentication type.

  • Ensure to schedule adequate time when running this command in order to avoid overlapping shifts.

Input

Input Parameter

Required/Optional

Description

Example

Team ID

Required

The ID of the team to replace a scheduled shift for. Team IDs can be obtained using the List Teams command.

*****

Shift ID

Required

The ID of the shift to replace. Shift IDs can be obtained using the List Shifts command.

SHFT_*****

User Email

Required

The email address of the user who takes the shift. The user must be a member of the specified team. User Email can be obtained using the List Team Members command.

*****@*****.*****.com

Act As Admin Account

Optional

The email address of the admin account to use to replace the shift. Note: when using the Client Credentials authentication type, this parameter is required to run this command. The account used must have admin permissions in order to replace a shift.

*****@*****.*****.com

Scheduling Group ID

Optional

The ID of the Scheduling Group for which the shift will be replaced. Scheduling Group IDs can be obtained using the List Scheduling Groups command. If this parameter is not defined, the shift will be replaced to Other.

TAG_*****

Shift Version

Required

The version of the shift to be created. The available versions are Shared Shift or Draft Shift.

Shared Shift

Shift Name

Required

The name for the shift to replace the original shift name. Note: the shift name cannot be longer than 30 characters.

*****

Notes

Optional

The notes to be added to the shift, or to replace if previous notes existed.

Please do inventory as part of your shift.

Shift Start Time

Required

The replacement shift start date time in UTC time. Note: the duration of a shift (the time range between shift start time and shift end time) cannot be less than 1 minute or longer than 24 hours.

2023-03-19 15:00

Shift End Time

Required

The replacement shift end date time in UTC time. Note: the duration of a shift (the time range between shift start time and shift end time) cannot be less than 1 minute or longer than 24 hours.

2023-03-20 00:00

Shift Activities

Optional

Daily activities or any additional breaks to be tracked with this shift. Note: in each activity object, displayName and startDateTime/endDateTime are required fields. The remaining fields are optional. StartDateTime and endDateTime are in UTC time and must be within the bounds of the shift.

[

{

"isPaid": true,

"startDateTime": "2023-03-19T18:00:00Z",

"endDateTime": "2023-03-19T18:45:00Z",

"code": "LT",

"displayName": "Lunch Time",

"theme": "blue"

}

]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@odata.context": "https://graph.microsoft.com/v*.*/***",
    "@odata.etag": "\"*****\"",
    "id": "SHFT_*****",
    "createdDateTime": "2023-03-16T19:12:25.805Z",
    "lastModifiedDateTime": "2023-03-16T19:34:50.215Z",
    "schedulingGroupId": "TAG_*****",
    "userId": "*****",
    "draftShift": null,
    "lastModifiedBy": {
        "application": null,
        "device": null,
        "user": {
            "id": "*****",
            "displayName": "*****",
            "userIdentityType": "aadUser"
        }
    },
    "sharedShift": {
        "displayName": "*****",
        "startDateTime": "2023-03-19T15:00:00Z",
        "endDateTime": "2023-03-20T00:00:00Z",
        "theme": "blue",
        "notes": "Please do inventory as part of your shift.",
        "activities": [
            {
                "isPaid": true,
                "startDateTime": "2023-03-19T18:00:00Z",
                "endDateTime": "2023-03-19T18:45:00Z",
                "code": "LT",
                "displayName": "Lunch Time",
                "theme": "blue"
            }
        ]
    }
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
No Sample Data
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ShiftID": "\"SHFT_*****\"",
    "UserID": "\"*****\"",
    "SchedulingGroupID": "\"TAG_*****\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@odata.context

https://graph.microsoft.com/v*.*/***

@odata.etag

"*****"

id

SHFT_*****

createdDateTime

2023-03-16T19:12:25.805Z

lastModifiedDateTime

2023-03-16T19:34:50.215Z

schedulingGroupId

TAG_*****

userId

*****

draftShift

None

lastModifiedBy

{'application': None, 'device': None, 'user': {'id': '*****', 'displayName': '*****', 'userIdentityType': 'aadUser'}}

sharedShift

{'displayName': '*****', 'startDateTime': '2023-03-19T15:00:00Z', 'endDateTime': '2023-03-20T00:00:00Z', 'theme': 'blue', 'notes': 'Please do inventory as part of your shift.', 'activities': [{'isPaid': True, 'startDateTime': '2023-03-19T18:00:00Z', 'endDateTime': '2023-03-19T18:45:00Z', 'code': 'LT', 'displayName': 'Lunch Time', 'theme': 'blue'}]}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Replace Shift failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Sorry, the position was not found and may have been deleted.

Error Sample Data

Replace Shift failed.

Status Code: 400.

Message: Sorry, the position was not found and may have been deleted.

Send Chat Message

Sends a new message to the specified user(s). Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.

File ID and File Source

It is not recommended to use the Test Command feature with the Submit Sample Files command as it is designed for dynamic input files in Playbooks, Incident Attachments, and Artifact Attachments. There is a simple workaround to test the command:

  1. In D3 SOAR, navigate to Configuration on the top bar menu.

  2. Click Utility Commands on the left sidebar menu.

  3. Use the search box to find and select the Create a File from input Text Array command.

  4. Select the Test tab, then input the required information for the parameters. Click Test Command.

A D3 File ID will appear in the output data after the file has been successfully created.

(Note: The D3 File Source of the created file will be Playbook File)

READER NOTE

This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.

Input

Input Parameter

Required/Optional

Description

Example

Caller Principle Name

Required

The principle name of the chat caller. Please note, caller principal name must be the user who granted API access.

*****@*****.*****.com

Target Users

Required

The principal name(s) of the target user(s) to whom the chat message will be sent.

[

"*****@*****.com"

]

Send HTML Message

Optional

The option to set the message type to HTML. The default option is False.

True

Message

Optional

The contents of the message to send.

<p><b>Hello World in BOLD.</b></p>

File IDs

Optional

The file IDs to be sent to chat as attachment according to file source. Please note, attachment file sizes cannot exceed 4MB.

[

10097

]

File Source

Optional

The file source of the file to send. The options for file sources are:

Incident Attachment File: Manually uploaded file from Incident

Playbook File: Output from another Task

Artifact File: Ingested Artifact in an Event

If not specified, the default file source is Playbook File.

Playbook File

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "results": [
        {
            "targetUser": "*****@*****.com",
            "@odata.context": "https://graph.microsoft.com/v***/*****",
            "id": "*****",
            "replyToId": null,
            "etag": "*****",
            "messageType": "message",
            "createdDateTime": "2023-05-30T02:22:22.534Z",
            "lastModifiedDateTime": "2023-05-30T02:22:22.534Z",
            "lastEditedDateTime": null,
            "deletedDateTime": null,
            "subject": null,
            "summary": null,
            "chatId": "*****@*****.*****.***",
            "importance": "normal",
            "locale": "en-us",
            "webUrl": null,
            "channelIdentity": null,
            "policyViolation": null,
            "eventDetail": null,
            "from": {
                "application": null,
                "device": null,
                "user": {
                    "@odata.type": "#microsoft.graph.teamworkUserIdentity",
                    "id": "*****",
                    "displayName": "*****",
                    "userIdentityType": "aadUser"
                }
            },
            "body": {
                "contentType": "html",
                "content": "@ Hello World Blue Jay in BOLD 2023-05-30T02:21:26.129Z.  "
            },
            "attachments": [
                {
                    "id": "*****",
                    "contentType": "reference",
                    "contentUrl": "https://*****.com/***",
                    "content": null,
                    "name": "bluejay1.png",
                    "thumbnailUrl": null,
                    "teamsAppId": null
                }
            ],
            "mentions": [],
            "reactions": []
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "MessageID": "\"[ \\\"*****\\\" ]\"",
    "targetUsers": "\"[ \\\"*****@*****.com\\\" ]\"",
    "ChatIDs": "\"[ \\\"*****@*****.*****.***\\\" ]\""
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

results

  • {'targetUser': '*****@*****.com', '@odata.context': "https://graph.microsoft.com/v***/*****", 'id': '*****', 'replyToId': None, 'etag': '*****', 'messageType': 'message', 'createdDateTime': '2023-05-30T02:22:22.534Z', 'lastModifiedDateTime': '2023-05-30T02:22:22.534Z', 'lastEditedDateTime': None, 'deletedDateTime': None, 'subject': None, 'summary': None, 'chatId': '*****@*****.*****.***', 'importance': 'normal', 'locale': 'en-us', 'webUrl': None, 'channelIdentity': None, 'policyViolation': None, 'eventDetail': None, 'from': {'application': None, 'device': None, 'user': {'@odata.type': '#microsoft.graph.teamworkUserIdentity', 'id': '*****', 'displayName': '*****', 'userIdentityType': 'aadUser'}}, 'body': {'contentType': 'html', 'content': '

    @

    Hello World Blue Jay in BOLD 2023-05-30T02:21:26.129Z.

    '}, 'attachments': [{'id': '*****', 'contentType': 'reference', 'contentUrl': '*****@*****.com/***', 'content': None, 'name': 'bluejay1.png', 'thumbnailUrl': None, 'teamsAppId': None}], 'mentions': [], 'reactions': []}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Send Chat Message failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The caller must be one of the members specified in request body.

Error Sample Data

Send Chat Message failed.

Status Code: 400.

Message: The caller must be one of the members specified in request body.

Send Message

Sends a message in the specified channel in Microsoft Teams. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.

READER NOTE

  • Team ID and Channel ID or Channel Name are required parameters to run this command.

    • Run the List Teams command to obtain Team ID. Team IDs can be found from the returned raw data at the path $.value[*].id

    • Run the List Channels command to obtain Channel ID or Channel Name. Channel ID can be found from the returned raw data at the path $.value[*].id; Channel Name can be found from the returned raw data at the path $.value[*].displayName.

    • The input Channel ID/Name must belong to the input Team ID. It is recommended to run the List Teams command to obtain the desired Team ID, then use that Team ID to obtain the corresponding Channel ID/Name using the List Channels command. Afterwards, input the obtained values to run this command. You will avoid the error message “____ is not channel Id or channel name existed” being returned.

  • This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in thePermission Requirements. See Grant Type: Authorization Code inConfiguring D3 SOAR to Work with Microsoft Teams for instructions on authenticating the connection using the authorization_code grant type.

  • This command requires the beta API version. Other API versions will not be shown in the connection dropdown list. Please see step 3h of Configuring D3 SOAR to Work with Microsoft Teams for connection configuration.

Input

Input Parameter

Required/Optional

Description

Example

Team ID

Required

The ID of the team that the specified channel belongs to. Team IDs can be obtained using the List Teams command.

***************************************

Channel ID or Channel Name

Required

The ID or name of the channel to send the message to. Channel IDs and Channel Names can be obtained running the List Channels command with the same input Team ID.

*****@*****.*****.com

Send HTML Message

Optional

The option to set the message type to HTML. The default option is False.

True

Message

Required

The contents of the message to send.

{

"body":{

"contentType":"html",

"content":"<div><div>\n<div><span><img height=\"250\" src=\"../hostedContents/1/$value\" width=\"176.2295081967213\" style=\"vertical-align:bottom; width:176px; height:250px\"></span>\n\n</div>\n\n\n</div>\n</div>"

}

}

Mention Contents

Optional

This list of content objects for mentioned users, chnels, or teams. This parameter is only applicable when the message type is HTML and the "at" tag with the corresponding "id" is included in the message. Each mentioned content can be assigned to either a user, a channel or a team.

User IDs can be obtained using the List Users command; Channel IDs can be obtained using the List Channels command; Team IDs can be obtained using the List Teams command. Please reference the sample data when structuring your request.

The "id" in each mentioned content must match the "id" of the "at" tag in the message. The "mentionText" and "mentioned.displayName" fields are optional. For more details, see Send chatMessage in a channel or a chat - Microsoft Graph v1.0 from Microsoft's documentation and refer to Examples 2, 7, or 8.

[

{

"id": ***,

"mentionText": "*****",

"mentioned": {

"user": {

"displayName": "1Xuan Lu",

"id": "*****",

"userIdentityType": "aadUser"

}

}

},

{

"id": ***,

"mentionText": " Channel testing",

"mentioned": {

"conversation": {

"id": "*****",

"displayName": "2General",

"conversationIdentityType": "channel"

}

}

},

{

"id": ***,

"mentionText": "*****",

"mentioned": {

"conversation": {

"id": "*****",

"displayName": "3GraphTesting",

"conversationIdentityType": "team"

}

}

}

]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@odata.context": "https://graph.microsoft.com/v*.*/***",
    "id": "*****",
    "replyToId": null,
    "etag": "*****",
    "messageType": "message",
    "createdDateTime": "2023-01-19T01:23:51.985Z",
    "lastModifiedDateTime": "2023-01-19T01:23:51.985Z",
    "lastEditedDateTime": null,
    "deletedDateTime": null,
    "subject": null,
    "summary": null,
    "chatId": null,
    "importance": "normal",
    "locale": "en-us",
    "webUrl": "https://teams.microsoft.com/*****",
    "policyViolation": null,
    "eventDetail": null,
    "from": {
        "application": null,
        "device": null,
        "user": {
            "id": "*****",
            "displayName": "*****",
            "userIdentityType": "aadUser"
        }
    },
    "body": {
        "contentType": "html",
        "content": "\n    \n        \n            \n        \n    \n    Hello User *****  Hello Channel  Channel testing Hello Team *****\n    \n"
    },
    "channelIdentity": {
        "teamId": "*****",
        "channelId": "*****"
    },
    "attachments": [],
    "mentions": [
        {
            "id": ***,
            "mentionText": "*****",
            "mentioned": {
                "application": null,
                "device": null,
                "conversation": null,
                "tag": null,
                "user": {
                    "id": "*****",
                    "displayName": "*****",
                    "userIdentityType": "aadUser"
                }
            }
        },
        {
            "id": ***,
            "mentionText": " Channel testing",
            "mentioned": {
                "application": null,
                "device": null,
                "user": null,
                "tag": null,
                "conversation": {
                    "id": "*****",
                    "displayName": " Channel testing",
                    "conversationIdentityType": "channel"
                }
            }
        },
        {
            "id": ***,
            "mentionText": "*****",
            "mentioned": {
                "application": null,
                "device": null,
                "user": null,
                "tag": null,
                "conversation": {
                    "id": "*****",
                    "displayName": "*****",
                    "conversationIdentityType": "team"
                }
            }
        }
    ],
    "reactions": []
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
{
    "@odata.context": "https://graph.microsoft.com/v*.*/***",
    "id": "*****",
    "replyToId": null,
    "etag": "*****",
    "messageType": "message",
    "createdDateTime": "2023-01-19T01:23:51.985Z",
    "lastModifiedDateTime": "2023-01-19T01:23:51.985Z",
    "lastEditedDateTime": null,
    "deletedDateTime": null,
    "subject": null,
    "summary": null,
    "chatId": null,
    "importance": "normal",
    "locale": "en-us",
    "webUrl": "https://teams.microsoft.com/*****",
    "policyViolation": null,
    "eventDetail": null,
    "from": {
        "application": null,
        "device": null,
        "user": {
            "id": "*****",
            "displayName": "*****",
            "userIdentityType": "aadUser"
        }
    },
    "body": {
        "contentType": "html",
        "content": "\n    \n        \n            \n        \n    \n    Hello User *****  Hello Channel  Channel testing Hello Team *****\n    \n"
    },
    "channelIdentity": {
        "teamId": "*****",
        "channelId": "*****"
    },
    "attachments": [],
    "mentions": [
        {
            "id": ***,
            "mentionText": "*****",
            "mentioned": {
                "application": null,
                "device": null,
                "conversation": null,
                "tag": null,
                "user": {
                    "id": "*****",
                    "displayName": "*****",
                    "userIdentityType": "aadUser"
                }
            }
        },
        {
            "id": ***,
            "mentionText": " Channel testing",
            "mentioned": {
                "application": null,
                "device": null,
                "user": null,
                "tag": null,
                "conversation": {
                    "id": "*****",
                    "displayName": " Channel testing",
                    "conversationIdentityType": "channel"
                }
            }
        },
        {
            "id": ***,
            "mentionText": "*****",
            "mentioned": {
                "application": null,
                "device": null,
                "user": null,
                "tag": null,
                "conversation": {
                    "id": "*****",
                    "displayName": "*****",
                    "conversationIdentityType": "team"
                }
            }
        }
    ],
    "reactions": []
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "MessageID": "\"*****\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@odata.context

https://graph.microsoft.com/*****

id

*****

replyToId

etag

*****

messageType

message

createdDateTime

9/28/2021 9:33:10 PM

lastModifiedDateTime

9/28/2021 9:33:10 PM

lastEditedDateTime

deletedDateTime

subject

summary

chatId

importance

normal

locale

en-us

webUrl

https://teams.microsoft.com/*****

policyViolation

eventDetail

from

{

"application": null,

"device": null,

"user": {

"id": "*****",

"displayName": "*****",

"userIdentityType": "aadUser"

}

}

body

{

"contentType": "html",

"content": "

\\n

Message\\n\\n

\\n\\n\\n

\\n

"

}

channelIdentity

{

"teamId": "*****",

"channelId": "*****"

}

attachments

mentions

reactions

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Send Message failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Team ID Not Found.

Error Sample Data

Send Message failed.

Status Code: 404.

Message: Team ID Not Found.

Send Message V2

Sends a message in the specified channel in Microsoft Teams with defined cards or attachments. Please note, this command cannot be run with the client_credentials grant type. Please use the authorization_code grant type for the integration connection to execute this command.

READER NOTE

  • Team ID and Channel ID or Channel Name are required parameters to run this command.

    • Run the List Teams command to obtain Team ID. Team IDs can be found from the returned raw data at the path $.value[*].id

    • Run the List Channels command to obtain Channel ID or Channel Name. Channel ID can be found from the returned raw data at the path $.value[*].id; Channel Name can be found from the returned raw data at the path $.value[*].displayName.

    • The input Channel ID/Name must belong to the input Team ID. It is recommended to run the List Teams command to obtain the desired Team ID, then use that Team ID to obtain the corresponding Channel ID/Name using the List Channels command. Afterwards, input the obtained values to run this command. You will avoid the error message “____ is not channel Id or channel name existed” being returned.

  • This command can only be used if the integration connection is authenticated using the authorization_code grant type, which requires the Delegated Permissions in the Permission Requirements. See Grant Type: Authorization Code in Configuring D3 SOAR to Work with Microsoft Teams section for instructions on authenticating the connection using the authorization_code grant type.

  • This command requires the beta version of the Microsoft Teams API. Only the beta version will appear in the connection dropdown list. For connection configuration instructions, please refer to step 3h of Configuring D3 SOAR to Work with Microsoft Teams.

Input

Input Parameter

Required/Optional

Description

Example

Team ID

Required

The ID of the team that the specified channel belongs to. Team IDs can be obtained using the List Teams command.

*****

Channel ID or Channel Name

Required

The ID or name of the channel to send the message. Channel IDs and Channel names can be obtained running the List Channels command with the same input Team ID.

*****

Text Message

Optional

The contents of the text message to send. This parameter and the HTML Message parameter cannot be both empty. This parameter will be omitted when the HTML Message parameter has a value.

A simple text message.

HTML Message

Required

The contents of the HTML message to send. Please note that either this parameter or the Text Message parameter must be provided and cannot be empty.

When creating a message with mention contents, cards, or attachments, the HTML message is required. If the task requires a response, include the placeholder <<UserActionRequiredURL>>. Please reference the sample data for more details.

<div>

<div>

<div>

<img height="250" src="../hostedContents/1/$value" width="176.2295081967213" style="vertical-align:bottom; width:176px; height:250px"/>

</div>

</div>

<div>Hello User <at id="***">*****</at> Hello Channel <at id="***"> Channel testing</at> Hello Team <at id="***">*****</at>

</div>

</div>

Mention Contents

Optional

This list of content objects for mentioned users, chnels, or teams. This parameter is only applicable when the message type is HTML and the "at" tag with the corresponding "id" is included in the message. Each mentioned content can be assigned to either a user, a channel or a team.

User IDs can be obtained using the List Users command; Channel IDs can be obtained using the List Channels command; Team IDs can be obtained using the List Teams command. Please reference the sample data when structuring your request.

The "id" in each mentioned content must match the "id" of the "at" tag in the message. The "mentionText" and "mentioned.displayName" fields are optional. For more details, see Send chatMessage in a channel or a chat - Microsoft Graph v1.0 from Microsoft's documentation and refer to Examples 2, 7, or 8.

[

{

"id": ***,

"mentionText": "*****",

"mentioned": {

"user": {

"displayName": "1Xuan Lu",

"id": "*****",

"userIdentityType": "aadUser"

}

}

},

{

"id": ***,

"mentionText": " Channel testing",

"mentioned": {

"conversation": {

"id": "*****",

"displayName": "2General",

"conversationIdentityType": "channel"

}

}

},

{

"id": ***,

"mentionText": "*****",

"mentioned": {

"conversation": {

"id": "*****",

"displayName": "3GraphTesting",

"conversationIdentityType": "team"

}

}

}

]

Cards And Attachments

Optional

The list of card or attachment objects to attach in the message. For more information, see Send chatMessage in a channel or a chat - Microsoft Graph v1.0 from Microsoft's documentation, and refer to example 3, 6 or 9. If the task requires a response, include the placeholder <<UserActionRequiredURL>>. Please reference the sample data for more details.

[

{

"id": "*****",

"contentType": "application/vnd.microsoft.card.thumbnail",

"contentUrl": null,

"content": {

"title": "This is an example of posting a card",

"subtitle": "<h3>This is the subtitle</h3>",

"text": "Here is some body text. <br>\r\n <b>A hyperlink for pending task response</b>: <a href=\"<<UserActionRequiredURL>>\">Check Request Approval Page</a>. <br>\r\n <b>A hyperlink for regular page</b>: <a href=\"https://d3security.com/\">Check Regular Link</a> <br>\r\nAnd below that is some buttons:",

"buttons": [

{

"type": "messageBack",

"title": "Login to FakeBot",

"text": "login",

"displayText": "login",

"value": "login"

}

]

},

"name": null,

"thumbnailUrl": null

},

{

"id": "*****",

"contentType": "application/vnd.microsoft.card.thumbnail",

"contentUrl": null,

"content": "{\r\n \"title\": \"This is an example of posting a card\",\r\n \"subtitle\": \"<h3>This is the subtitle</h3>\",\r\n \"text\": \"Here is some body text. <br>\\r\\n <b>A hyperlink for pending task response</b>: <a href=\\\"<<UserActionRequiredURL>>\\\">Check Request Approval Page</a>. <br>\\r\\n <b>A hyperlink for regular page</b>: <a href=\\\"https://d3security.com/\\\">Check Regular Link</a> <br>\\r\\nAnd below that is some buttons:\",\r\n \"buttons\": [\r\n {\r\n \"type\": \"messageBack\",\r\n \"title\": \"Login to FakeBot\",\r\n \"text\": \"login\",\r\n \"displayText\": \"login\",\r\n \"value\": \"login\"\r\n }\r\n ]\r\n}",

"name": null,

"thumbnailUrl": null

}

]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@odata.context": "https://graph.microsoft.com/v*.*/***",
    "id": "*****",
    "replyToId": null,
    "etag": "*****",
    "messageType": "message",
    "createdDateTime": "2023-01-19T01:23:51.985Z",
    "lastModifiedDateTime": "2023-01-19T01:23:51.985Z",
    "lastEditedDateTime": null,
    "deletedDateTime": null,
    "subject": null,
    "summary": null,
    "chatId": null,
    "importance": "normal",
    "locale": "en-us",
    "webUrl": "https://teams.microsoft.com/*****",
    "policyViolation": null,
    "eventDetail": null,
    "from": {
        "application": null,
        "device": null,
        "user": {
            "id": "*****",
            "displayName": "*****",
            "userIdentityType": "aadUser"
        }
    },
    "body": {
        "contentType": "html",
        "content": "\n    \n        \n            \n        \n    \n    Hello User *****  Hello Channel  Channel testing Hello Team *****\n    \n"
    },
    "channelIdentity": {
        "teamId": "*****",
        "channelId": "*****"
    },
    "attachments": [],
    "mentions": [
        {
            "id": ***,
            "mentionText": "*****",
            "mentioned": {
                "application": null,
                "device": null,
                "conversation": null,
                "tag": null,
                "user": {
                    "id": "*****",
                    "displayName": "*****",
                    "userIdentityType": "aadUser"
                }
            }
        },
        {
            "id": ***,
            "mentionText": " Channel testing",
            "mentioned": {
                "application": null,
                "device": null,
                "user": null,
                "tag": null,
                "conversation": {
                    "id": "*****",
                    "displayName": " Channel testing",
                    "conversationIdentityType": "channel"
                }
            }
        },
        {
            "id": ***,
            "mentionText": "*****",
            "mentioned": {
                "application": null,
                "device": null,
                "user": null,
                "tag": null,
                "conversation": {
                    "id": "*****",
                    "displayName": "*****",
                    "conversationIdentityType": "team"
                }
            }
        }
    ],
    "reactions": []
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "MessageID": "\"*****\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@odata.context

https://graph.microsoft.com/*****

id

*****

replyToId

etag

*****

messageType

message

createdDateTime

9/28/2021 9:33:10 PM

lastModifiedDateTime

9/28/2021 9:33:10 PM

lastEditedDateTime

deletedDateTime

subject

summary

chatId

importance

normal

locale

en-us

webUrl

https://teams.microsoft.com/*****

policyViolation

eventDetail

from

{

"application": null,

"device": null,

"user": {

"id": "*****",

"displayName": "*****",

"userIdentityType": "aadUser"

}

}

body

{

"contentType": "html",

"content": "

\\n

Message\\n\\n

\\n\\n\\n

\\n

"

}

channelIdentity

{

"teamId": "*****",

"channelId": "*****"

}

attachments

mentions

reactions

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Send Message failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Team ID Not Found.

Error Sample Data

Send Message failed.

Status Code: 404.

Message: Team ID Not Found.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Error Handling

If the Return Data is failed, an Error tab will appear in the Test Result window.

The error tab contains the responses from the third-party API calls including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed. Failed to check the connector.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Microsoft Teams portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: unauthorized_client.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 400.

Message: unauthorized_client.

FAQ

Question 1

Why am I seeing the error message “['Get Message Reply Failed.Messages:Status Code: 403, Error code: Forbidden, Error message: Invoked API requires Protected API access in application-only context when not using Resource Specific Consent. Visit https://docs.microsoft.com/en-us/graph/teams-protected-apis for more details. ']” after running the Get Message Reply command?

Answer: You are using the client-credential connection without the required access. You must request access before using this command by submitting a request form. For details, see Protected APIs in Microsoft Teams.

Question 2

Why can I not find my built connections when testing a command?

Answer: Please check the API Version of your connection, and make sure you are entering the correct version. It is recommended to create two connections (one with v1.0, another with beta) with the same credentials and use the appropriate connection depending on your use case.

Question 3

Why am I seeing the error message “Operation not supported for this Channel.” when running the Add Members to Private Channel command?

Answer: Members can only be added to channels that are private or shared. Run the List Channel command and in the returned raw data, the path $.[*].value.[*].membershiptype will indicate whether a channel is private or shared.

Question 4

I am unable to grant the app authorization access after clicking Get Authorization when building a connection using the authorization_code grant type.

Answer: You must be logged into an admin account to grant approval. If you use a non-admin account, you will only be able to send a request for approval to your admin.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.