Custom JSON Webhook for Teams showing search results


Hi All,
Does anyone know if it's possible to send a custom webhook payload to Teams that also includes the search results (or the top 10 at least)?
I have webhooks working without search results and using OpenUri for the potential actions in the Teams Custom JSON Payload for the Azure alert, just tried many ways for the JSON Table that is sent in the payload when

"IncludeSearchResults": true


I have been playing with this -

{
  "alertname": "AcmeRule",
  "IncludeSearchResults": true,
  "SearchResults": {
    "tables": [
      {
        "name": "PrimaryResult",
        "columns": [
          {"name": "$table", "type": "string"},
          {"name": "Id", "type": "string"},
          {"name": "TimeGenerated", "type": "datetime"}
        ],
        "rows": [
          ["Fabrikam", "33446677a", "2018-02-02T15:03:12.18Z"],
          ["Contoso", "33445566b", "2018-02-02T15:16:53.932Z"]
        ]
      }
    ]
  },
  "@context": "http://schema.org/extensions",
  "@type": "MessageCard",
  "themeColor": "CC4216",
  "title": "#alertrulename",
  "text": "#alertrulename returned #searchresultcount records which exceeds the threshold of #thresholdvalue .",
  "potentialAction": [{
    "@type": "OpenUri",
    "name": "See details in AppInsights",
    "targets": [{
      "os": "default",
      "uri": "#linktosearchresults"
    }]
  }],
  "sections": [{
    "facts": [{
      "name": "Severity:",
      "value": "#severity"
    },
    {
      "name": "ResultCount:",
      "value": "#searchresultcount"
    },
    {
      "name": "Search Interval StartTime:",
      "value": "#searchintervalstarttimeutc"
    },
    {
      "name": "Search Interval End time:",
      "value": "#searchintervalendtimeutc"
    }]
  }]
}
Thanks

3 Replies

@MemK1 

I've come here seeking an answer to the same question and am hoping to bump this for the OP, myself, and others.


We are also attempting to use the MessageCard in Teams as we use it for a LOT of things and it works great. However, for Alerts with a limited result set I want the results included. We've included the

"IncludeSearchResults":true,

and done so as a top-level property in the custom JSON payload. While we get our expected card in the target Teams channel when the Alert Rule fires we do not get the expected results.

While you can include #variables using the "hashtag" format -- for which we assume they are pre-processing the payload and performing text replacement on your JSON before it is sent, and which makes perfect sense.


What is a whole lot less clear is why we are asked to include a specific key-value pair in a payload intended for the ultimate recipient of the JSON. Why are we not simply asked to use #searchResults so their pre-processing of the payload can insert the table?

On the above basis I think either the documentation is incorrect on this one or woefully unclear -- but I'm all ears to anyone who might be able to demystify what's meant to be going on here.

@Avid_Azure_User To get the context of the alert in the payload we recommend using dimensions, not relying on the search results. This will provide you with the pairs you need.

Overall, include search results is best effort and is not a means to get context of the alerts. To get the full results, provide the links in the payload.

@MemK1 I've done this as follows: Create a PowerShell script in an Azure Automation account that reads out data from the alert, then create a webhook for this runbook (technically this script could also be in an Azure Function). Create an Action Group with a Webhook as action, pointing to the webhook of the runbook you've created. Make sure you have "Common Alert Schema" enabled in the Action Group, otherwise you go nuts trying to process the different alerts. At the end of the PowerShell script, once you've processed the JSON payload, use the PSTeams module to send your alert to Teams (I've even gone so far as to check the severity of the alert, and severity 0 goes to an on-call phone with more detailed info than what the normal SMS alerts give). Last but not least of course, set up your alert and set the Action Group as the target.

 

In order to process the JSON payload, I've used webhook.site to make more sense of what alert gives what type of output. If you set the URL given by webhook.site in the Action Group, whenever an alert triggers, the webhook data will be sent to that website and you're able to see a full example for different types of alerts.

 

I can't give you actual code, but let's just say to begin with this as code:

 

param
(
    [object] $WebhookData
)

# In an Azure Automation runbook the alert JSON is in the RequestBody property
$WebhookBody = ConvertFrom-Json -InputObject $WebhookData.RequestBody

 

I hope this helps.
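
The runbook approach from the last reply, as an added example that is not the poster's code: it turns a Common Alert Schema body into a MessageCard carrying the top 10 result rows, producing JSON for a direct post to a Teams incoming webhook rather than using PSTeams. Assumptions: the `data.essentials` / `data.alertContext` envelope of the common schema, a `SearchResults` table shaped like the one in the question, the hypothetical names `ConvertTo-AlertCard` and `$teamsWebhookUrl`, and a constructed sample body.

```powershell
# Added example, not the poster's runbook. data.essentials / data.alertContext follow the
# common alert schema; the SearchResults shape is assumed to match the table in the question.
function ConvertTo-AlertCard {
    param([Parameter(Mandatory)] [string] $RequestBody, [int] $MaxRows = 10)
    $alert = ConvertFrom-Json -InputObject $RequestBody
    $ess   = $alert.data.essentials
    $ctx   = $alert.data.alertContext
    $sections = @(@{ facts = @(
        @{ name = 'Severity:';    value = [string]$ess.severity }
        @{ name = 'ResultCount:'; value = [string]$ctx.ResultCount }
    ) })

    # Search results are best effort, so the table may be missing entirely.
    if ($ctx.SearchResults -and $ctx.SearchResults.tables) {
        $table = $ctx.SearchResults.tables[0]
        $names = @($table.columns | ForEach-Object { $_.name })
        $rows  = $table.rows
        $rowFacts = @()
        for ($i = 0; $i -lt [Math]::Min($MaxRows, $rows.Count); $i++) {
            $pairs = for ($c = 0; $c -lt $names.Count; $c++) { '{0}={1}' -f $names[$c], $rows[$i][$c] }
            $rowFacts += @{ name = "Row $($i + 1):"; value = ($pairs -join ', ') }
        }
        # Row values are log data: ask for plain-text rendering instead of Markdown.
        if ($rowFacts.Count -gt 0) {
            $sections += @{ title = 'Search results'; markdown = $false; facts = $rowFacts }
        }
    }

    $card = [ordered]@{
        '@type'    = 'MessageCard'
        '@context' = 'http://schema.org/extensions'
        themeColor = 'CC4216'
        title      = [string]$ess.alertRule
        text       = "$($ess.alertRule) returned $($ctx.ResultCount) records."
        sections   = $sections
    }
    # The default -Depth of 2 would truncate the nested facts, so raise it.
    return ($card | ConvertTo-Json -Depth 10)
}

# Constructed sample body (stands in for $WebhookData.RequestBody); not a captured alert.
$sample = @'
{"data":{"essentials":{"alertRule":"AcmeRule","severity":"Sev2"},"alertContext":{"ResultCount":2,
"SearchResults":{"tables":[{"name":"PrimaryResult","columns":[{"name":"$table","type":"string"},
{"name":"Id","type":"string"},{"name":"TimeGenerated","type":"datetime"}],"rows":[
["Fabrikam","33446677a","2018-02-02T15:03:12.18Z"],["Contoso","33445566b","2018-02-02T15:16:53.932Z"]]}]}}}}
'@
$json = ConvertTo-AlertCard -RequestBody $sample
# In the runbook: Invoke-RestMethod -Method Post -Uri $teamsWebhookUrl -ContentType 'application/json' -Body $json
```

Because the sample is embedded, the function can be run locally to inspect the card JSON before the runbook is wired to an Action Group.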