Skip to main content

How to use webhooks to create Threat notifications in Microsoft Teams

In this guide, we'll walk you through how configure notifications in Microsoft Teams from Defense.com webhooks.

Written by Daniel Sampson
Updated over 2 weeks ago

To set up a Microsoft Teams integration, you need to create a flow chain that will listen to a webhook, which consists of 3 steps:

  1. When a Teams webhook request is received - This step lets you define who can trigger this workflow. Should be set to "Anyone".

  2. Parse JSON - This step parses the JSON payload received from the webhook. Each workflow requires a JSON schema for the payload.

  3. Post Card in Chat or Channel - This step posts a Microsoft Adaptive Card to the appropriate Teams chat or channel. The Adaptive Card JSON template uses Power Automate binding syntax for dynamic content. Adaptive Card JSON templates are designed using the Microsoft Adaptive Card Designer.

Power Automate binding syntax (e.g., @{body('Parse_JSON')?['key']}) cannot be used directly in the adaptive card designer.

Creating a workflow in Microsoft Teams

  1. Go to Microsoft Teams and find the channel where you want to send your notifications. Next to the channel name, select More options (...), then select Workflows.

  2. At the bottom of the modal, select Manage. Then select the Create tab.

  3. Click Create from blank.

  4. In the Search connectors and triggers field, enter "Webhook".

  5. Under Triggers, select the "When a Teams webhook request is received".

  6. In the Who can trigger the flow dropdown, select Anyone.

  7. Select New Step, search for Parse JSON, and then select this option under Actions.

  8. In the Content field, enter @{triggerBody()}.

  9. In the Schema field, add the JSON Schema for the notification payload you're adding. If you don't have a JSON schema, you can save the workflow, get the webhook URL, trigger the webhook, and the automation will fail. You will then be able to see the payload by looking at the Run history for the workflow. Use the payload and the Generate from sample option for the Parse JSON step to create the schema.

  10. Select New Step, search for "card", and then select Post message in a chat or channel under Actions.

  11. In the Post in dropdown, select Channel.

  12. In the Team and Channel dropdowns, select the team and channel where the notification should be posted.

  13. In the Adaptive Card field, add the JSON describing how you want the card to look, and its content (you can use the Adaptive Card Designer tool to generate the JSON).

  14. Select Save.

  15. Copy the webhook URL to the clipboard (you may need to URL decode it depending on where you're going to add the webhook URL).

Creating a webhook trigger in my.defense.com

  1. Log in to my.defense.com as a Company admin or Tech user.

  2. Click Account in the navigation on the left-hand side.

  3. From the expanded menu, select Webhooks.

  4. From the Webhooks page, click +Add Webhook in the top right-hand corner.

  5. Set a name and description, then paste the webhook URL created earlier into the Endpoint URL field.

  6. Under Event Triggers check Create for Threat. Note, this will trigger when a new threat is first created, but not every time that same threat is detected.

  7. Click Test Webhook - this will send some test data to your webhook endpoint.

  8. If the test is successful, click Create.

Resources and References

Microsoft Adaptive Cards

  1. Adaptive Card Designer - Use the Microsoft Adaptive Card Designer to design and preview Adaptive Cards. This tool supports creating card templates interactively, but does not support Power Automate binding syntax.

  2. Adaptive Card Schema Explorer - Refer to the Microsoft Adaptive Card Schema Explorer for details on the properties and structure available for Adaptive Card JSON templates.

  3. Reference guide to workflow expression functions - Refer to the reference guide for details on what expressions/functions are available to use in adaptive cards.

Tips and Best Practices

Handling Keys Starting with Numbers

In Power Automate, keys that start with a number (e.g., 123key) in the JSON payload must always be accessed using index notation, like @{body('Parse_JSON')?['123key']}.

However, in the Microsoft Adaptive Card Designer, which uses a different binding syntax (e.g., ${key}), keys can be accessed using dot notation as long as they don’t start with a number. If a key starts with a number, it must be accessed using index notation, such as ${['123key']}.

Customising Workflows

  • Ensure that the JSON schema for the "Parse JSON" step aligns with the payload format of the triggering system.

  • Modify the Adaptive Card JSON templates to include relevant dynamic content for the notification.

Example Workflow Components

Example JSON Schema for "Parse JSON" Step

This schema is used to validate and parse the incoming webhook payload: 

{
  "type": "object",
  "properties": {
      "record_type": {
          "type": "string"
      },
      "id": {
          "type": "string"
      },
      "trigger_action": {
          "type": "string"
      },
      "title": {
          "type": "string"
      },
      "description": {
          "type": "string"
      },
      "risk": {
          "type": "string"
      },
      "state": {
          "type": "string"
      },
      "type": {
          "type": "string"
      },
      "url": {
          "type": "string"
      },
      "created_at": {
          "type": "string"
      }
  }
}

Example Webhook Payload

Here is a sample webhook payload that aligns with the schema above:

{
  "record_type": "Threat",
  "id": "3d2d8973-69d7-4677-bea0-e22f79ae8131",
  "company_id": "eb253c88-90c5-4188-9476-193b5ab0bdcf",
  "trigger_action": "closed",
  "title": "This is test data - this is NOT a real threat",
  "description": "This is NOT real threat data. This is test data showing what a threat description may look like. The URL within this payload is in the format expected, but it will not link to an actual threat record.",
  "risk": "medium",
  "state": "assigned",
  "type": "Integrations::Microsoft365",
  "url": "http://my.defense.com/threats/3d2d8973-69d7-4677-bea0-e22f79ae8131",
  "created_at": "2026-03-04T14:33:03Z"
}

Example Adaptive Card JSON Template

Below is an example Adaptive Card JSON template using Power Automate binding syntax:

{
  "type": "AdaptiveCard",
  "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
  "version": "1.5",
  "msteams": {
    "width": "Full"
  },
  "body": [
    {
      "type": "TextBlock",
      "size": "Large",
      "weight": "Bolder",
      "text": "@{replace(body('Parse_JSON')?['title'], '"', '\"')}"
    },
    {
      "type": "FactSet",
      "facts": [
        {
          "title": "Risk",
          "value": "@{replace(body('Parse_JSON')?['risk'], '"', '\"')}"
        },
        {
          "title": "Type",
          "value": "@{replace(body('Parse_JSON')?['type'], '"', '\"')}"
        },
        {
          "title": "Created",
          "value": "@{formatDateTime(body('Parse_JSON')['created_at'],'r')}"
        }
      ],
      "separator": true,
      "spacing": "Large"
    },
    {
      "type": "TextBlock",
      "text": "@{replace(body('Parse_JSON')?['description'], '"', '\"')}",
      "wrap": true,
      "separator": true,
      "spacing": "ExtraLarge"
    },
    {
      "type": "ActionSet",
      "actions": [
        {
          "type": "Action.OpenUrl",
          "title": "View Threat",
          "url": "@{body('Parse_JSON')?['url']}"
        }
      ],
      "spacing": "ExtraLarge"
    }
  ]
}

And that's it! You've successfully configured a Microsoft Teams workflow to notify you when it receives a webhook from Defense.com 🎉

Did this answer your question?