Send Google Cloud Security Command Center notification to Microsoft Teams Channel using Cloud Function, Pub/Sub, and Python Code
To send a Security Command Center (SCC) notification to Microsoft Teams from a Python Cloud Function, you need three pieces: a Microsoft Teams Incoming Webhook, a Pub/Sub topic that Security Command Center publishes findings to, and a Cloud Function that is triggered by that topic and posts to the webhook. Here is a step-by-step guide:
1. Set up a Microsoft Teams Incoming Webhook:
— In your Microsoft Teams channel, click the ellipsis (…) next to the channel name and select “Connectors.”
— Search for “Incoming Webhook” and add it.
— Configure the webhook with a name and an optional profile picture.
— Note down the webhook URL; you’ll need it in the Cloud Function. Treat it as a secret: anyone who has the URL can post into the channel.
2. Set up a Pub/Sub topic and an SCC notification config:
— Create a Pub/Sub topic for the Cloud Function to subscribe to, then configure Security Command Center to publish findings to that topic.
— Export the SCC findings via Pub/Sub, using a notification filter so that only the findings you actually want in Teams (for example, active findings of high or critical severity) are published: https://cloud.google.com/security-command-center/docs/how-to-notifications
3. Set up a Google Cloud Function:
— Create a new Python Cloud Function using the following command, or create it via the Console. Select Pub/Sub as the trigger and choose the topic you created in step 2:
gcloud functions deploy send_to_teams \
  --runtime python310 \
  --trigger-topic YOUR_TOPIC_NAME \
  --entry-point send_to_teams
Do not deploy it with --trigger-http --allow-unauthenticated: that creates a public HTTP endpoint that anyone on the internet could call to post messages into your channel, and the function would never receive the Pub/Sub event it expects.
— Write the Python code for your Cloud Function. The following code sends a message to your Microsoft Teams channel each time a finding arrives on the topic:
import base64
import json

import requests


def send_to_teams(event, context):
    # Pub/Sub-triggered functions receive the message body base64-encoded in event['data'].
    print(event)
    pubsub_data = json.loads(base64.b64decode(event['data']).decode('utf-8'))

    # Define your Microsoft Teams webhook URL here. It is a secret: prefer an
    # environment variable or Secret Manager over hard-coding it in source.
    teams_webhook_url = "Your_MS_Teams_Webhook URL"
    headers = {
        'Content-Type': "application/json",
    }

    # Extract the values from the notification. SCC delivers the finding and the
    # affected resource as two top-level objects; not every finding source fills
    # in every field, so read the optional ones with .get().
    finding = pubsub_data['finding']
    resource = pubsub_data.get('resource', {})
    title = finding['category']
    severity = finding.get('severity', 'SEVERITY_UNSPECIFIED')
    resource_name = finding.get('resourceName', 'n/a')
    description = finding.get('description', 'n/a')
    project_name = resource.get('projectDisplayName', 'n/a')
    explanation = finding.get('sourceProperties', {}).get('Explanation', 'n/a')
    external_uri = finding.get('externalUri', '')

    message = {
        "@type": "MessageCard",
        "@context": "http://schema.org/extensions",
        "themeColor": "0076D7",
        "summary": title,
        "sections": [{
            "activityTitle": title,
            "facts": [{
                "name": "Resource:",
                "value": resource_name
            }, {
                "name": "Severity:",
                "value": severity
            }, {
                "name": "Description:",
                "value": description
            }, {
                "name": "Project_Name:",
                "value": project_name
            }, {
                "name": "Explanation:",
                "value": explanation
            }],
            "markdown": True
        }],
        "potentialAction": [{
            "@type": "OpenUri",
            "name": "Learn More",
            "targets": [{
                "os": "default",
                "uri": external_uri
            }]
        }]
    }

    # Send the message to Microsoft Teams. A successful webhook call returns HTTP 200.
    response = requests.post(teams_webhook_url, data=json.dumps(message),
                             headers=headers, timeout=10)
    if response.status_code == 200:
        print("Message sent to Teams successfully.")
    else:
        print(f"Error sending message to Teams: {response.status_code} {response.text}")
4. Deploy your Cloud Function with the code above. Make sure to replace ”Your_MS_Teams_Webhook URL” with the actual URL you obtained in step 1 (better still, supply it as an environment variable or a Secret Manager secret rather than committing it to source).
5. When a finding that matches the notification filter is published to the Pub/Sub topic, it triggers the Cloud Function, which posts a card to your Microsoft Teams channel through the Incoming Webhook. From then on, every security finding that Security Command Center raises and that passes your filter will appear in the channel.
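A complete, locally testable version of the function is shown below as an added example; it is not the code from the page above. It separates decoding the Pub/Sub envelope and building the Teams card from the entry point so they can be exercised without a real webhook, reads the webhook URL from the TEAMS_WEBHOOK_URL environment variable (an assumed name) instead of hard-coding it, skips findings that are no longer ACTIVE, tolerates missing fields, and raises on a non-200 reply so the failure shows up in the function's logs. It uses only the standard library (urllib) in place of requests. The sample notification, the organization/source/project identifiers in it and the severity colours are constructed for illustration.

```python
import base64
import json
import os
import urllib.request

# Card border colour per SCC severity (assumed mapping, not an SCC or Teams convention).
SEVERITY_COLORS = {"CRITICAL": "8B0000", "HIGH": "D93025", "MEDIUM": "F9AB00", "LOW": "1A73E8"}


def decode_pubsub_event(event):
    """A Pub/Sub-triggered Cloud Function gets the message body base64-encoded in event['data']."""
    raw = base64.b64decode(event["data"]).decode("utf-8")
    return json.loads(raw)


def make_pubsub_event(notification):
    """Inverse of decode_pubsub_event: wrap a notification the way Pub/Sub delivers it (for local tests)."""
    body = json.dumps(notification).encode("utf-8")
    return {"data": base64.b64encode(body).decode("ascii")}


def build_teams_card(notification):
    """Turn one SCC notification (finding + resource objects) into a Teams MessageCard.
    Optional fields are read with .get() because not every finding source populates them."""
    finding = notification.get("finding", {})
    resource = notification.get("resource", {})
    title = finding.get("category", "UNKNOWN_CATEGORY")
    severity = finding.get("severity", "SEVERITY_UNSPECIFIED")
    facts = [
        ("Resource:", finding.get("resourceName", "n/a")),
        ("Severity:", severity),
        ("Description:", finding.get("description", "n/a")),
        ("Project:", resource.get("projectDisplayName", "n/a")),
        ("Explanation:", finding.get("sourceProperties", {}).get("Explanation", "n/a")),
    ]
    card = {
        "@type": "MessageCard",
        "@context": "http://schema.org/extensions",
        "themeColor": SEVERITY_COLORS.get(severity, "0076D7"),
        "summary": f"{severity}: {title}",
        "sections": [{"activityTitle": title,
                      "facts": [{"name": n, "value": v} for n, v in facts],
                      "markdown": True}],
    }
    # Only add the button when SCC gave us somewhere to link to.
    if finding.get("externalUri"):
        card["potentialAction"] = [{"@type": "OpenUri", "name": "Open in Security Command Center",
                                    "targets": [{"os": "default", "uri": finding["externalUri"]}]}]
    return card


def post_json(url, body, timeout=10):
    """POST a JSON body and return (status, response text). Teams webhooks answer 200 with body '1'."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")


def send_to_teams(event, context, webhook_url=None, post=post_json):
    """Cloud Function entry point. Returns 'skipped' or 'sent', or raises on webhook failure."""
    notification = decode_pubsub_event(event)
    finding = notification.get("finding", {})
    # SCC re-publishes a finding when it changes; do not page the channel for ones that were closed.
    if finding.get("state", "ACTIVE") != "ACTIVE":
        return "skipped"
    url = webhook_url or os.environ["TEAMS_WEBHOOK_URL"]  # keep the secret out of source code
    status, text = post(url, build_teams_card(notification))
    if status != 200:
        # Raising surfaces the error in Cloud Functions logs (and triggers a retry if enabled).
        raise RuntimeError(f"Teams webhook returned {status}: {text}")
    return "sent"


# Constructed sample of what SCC publishes to the topic (shape only; every value is made up).
SAMPLE_NOTIFICATION = {
    "notificationConfigName": "organizations/111/notificationConfigs/scc-to-teams",
    "finding": {
        "name": "organizations/111/sources/222/findings/333",
        "category": "OPEN_FIREWALL",
        "severity": "HIGH",
        "state": "ACTIVE",
        "resourceName": "//compute.googleapis.com/projects/example-proj/global/firewalls/allow-all",
        "description": "Firewall rule allows ingress from any address on all ports.",
        "externalUri": "https://console.cloud.google.com/security/command-center/findings",
        "sourceProperties": {"Explanation": "Restrict the source range to known networks."},
    },
    "resource": {"name": "//cloudresourcemanager.googleapis.com/projects/444",
                 "projectDisplayName": "example-proj"},
}

if __name__ == "__main__":
    # Dry run: exercise the entry point locally with a stub in place of the real webhook.
    def print_post(url, body, timeout=10):
        print("POST", url, json.dumps(body, indent=2))
        return 200, "1"
    print(send_to_teams(make_pubsub_event(SAMPLE_NOTIFICATION), None,
                        webhook_url="https://example.webhook.office.com/webhookb2/placeholder",
                        post=print_post))
```

Because the entry point takes the HTTP call as a parameter, the same file can be deployed unchanged (Cloud Functions calls send_to_teams(event, context) and the default post_json is used) and unit-tested offline by passing a stub that records the card instead of sending it.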
If you need assistance with configuring the above setup, please feel free to reach out to me on reuel53@gmail.com.
Happy Implementing with Google Cloud