Use Microsoft Forms as the trigger to create new Cortex XSOAR incidents. This allows you to connect Microsoft Forms to your integrated toolset through the power of Cortex XSOAR.
Set up an instance of the Generic Webhook integration. Refer to the Generic Webhook Configuration section of the Processing Google Form Responses via a Webhook documentation.
To authorize the request coming from Power Automate, it is recommended to set the Username parameter to _header:Authorization and to set the Password parameter to a strong password of your choice, as described here.
Go to Microsoft Forms and create a form to be used to create new Cortex XSOAR incidents.
- Click + New Form.
- Populate the form with the desired questions.
- Under Share, configure who can respond to the form.
Go to Power Automate and create a new Power Automate flow.
Click + Create.
Click Automated cloud flow.
Enter a name for your form. For the trigger, select When a new response is submitted (Microsoft Forms).
Set up the flow trigger.
In the first step fo the flow, sign into your account that owns the Microsoft Form.
Select the form you want to trigger off of.
Add a step to the flow to get the form response details.
Click + New step.
Search for and choose the Microsoft Forms Get response details action.
In the Form Id field, select the form created in the trigger step above.
In the Response Id field, select the Response Id that was output from the trigger step.
Add a step to the flow to make a POST request to Cortex XSOAR to create a new incident.
Click + New step.
Search for and choose the HTTP action.
Select method POST.
Enter the following URI:
For information on how to set up the integration and determine the URL, make sure you have reviewed the information here.
Note: As of this writing, the Power Automate HTTP action does not support self-signed certificates with no way to skip TLS verification. Therefore, it is necessary to set up a valid signed certificate on the Cortex XSOAR server in order to use HTTPS.
If you set a Username/Password on the Generic Webhook instance, as is recommended, add the following headers:
⦁ Authorization: <PASSWORD_FROM_INSTANCE_CONFIG>
⦁ Accept: application/json
⦁ Content-Type: application/json
Enter the request body as a JSON. Optionally, you can set incident fields like “name” and “type”. You can also pass the entire form response body in the “raw_json” key, to make it available to be mapped using a mapper set on the Generic Webhook integration instance.
Save your flow, which should look something like this:
Submit the Microsoft Form and check to make sure the flow was triggered and ran successfully. If yes, check and validate that a Cortex XSOAR incident was created. If not, review the flow run and troubleshoot any errors with the HTTP call.