Microsoft Teams integration

Noxen posts to a Teams channel via an Incoming Webhook after every scheduled scan that produces findings above your configured severity threshold. Messages use the MessageCard schema with a severity-coloured theme stripe, a fact list of severity counts, and the top five most severe findings.

What gets sent

Noxen detects Teams by URL (webhook.office.com) and posts a MessageCard. The themeColor is the hex severity colour without the leading #; Teams renders it as a coloured bar along the top of the card. A representative payload looks roughly like:

{
  "@type": "MessageCard",
  "@context": "https://schema.org/extensions",
  "summary": "Noxen scan — db-01.prod.example",
  "themeColor": "8B00FF",
  "title": "Noxen scan — db-01.prod.example",
  "sections": [
    {
      "facts": [
        { "name": "Critical", "value": "1" },
        { "name": "High", "value": "2" },
        { "name": "Medium", "value": "3" },
        { "name": "Low", "value": "1" },
        { "name": "New since last scan", "value": "7" }
      ],
      "text": "- [CRITICAL] CVE-2024-6387 — openssh-server\n\n- [HIGH] CVE-2024-3094 — xz-utils\n\n- [HIGH] Grafana (exposed admin surface)"
    }
  ]
}

The summary field is required when the card doesn't carry a text property; without it, mobile push notifications render blank. Noxen always sets it to the same value as the title for safety.

Setup

  1. In Teams, open the target channel: … → Connectors → Incoming Webhook → Configure. Name it (e.g. Noxen), optionally upload an icon, and copy the URL — it looks like https://your-tenant.webhook.office.com/webhookb2/....
  2. In Noxen: Settings → Webhooks → Add. Paste the URL. Noxen auto-detects Teams from the host and switches to MessageCard formatting.
  3. Choose a severity threshold (see below). Hit Send test payload to confirm delivery. Save.

A note on Office 365 Connectors

Microsoft announced in mid-2024 that Office 365 Connectors, including the Incoming Webhook connector this page describes, will be retired. They've already been deprecated for new tenants, and existing webhooks are on an extended sunset. Microsoft's recommended replacement is the Workflows app (also exposed as Power Automate), which provides a generic-JSON HTTP trigger that posts an Adaptive Card to Teams.

Noxen's Generic JSON webhook style works with a Workflows HTTP trigger: paste the trigger URL into Noxen, set the webhook type to Generic, and configure the Workflow's Adaptive Card template to map the incoming fields (host, severity_counts, top_findings) into a Teams message. We expect to ship a first-party Adaptive Card formatter once the connector retirement timeline firms up.

Severity thresholds

Each webhook has its own threshold — Critical only, Critical + High, Critical + High + Medium, or All findings. The webhook fires only when the scan produces at least one finding at or above the threshold.
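As an added example (not Noxen's own code), the following Python builds the MessageCard described under "What gets sent", applies the threshold rule above, and checks the webhook host by parsed hostname rather than by substring. Assumptions: the finding fields severity and name, a threshold named by its lowest included severity, the stripe taking the colour of the most severe finding, and every colour except 8B00FF.

```python
import json
from urllib.parse import urlsplit

# Most severe first. Only 8B00FF (Critical) appears in the page's sample
# payload; the other three colours are constructed for this example.
SEVERITIES = ["critical", "high", "medium", "low"]
COLOURS = {"critical": "#8B00FF", "high": "#FF3B30", "medium": "#FF9500", "low": "#FFCC00"}
RANK = {s: i for i, s in enumerate(SEVERITIES)}

def is_teams_webhook(url):
    """Match on the parsed host, not a substring, so lookalike hosts fail."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (
        host == "webhook.office.com" or host.endswith(".webhook.office.com"))

def build_card(host, findings, threshold, new_count):
    """Return a MessageCard dict, or None if nothing meets the threshold."""
    ordered = sorted(findings, key=lambda f: RANK[f["severity"]])
    if not ordered or RANK[ordered[0]["severity"]] > RANK[threshold]:
        return None  # webhook does not fire
    title = f"Noxen scan \u2014 {host}"
    facts = [{"name": s.capitalize(),
              "value": str(sum(f["severity"] == s for f in findings))}
             for s in SEVERITIES]
    facts.append({"name": "New since last scan", "value": str(new_count)})
    return {
        "@type": "MessageCard",
        "@context": "https://schema.org/extensions",
        "summary": title,  # same as title, so mobile pushes are not blank
        "themeColor": COLOURS[ordered[0]["severity"]].lstrip("#"),
        "title": title,
        "sections": [{
            "facts": facts,
            "text": "\n\n".join(  # top five; stable sort keeps scan order on ties
                f"- [{f['severity'].upper()}] {f['name']}" for f in ordered[:5]),
        }],
    }

# Constructed sample scan result (finding names taken from the page's payload).
SAMPLE = [
    {"severity": "high", "name": "CVE-2024-3094 \u2014 xz-utils"},
    {"severity": "low", "name": "Constructed low finding"},
    {"severity": "critical", "name": "CVE-2024-6387 \u2014 openssh-server"},
    {"severity": "high", "name": "Grafana (exposed admin surface)"},
]

if __name__ == "__main__":
    print(json.dumps(build_card("db-01.prod.example", SAMPLE, "high", 4), indent=2))
```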

When alerts fire

On scan completion. Scheduled scans run nightly by default, plus any manual or batch scans you trigger. The webhook delivers within a few seconds of the scan finishing. Noxen retries on 5xx and 429 with exponential backoff.

What it doesn't do

Teams webhooks unlock at the Live Feed tier ($19/month). See the integrations hub for other supported destinations, or features for the full check catalogue.
