
Ingesting logs from Microsoft Teams

Builder

Hey All,

I recently installed/configured the Microsoft Teams Add-on in an attempt to ingest call logs and meeting info from Microsoft Teams.   I have run into an issue I was hoping someone could help with or shed some light on.

Add-On Version: 1.02

Splunk Version: 7.3.4

App is installed on a HF.

I have followed the instructions on the setup and have the Subscription, User Reports, Call Reports and Webhook all set up in the inputs section of the app. It appears, though, that the only thing working is the User Reports. I have granted all of the required permissions in Teams\Azure per the documentation.

The _internal logs don't give a whole lot of information indicating what the issue might be even with DEBUG logging enabled for the app.

The only thing I am seeing in the logs indicating an issue was this:

127.0.0.1 - splunk-system-user [30/Jun/2020:09:05:36.213 -0500] "GET /servicesNS/nobody/TA_MS_Teams/properties/TA_MS_Teams HTTP/1.1" 404 144 - - - 0ms

And this:

2020-06-30 09:25:43,189 ERROR pid=107176 tid=MainThread file=base_modinput.py:log_error:309 | Could not create subscription: 400 Client Error: Bad Request for url: https://graph.microsoft.com/beta/subscriptions

The documentation also mentions a webhook which I am a little confused as to where that webhook resides. Is it in Teams itself or where the app is installed? It seems like the webhook is in the app on the HF based on how the documentation reads?

Any help would be greatly appreciated.

Thanks,

Andrew


Explorer

Having literally just gone through this, I'll try to help!  What was broken for me (and giving the same headache) sounds like exactly what you're seeing.

If you're getting user reports then your app is correct and the permissions are correct. What is broken is either your subscription, webhook, or CDR. For me, it was the webhook/subscription because they both are interconnected.

First, the Webhook. The webhook has to live on the HF where the Add-on is installed. The port you give it must be accessible from the public internet (because that's how Teams works) and MUST be SSL. Otherwise nothing will work. Easiest way to test is to go to the public IP address (from something on the internet) and test https://<webhookName>:<portdefined> and you should get:

{"success": true}

My config looks like this:

[Screenshot: 2020-07-01_06-54-28.png]

When I got my webhook URL (via https, hostname, port) I get a success.

Once that's done, you configure the Subscription to reference the correct webhook URL.

After that, data should start flowing.

 

Hope this helps, hit me up if you need more help with it!


Path Finder

How did you generate your webhook URL? I'm having trouble understanding the format you provided - https://<webhookName>:<portdefined>

My webhook name is "teams_webhook" and the port I chose was 443. Using your provided format, the webhook looks like https://teams_webhook:443 but this isn't a valid URL.

I also tried https://<publicip>:443/teams_webhook but this also fails.

Later in your post you describe getting a webhook via https, hostname, port; but this also would only work if your hostname is publicly accessible. Any suggestions?


Path Finder

Ignore my last post! I see now that you already answered this in a previous comment.


Loves-to-Learn Lots

Hello Jason,

I really appreciate you giving me a response. I have some confusion here.

1- In Step 1, the add-on says to add a webhook name. I gave a unique input name for the webhook, like Teamswebhook, and left the rest of the fields as is.

2- In Step 2, the Teams subscription asks me to provide the webhook URL. Here I am getting confused:

Either I will provide https://Teamswebhook(that I added in step 1):4444

OR https://ServerHostname(where the add-on is running):4444.

Could you please help me understand how I should provide the webhook URL here?

I will wait for your response.

Thanks

Atul Jha


Explorer

I see the confusion!  The "Name" of the webhook is just for internal use.  The name you use for the "Webhook URL" in the Teams Subscription is https://<serverwhereaddonisrunning>:<port>

Make sure, as I said, that https://<serverwhereaddonisrunning>:<port> is available from the MSFT internet ranges!

Explorer

Is your webhook accessible to any public traffic, or were you able to whitelist incoming traffic from Microsoft? I really don't want my Heavy Forwarder exposed to the internet.


Builder

I honestly still can't get it to work but can relay our current setup if it helps.

We created an external cert with a specific URL that the webhook would use.

We then ensured the webhook setup in the Splunk app had that URL.

HTTPS inbound to our URL is translated to our specified port at the firewall. If that traffic matches the security policy, it is forwarded on to the F5. The F5 is listening on that port and will pass traffic to the Splunk server on that same port. We do have the Graph API IPs allowed as part of that security policy on the FW.

We can hit the webhook internally via our F5 but still can't get it to work pulling Teams logs.


Explorer

So, a quick couple of things:

1) Your webhook needs to talk HTTPS, it doesn't need to be on 443.  My test, for instance, is on port 4443.

2) My webhook has allow from all for the moment, but I am working on tightening it down to Microsoft's network ranges (see this page: https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges).

If it stops working when I change my ACL, I will post here.

**EDIT**

I updated my ACL to only use the ranges listed in the post above (13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 191.234.140.0/22, 204.79.197.215/32) and my CDRs are still flowing correctly. I will check tomorrow to make sure my user details are still flowing correctly.

 

**EDIT #2**

Verified this morning that all my user data is flowing correctly into the TA.
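An ACL like the one in the post above can be checked against the webhook listener's access log to confirm that only sources inside the listed ranges reach it. The following is an added example, not part of the original thread or the add-on; the log format and sample lines are constructed, and the CIDRs are copied from the post (the linked Microsoft page is the current source for them).

```python
import ipaddress
import re

# CIDRs copied verbatim from the post above (a 2020 snapshot of Microsoft's list).
POST_ACL = (
    "13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, "
    "40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, "
    "132.245.0.0/16, 150.171.32.0/22, 191.234.140.0/22, 204.79.197.215/32"
)

# Constructed sample: access-log style lines for the webhook listener (assumed format).
SAMPLE_LOG = """\
52.97.10.20 - - [01/Jul/2020:06:50:01 -0500] "POST / HTTP/1.1" 200 17
40.106.0.1 - - [01/Jul/2020:06:51:30 -0500] "POST / HTTP/1.1" 200 17
13.107.6.153 - - [01/Jul/2020:06:52:02 -0500] "POST / HTTP/1.1" 200 17
198.51.100.7 - - [01/Jul/2020:06:53:44 -0500] "GET / HTTP/1.1" 200 17
not-a-log-line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

def load_acl(text):
    """Parse comma-separated CIDRs; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(c.strip(), strict=True) for c in text.split(",")]

def matching_range(ip, acl):
    """Return the ACL network containing ip, or None if the ACL would drop it."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in acl if addr in net), None)

def audit(log_text, acl):
    """Split logged requests into sources inside the ACL and sources outside it."""
    allowed, outside, skipped = {}, {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        try:
            net = matching_range(m.group(1), acl) if m else None
        except ValueError:  # first field is not an IP address
            m = None
        if not m:
            skipped += 1
            continue
        bucket = allowed if net else outside
        bucket.setdefault(m.group(1), []).append(m.group(2))
    return allowed, outside, skipped

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, load_acl(POST_ACL)))
```

Any source reported as outside the ACL while the firewall rule is in place means the rule is not filtering what the listener actually receives, for example because an upstream NAT or load balancer rewrites the source address.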


Builder

Yeah my webhook is using 4444.

Glad to hear it's still working with good ACLs in place.

Do you have the cert only on your HF and only a FW in between?


Explorer

That's correct, my cert is on the HF only.  The firewall between the two is a fairly "stupid" setup in that it only allows port/protocol and doesn't do traffic inspection.

Builder

Thanks for the super helpful information! Definitely puts me on the right path and kinda confirmed my suspicions.

So you used a cert from an external party and NAT'ed that hostname at your FW?


Explorer

Exactly!  Once I did that I have data not only in the Remote Work Insights app, but also in the M365 Teams section. 


Builder

Great! Thanks for the helpful info!


Loves-to-Learn Lots

Hello Jason,

We are implementing the Microsoft Teams Add-On, but there is some confusion; if you can help me, that would be great. My heavy forwarder is not running over the internet; it is running via HTTP. So I got an SSL certificate from the Network Team to install for the Microsoft Teams implementation. These are the steps I have taken:

1- I copied the SSL certificate .pem file to the Splunk directory: Program Files\Splunk\etc\auth\

2- I entered the above path in the Teams webhook configuration.

3- The Teams webhook configuration also asks for the .key file. So here are two things:

1- Are you referring to the Splunk Web key file, to generate a new key file

or

2- I will extract the .key file from the SSL certificate which I received from the Network Team.

A quick response would be highly appreciated.

Thanks

Atul

 

 

 
