Hello Splunk Community,
I was wondering if anyone has been successful in setting up the Microsoft Teams Add-on for Splunk app in their Enterprise/Heavy Forwarder. This application requires configuring a Teams webhook. When reading the documentation it appears that the app is supposed to create or include the Microsoft Teams-specific webhook. However, when I attempt to search for the Webhook in the search app using:
sourcetype="m365:webhook"
I don't get anything back and I'm not sure what the Webhook address is since document doesn't specify the format or go over the steps to create a Webhook address.
I followed these steps: https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_the_Microsoft_Teams_Add-o...
If anyone has an idea on how to create the Webhook or has an idea what I am doing wrong, I would greatly appreciate it.
Thanks!
Hello PualPanther,
We can't actually run a CURL command since we aren't sure what the webhook is. Reading over the document and contacting support, it seems that the app should create the webhook but I'm not sure what it is.
If I need to create the webhook, I'm also not sure how to create one for the app either.
You have to configure the webhook input as described in the shared docs.
Have you done it? If not, create the input first and then:
The webhook address will be available via the internal ip on the instance where you've configured the webhook and you have to use the port that you've configured during the webhook setup.
curl <internal_ip_of_your_splunk_instance>:<the_configured_port> -d '{"value": "test"}'
For an initial test you could execute the curl on the same instance where you've configured the webhook.
curl 127.0.0.1:<the_configured_port> -d '{"value": "test"}'
To make the webhook address publicly accessible there are different ways of course as mentioned in the documentation
The webhook must be a publicly accessible, HTTPS-secured endpoint that is addressable via a URL. You have two options to set up the Splunk instance running the Teams add-on. You can make it publicly accessible via HTTPS. Or you can use a load balancer, reverse proxy, tunnel, etc. in front of your Splunk instance running the add-on. The second option here can be preferable if you don't want to expose the Splunk heavy forwarder to the internet, as the public traffic terminates at that demarcation and then continues on internally to the Splunk heavy forwarder.
I have the Microsoft Teams Add-on for Splunk installed and set up the inputs for the webhook.
When I tried to curl the webhook using the internal ip and the port that I have it set to, I get a failed to connect error.
Possibly, part of the issue could be that I don't have the webhook set to HTTPS. Unfortunately, I'm not sure how to make the webhook accessible over HTTPS. This isn't something I typically do.
I've tried looking up how to make my webhook accessible, but I haven't had any luck or found anything that made clear sense to me.
What is the output when you execute the curl command to test the webhook?
Have you ensured that the webhook is reachable externally?