
Microsoft Teams Add-On for Splunk - Missing Webhook

Ash3
New Member

Hello Splunk Community, 

I was wondering if anyone has been successful in setting up the Microsoft Teams Add-on for Splunk app in their Enterprise/Heavy Forwarder. This application requires configuring a Teams webhook. When reading the documentation it appears that the app is supposed to create or include the Microsoft Teams-specific webhook. However, when I attempt to search for the Webhook in the search app using: 

sourcetype="m365:webhook"

I don't get anything back and I'm not sure what the Webhook address is since document doesn't specify the format or go over the steps to create a Webhook address. 

I followed these steps: https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_the_Microsoft_Teams_Add-o...

If anyone has an idea on how to create the Webhook or has an idea what I am doing wrong, I would greatly appreciate it. 

Thanks!


Ash3
New Member

Hello PaulPanther,

We can't actually run a curl command since we aren't sure what the webhook is. Reading over the document and contacting support, it seems that the app should create the webhook, but I'm not sure what it is.

If I need to create the webhook, I'm also not sure how to create one for the app either. 


PaulPanther
Motivator

You have to configure the webhook input as described in the shared docs.

  1. Launch the Microsoft Teams Add-on for Splunk.
  2. Select Inputs > Create New Input > Teams Webhook.

Have you done it? If not, create the input first and then:

The webhook address will be available via the internal IP of the instance where you've configured the webhook, and you have to use the port that you configured during the webhook setup.

curl <internal_ip_of_your_splunk_instance>:<the_configured_port> -d '{"value": "test"}'

For an initial test you could execute the curl on the same instance where you've configured the webhook. 

curl 127.0.0.1:<the_configured_port> -d '{"value": "test"}'

To make the webhook address publicly accessible there are different ways, of course, as mentioned in the documentation:

The webhook must be a publicly accessible, HTTPS-secured endpoint that is addressable via a URL. You have two options to set up the Splunk instance running the Teams add-on. You can make it publicly accessible via HTTPS. Or you can use a load balancer, reverse proxy, tunnel, etc. in front of your Splunk instance running the add-on. The second option here can be preferable if you don't want to expose the Splunk heavy forwarder to the internet, as the public traffic terminates at that demarcation and then continues on internally to the Splunk heavy forwarder.

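One way to implement the second option above (a reverse proxy terminating HTTPS in front of the heavy forwarder), as an added example that is not from the original thread or from the add-on's documentation; it assumes nginx, a Teams Webhook input listening on port 8888, the hostname hf-webhook.example.com, and placeholder certificate paths:

```nginx
# Constructed example (not from the Splunk add-on docs): nginx terminating
# TLS in front of the Teams Webhook input on a Splunk heavy forwarder.
# Assumptions: the webhook input listens on 127.0.0.1:8888 (replace with
# the port you configured in the input), the public name is
# hf-webhook.example.com, and the certificate/key paths are placeholders.

server {
    listen 443 ssl;
    server_name hf-webhook.example.com;

    ssl_certificate     /etc/nginx/tls/hf-webhook.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/hf-webhook.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Teams notifications are small JSON documents; cap request bodies.
    client_max_body_size 1m;

    location / {
        # Public traffic terminates here and continues in clear text only
        # over loopback to the add-on's webhook port.
        proxy_pass http://127.0.0.1:8888;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 30s;
    }
}

# Redirect plain HTTP to HTTPS so nothing reaches the add-on unencrypted.
server {
    listen 80;
    server_name hf-webhook.example.com;
    return 301 https://$host$request_uri;
}
```

After reloading nginx, repeat the curl test from the thread against the public URL (curl https://hf-webhook.example.com -d '{"value": "test"}') and then search sourcetype="m365:webhook" to confirm the event arrived; keep the webhook port itself blocked from the outside so the proxy is the only entry point.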

Ash3
New Member

I have the Microsoft Teams Add-on for Splunk installed and have set up the inputs for the webhook.

When I tried to curl the webhook using the internal IP and the port that I have it set to, I get a "failed to connect" error.

Possibly, part of the issue could be that I don't have the webhook set to HTTPS. Unfortunately, I'm not sure how to make the webhook accessible over HTTPS. This isn't something I typically do.

I've tried looking up how to make my webhook accessible, but I haven't had any luck or found anything that made clear sense to me.


PaulPanther
Motivator

What is the output when you execute the curl command to test the webhook? 

Have you ensured that the webhook is reachable externally?
