TIPS & TRICKS

Splunking Microsoft Teams Data

Microsoft Teams is a hub for team collaboration in Microsoft 365 that integrates people, content, and tools.

There is a lot of valuable data available from Microsoft to ensure your Teams users are having a good experience. This could include call quality data, or networking data, or audio and video jitter. The Microsoft Teams Add-on for Splunk helps you get this data into Splunk.  However, the setup is somewhat – let's say – involved. So, let's jump right to it.

How Microsoft Makes Teams Call Record Data Available

Most of the data mentioned above lives in a call record. Typically, when dealing with Microsoft SaaS data, we're dealing with a REST API for data access, and getting access to call record data is no different here. However, in order to use the call record REST API, you need to pass it a call record ID. This is where the "involved" part comes in, because there isn't currently a REST API to get call record IDs. So, where do you get call record IDs? The only way to currently get call record IDs from Microsoft is to tell Microsoft to deliver them to a listening webhook via a Teams subscription. But the webhook can't just be any webhook; no, the webhook has to support a challenge/response and return certain response codes.

Here is a diagram to help visualize the process:

Now, let's look at how to set up the Microsoft Teams Add-on for Splunk to get all this call record data.

Set up a Teams Webhook in Splunk

The first thing we need to do is set up a webhook to receive the call record header data. The Microsoft Teams Add-on for Splunk includes a Microsoft Teams-specific webhook that will respond in the way Microsoft wants. Here's how to set it up:

  • Launch the Microsoft Teams Add-on for Splunk
  • Select Inputs > Create New Input > Teams Webhook
  • Enter a Name
  • Enter an Interval
  • Select an Index
  • Enter a port (this is the port the webhook will use for receiving data)
  • Leave the Path blank (may be used in the future, but Teams currently does not use a path)
  • Enter the full path to an SSL Certificate File (optional – only necessary if exposing your Splunk instance to the internet)
  • Enter the full path to an SSL Certificate Key File (optional – only necessary if exposing your Splunk instance to the internet)
Important note: the Splunk instance running the Teams add-on must be reachable from the internet over HTTPS. Rather than exposing Splunk directly, putting a load balancer, reverse proxy, tunnel, etc. in front of the instance running the add-on is recommended. For testing, a tunnel like ngrok may be used.

Test Your Webhook

Command line test:

curl WEBHOOK_ADDRESS -d '{"value": "test"}'

Search:

sourcetype="m365:webhook"
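To make the challenge/response concrete, here is a minimal handler for the two kinds of POST a Microsoft Graph subscription sends to a notification URL: the validation handshake and the change notifications that carry call record IDs. This is an added example, not the add-on's own webhook code; the URL, the clientState value and the sample notification are constructed for illustration.

```python
import json
from urllib.parse import parse_qs, urlparse

# Constructed: the clientState secret set on the subscription. Notifications
# that do not carry it are dropped, so a third party who learns the webhook
# URL cannot feed the pipeline bogus call record IDs (assumed value).
EXPECTED_CLIENT_STATE = "example-client-state-secret"


def handle_webhook(url: str, body: bytes) -> tuple[int, str, list[str]]:
    """Return (status, response_body, call_record_ids) for one POST.

    1. Validation handshake: Graph POSTs to the URL with a validationToken
       query parameter and expects that token (URL-decoded) echoed back as a
       text/plain body with status 200, or the subscription is not created.
    2. Change notification: a JSON body with a "value" array. Graph expects
       202 and retries on other codes. The call record ID is the "id" of
       each item's resourceData (also the tail of its "resource" path).
    """
    query = parse_qs(urlparse(url).query)
    if "validationToken" in query:
        return 200, query["validationToken"][0], []
    try:
        payload = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return 400, "bad request", []
    items = payload.get("value", []) if isinstance(payload, dict) else []
    ids = []
    for item in items if isinstance(items, list) else []:
        if not isinstance(item, dict):
            continue
        if item.get("clientState") != EXPECTED_CLIENT_STATE:
            continue  # not from our subscription: ignore
        rid = (item.get("resourceData") or {}).get("id")
        if rid:
            ids.append(rid)
    return 202, "", ids


# Constructed sample: one genuine notification and one with a wrong clientState.
SAMPLE_NOTIFICATION = json.dumps({"value": [
    {"subscriptionId": "00000000-0000-0000-0000-000000000000",
     "clientState": EXPECTED_CLIENT_STATE, "changeType": "created",
     "resource": "communications/callRecords/11111111-2222-3333-4444-555555555555",
     "resourceData": {"@odata.type": "#microsoft.graph.callRecord",
                      "id": "11111111-2222-3333-4444-555555555555"}},
    {"subscriptionId": "00000000-0000-0000-0000-000000000000",
     "clientState": "wrong", "changeType": "created",
     "resourceData": {"id": "spoofed"}},
]}).encode()
```

The `curl` test above sends `{"value": "test"}`, which this handler answers with 202 and no IDs, the same outcome as an empty notification batch.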


Set up a Teams Call Record Subscription

Ok, so you now have a webhook set up and listening for those incoming call record headers. Now, the question is: how do you tell Microsoft to start sending those call record headers? That is where a subscription comes in. A subscription defines where Microsoft should deliver call record headers (hint: it's the webhook you just set up). The Microsoft Teams Add-on for Splunk includes an input to set up a subscription too. Here's how to set it up:

  • Create an Azure AD app registration in the Azure portal (note: no Redirect URI is necessary)
  • Assign the following permissions to the Azure AD app registration
    • CallRecords.Read.All (Application)
    • Subscriptions.Read.All (Delegated)
  • Launch the Microsoft Teams Add-on for Splunk
  • Select Configuration > Add
  • Enter an account name
  • Enter the Client ID (application ID) from your Azure AD app registration
  • Enter the Client Secret from your Azure AD app registration
  • Select Add
  • Select Inputs > Create New Input > Teams Subscription
  • Enter a Name
  • Enter an Interval – specifies how often to renew the subscription. If a subscription is not renewed, it expires. Setting this value to 86400 (24 hours) is sufficient.
  • Select an Index
  • Select an Account
  • Enter the Tenant ID (a.k.a. Directory ID) – you can get this from the Azure portal.
  • Enter the Webhook URL from the previous step
Verify Subscription Data

SPL:

sourcetype="m365:subscription" earliest=0


Results should include your webhook address in the notificationUrl field.

Set Up a Teams Call Record Input

So far, we have only discussed how to get call record headers into Splunk. Call record headers aren't going to tell you much. You need the actual call record data for actionable insights. Here's how to set up a call record input:

  • Launch the Microsoft Teams Add-on for Splunk
  • Select Inputs > Create New Input > Teams Call Record
  • Enter a Name
  • Enter an Interval – this input should run often to check for received call record headers.
  • Select an Index
  • Select an Account
  • Enter the Tenant ID (a.k.a. Directory ID) – you can get this from the Azure portal.
Verify Call Record Data

SPL:

sourcetype="m365:teams:callrecord" earliest=0

Results will only appear after a Teams call has ended. It takes a few minutes for Teams to push the call record header to Splunk after a call ends.

Making Sense of the Call Record Data

Now that you have the call record data in Splunk, what can you do with it? Look no further than the Microsoft 365 App for Splunk and the RWI - Executive Dashboard. Fellow Splunker Philippe Tang created some awesome out-of-the-box dashboards to visualize your Microsoft Teams call records.

Posted by Jason Conger
