Skip to main content
Lantern Home

 

Splunk Lantern

Getting started with the Microsoft Teams Add-on for Splunk

  1. Last updated
  2. Save as PDF

This article walks you through setting up the Microsoft Teams Add-on for Splunk to retrieve call record data. For more information about Microsoft Teams call record data, how the data is made available, and how to utilize the data, refer to Getting started with Microsoft Teams call record data.

Microsoft has introduced a new REST API to retrieve Teams Call Record data. This new API eliminates the need for a Teams subscription and Teams webhook. Version 2.x of the Microsoft Teams Add-on for Splunk includes a new input which utilizes this API and simplifies the setup process.

How to use Splunk software for this use case

Set up a Teams global account

  1. Create an Entra ID app registration in the Azure portal.
  2. Assign the CallRecords.Read.All (Application) permission to the Azure AD app registration.
  3. Launch the Microsoft Teams Add-on for Splunk.
  4. Select Configuration > Add.

    clipboard_2308eb9f-9121-4465-8c65-9cabd1e70364.png

  5. Enter the following details:
    1. Account name
    2. Client ID (application ID) from your Entra ID app registration
    3. Client Secret from your Entra ID app registration
    4. Click Add.

      clipboard_4be5d55c-b798-4d0f-a12e-6ddadfc782e3.png

Set up a Teams call record input

  1. Launch the Microsoft Teams Add-on for Splunk.
  2. Select Inputs > Create New Input > Teams Call Record (New).

    clipboard_3599df3a-3f94-425d-b4ff-b7acd65b9a46.png

  3. Enter the following details:
    1. Enter a Name.
    2. Enter an Interval. This input should run frequently to check for received call record headers.
    3. Select an Index.
    4. Select a Global Account.
    5. Enter the Tenant ID, otherwise known as a Directory ID. You can get this from the Azure portal.
    6. Select the Environment.
    7. Choose to include or exclude null values.
    8. Select a Start Date.
    9. Select an Endpoint.
    10. Click Add.

    clipboard_5a85cf83-cee9-472f-973f-1b7303fb9537.png

Verify call record data

Run the following search:

sourcetype="m365:teams:callrecord" earliest=0

Results will only appear after a Teams call has ended. It takes a few minutes for Microsoft Teams to push the call record header to the Splunk platform after a call ends.

Next steps

After call record data is ingested, the Microsoft 365 App for Splunk has several out-of-the-box dashboards to visualize common use case scenarios. Refer to the Getting started with Microsoft Teams call record data article for more details.

In addition, this resource might help you understand and implement this guidance: