Microsoft Teams Alert Cards

Documentation for the Splunk Enterprise App

The Microsoft Teams Alert Cards app is an installable application for Splunk Enterprise that sends alert results to a Teams channel as pre-formatted Office 365 connector cards (MessageCards), delivered through an Incoming Webhook.

Download it here:

How To Use:

  1. Download and install the Microsoft Teams Alert Cards app from Splunkbase onto all Search Heads in your deployment.
  2. Create an alert from a search (or edit an existing alert) and add the “Send MessageCard to Teams” action.
    [Screenshot: Add Teams Message Card Splunk Alert]
  3. Configure all fields in the action:
    • Teams Webhook URL: generate this URL in the Microsoft Teams channel the alert should post to. In Teams, open the channel's Connectors, add a new Incoming Webhook connector and copy the URL it issues. Treat this URL as a secret: it is the only credential the webhook checks, so anyone who obtains it can post arbitrary cards to the channel. Splunk stores alert action parameters in clear text with the saved search, so restrict who can view or edit that alert. Microsoft has since announced the retirement of Office 365 connectors (including Incoming Webhook) in Teams in favour of Workflows; check whether your tenant still allows creating them.
    • Card Title: this text will show as the Card’s title when it is delivered to Teams.
    • Card Subtitle: this text will show as the Card’s subtitle when it is delivered to Teams.
    • Card Image URL: a publicly accessible HTTPS URL of an image to show on the card (see the example image below). The image is fetched by Teams when the card is rendered, not by Splunk, so a URL that only resolves inside your network (for example an image hosted on the search head) will render as a broken image.
    • Card Theme Hex Color: six hexadecimal digits (for example 0076D7) to theme your card with, entered without the leading # sign. It is rendered as a coloured bar above the card's title.
      [Screenshot: Configure Teams Card Alert settings]
  4. Save your action and the alert.
  5. Recommended: have your search return a field named "messagetext". Its value becomes the body text of the card, which is a simple way to pass clean, readable text from the search results into Teams.
    • An easy way to add this to an existing search is to append a strcat command that joins one or more fields with literal text into the messagetext field, for example:
      index=_internal thread=* | strcat "some text before the field " thread " some text after the field" messagetext
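To make the configuration above concrete, here is an added example (not the app's own code) of what an alert action has to do with those settings: build a MessageCard from one result row, using the messagetext field when the search supplies it, and post it to the webhook. The allowed webhook host names, the example.invalid image host and the sample result row are assumptions made for the example; the JSON shape is Microsoft's legacy Office 365 connector card format.

```python
"""Build and send an Office 365 MessageCard from Splunk alert result fields.

Added example, not the Microsoft Teams Alert Cards app's own code. The card
fields mirror the alert-action settings described above.
"""
import json
import re
import urllib.request
from urllib.parse import urlparse

HEX_COLOR = re.compile(r"^[0-9A-Fa-f]{6}$")
# Assumption: Teams incoming-webhook URLs are only issued under these hosts.
ALLOWED_WEBHOOK_HOSTS = ("webhook.office.com", "outlook.office.com")


def validate_webhook_url(url):
    """Accept only an HTTPS URL on a known Teams webhook host.

    The URL is a bearer credential: anyone holding it can post to the
    channel. Refusing plaintext transport and unknown hosts stops a
    mistyped or tampered setting from leaking it elsewhere."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in ALLOWED_WEBHOOK_HOSTS)


def validate_theme_color(color):
    """Six hex digits without the leading '#', as the action setting requires."""
    return bool(HEX_COLOR.match(color))


def build_message_card(title, subtitle, image_url, theme_color, result):
    """Turn one alert result row (a dict of field -> value) into a MessageCard.

    If the row carries a `messagetext` field it becomes the card text;
    otherwise the remaining fields are rendered as key=value pairs so the
    card never arrives empty."""
    if not validate_theme_color(theme_color):
        raise ValueError("theme color must be exactly six hex digits, no '#'")
    text = result.get("messagetext") or ", ".join(
        f"{k}={v}" for k, v in sorted(result.items())
    )
    return {
        "@type": "MessageCard",
        "@context": "https://schema.org/extensions",
        "themeColor": theme_color,
        "summary": title,  # used for notification previews
        "title": title,
        "sections": [
            {
                "activitySubtitle": subtitle,
                "activityImage": image_url,
                "text": text,
            }
        ],
    }


def send_card(webhook_url, card, opener=urllib.request.urlopen):
    """POST the card as JSON; returns the HTTP status (Teams answers 200)."""
    if not validate_webhook_url(webhook_url):
        raise ValueError("refusing to post card: not an HTTPS Teams webhook URL")
    body = json.dumps(card).encode("utf-8")
    req = urllib.request.Request(
        webhook_url, data=body,
        headers={"Content-Type": "application/json"}, method="POST",
    )
    with opener(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample row, shaped like one result of the strcat search above.
    row = {
        "thread": "Main",
        "messagetext": "some text before the field Main some text after the field",
    }
    card = build_message_card(
        "Splunk alert fired", "index=_internal thread=*",
        "https://example.invalid/splunk-logo.png", "0076D7", row,
    )
    print(json.dumps(card, indent=2))
```

Run the script to see the JSON the webhook would receive; wire `send_card` to a real webhook URL only after `validate_webhook_url` passes, and keep that URL out of source control and search-head file shares for the reason given in the settings list.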

When your alert fires, it posts a card to the Teams channel that looks like this:

[Screenshot: 365 Teams Card End Result Sample]
