Configuring Elasticsearch watcher alerts for Microsoft teams

March 11, 2022

This is a brief post on how to configure Elasticsearch Watcher alerts to be sent to Microsoft Teams. We will use the webhook action in Elasticsearch and a corresponding incoming webhook in Microsoft Teams. Documentation on these is rather sparse, so I think it will be useful to detail the steps.

WHY

Elasticsearch Watcher is a powerful and highly configurable alerting system. It can send notifications to many platforms. Most people will be happy for the alerts to arrive in their inbox. But what about something different, say Microsoft Teams? It is one of the better communication platforms out there. The instructions for integrating Elasticsearch Watcher alerts with Microsoft Teams are on the cryptic side. Hence this post.

HOW

Configuring Microsoft Teams
First you have to go to Microsoft Teams and create a team, and then add a channel to it. I am using the desktop app, but you can also do this after logging in to Microsoft Teams in the browser. Make sure that you have permission to create a team.
In the app click on the Teams icon and then, at the bottom of the screen, click on “Join or create a team”.
NOTE: The screenshots might not remain accurate as new versions of Microsoft Teams are rolled out.

[Screenshot: the icon to click to start creating a Microsoft team.]

[Screenshot: the welcome screen for creating a Microsoft team.]

[Screenshot: choose the kind of Microsoft team. I chose “from scratch” for this demo.]

[Screenshot: give your team a name.]

[Screenshot: choose the type of team.]

[Screenshot: the team is created.]

Now you have to create a channel.
[Screenshot: creating a channel.]

Once the channel is created you have to configure an incoming webhook. To do that, on the bottom left of the app click on the ‘Apps’ icon. In the search bar search for ‘Incoming Webhook’. Click on the card shown.

When asked where to add it, search for the channel you have created rather than the team.

Give your connector a name. Then once that is done click on ‘Set up a connector’.
Once you are done it will generate a URL which you have to copy. This URL is important, as you will soon see. Treat it as a secret: anyone who has it can post messages into the channel with no further authentication, so keep it out of tickets, screenshots and source control, and if it leaks, remove the connector and create a new one.

Configuring Elasticsearch
In the Watcher section of Kibana (Stack Management -> Watcher) create a new watch. I will be creating an advanced watch. I will assume that you are well aware of the various actions which can be configured in Watcher. If not, give me a shout and I might consider writing a blog post on that.

Remember the URL we got?
Suppose the URL is:
`https://starkindustries.webhook.office.com/webhookb2/9589h9d-85396hfascgfydhjhhjdhkkljiopfg8=-980783/IncomingWebhook/g789035ureg780/97234`

You will get three things from this:
https, which goes in the scheme field of the Elasticsearch action;
starkindustries.webhook.office.com, which goes in host;
and
/webhookb2/9589h9d-85396hfascgfydhjhhjdhkkljiopfg8=-980783/IncomingWebhook/g789035ureg780/97234, which goes in path. Copy the path exactly as generated, including any “=” or “-” characters; a single wrong character and Teams will reject the request.

Here is the action for sending the alert to Microsoft Teams. (Note that this is just the actions part of the watch; you will need to write the trigger, input and condition yourself.) The triple-quoted `"""` body is Kibana Console syntax; if you load the watch through the `PUT _watcher/watch/<id>` API from curl or a script, the body must be a single JSON string with the inner quotes escaped. It also does no harm to set a `Content-Type: application/json` header explicitly in `headers`.

```
"actions": {
    "msteams_webhook": {
      "throttle_period_in_millis": 300000,
      "webhook": {
        "scheme": "https",
        "host": "starkindustries.webhook.office.com",
        "port": 443,
        "method": "post",
        "path": "/webhookb2/9589h9d-85396hfascgfydhjhhjdhkkljiopfg8=-980783/IncomingWebhook/g789035ureg780/97234",
        "params": {},
        "headers": {},
        "body": """{
          "type": "TextBlock",
          "text": "This is a test. And you can use incoming data from watcher too like this: {{ctx.payload.hits.total}}"
        }"""
      }
    }
  }
```

NOTES:
Check connectivity first !!
It is always a good idea to check that there is connectivity between your Elasticsearch instance and Microsoft Teams. You can use the URL you got to test this.
Go to Kibana -> Stack Management -> Rules and Connectors -> Connectors

Then create a connector of type Microsoft Teams, give it a name and paste in the whole URL you got. Save and test: in the test window type a message and run the test. The result should be a success, and you will also see the message in the Microsoft Teams app.
One caveat: the Kibana connector test is sent from the Kibana server, whereas the watch itself runs on the Elasticsearch nodes. If those hosts have different egress rules (proxy, firewall, DNS), a passing Kibana test does not prove that the Elasticsearch nodes can reach Teams; the watch’s own execution history is the final word.
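Putting the URL split, the action snippet and the connectivity check together, here is an added Python example (mine, not the post author’s code). It splits the webhook URL into the scheme/host/port/path fields, assembles a complete watch around the action, and sends the minimal Teams payload as a manual connectivity test. The webhook URL, the `logs-*` index pattern, the `*.webhook.office.com` host check and the match_all query are placeholders and assumptions to adapt; `{{ctx.watch_id}}` and `{{ctx.execution_time}}` are standard Watcher context fields.

```python
"""Build a Watcher webhook action for a Microsoft Teams incoming webhook.

Added example for this post (not the post author's code). The webhook URL,
index pattern and watch id below are made-up placeholders; a real URL is a
secret and must not be committed to source control.
"""
import json
import urllib.parse
import urllib.request

# Constructed placeholder URL in the same shape as the one in the post.
WEBHOOK_URL = ("https://starkindustries.webhook.office.com/webhookb2/"
               "9589h9d-85396hfascgfydhjhhjdhkkljiopfg8=-980783/"
               "IncomingWebhook/g789035ureg780/97234")


def split_webhook_url(url):
    """Split the Teams URL into the scheme/host/port/path fields of the
    Watcher webhook action. Any query string becomes 'params'."""
    u = urllib.parse.urlsplit(url)
    if u.scheme != "https":
        raise ValueError("Teams incoming webhooks are https only")
    # Sanity check (assumption: the tenant's webhook host is *.webhook.office.com).
    if not u.hostname or not u.hostname.endswith(".webhook.office.com"):
        raise ValueError("unexpected webhook host: %r" % u.hostname)
    return {
        "scheme": u.scheme,
        "host": u.hostname,
        "port": u.port or 443,
        "path": u.path,
        "params": dict(urllib.parse.parse_qsl(u.query)),
    }


def teams_text_payload(text):
    """Smallest payload a Teams incoming webhook accepts: an object with a
    'text' field. json.dumps does the quoting, and Mustache placeholders
    such as {{ctx.payload.hits.total}} pass through untouched."""
    return json.dumps({"text": text})


def build_watch(url, index, interval="5m", throttle_ms=300000):
    """Complete watch definition: scheduled search input, condition and the
    Teams webhook action (same fields as the snippet in the post, plus an
    explicit Content-Type header). The match_all query is a placeholder."""
    webhook = split_webhook_url(url)
    webhook.update({
        "method": "post",
        "headers": {"Content-Type": "application/json"},
        "body": teams_text_payload(
            "Watch {{ctx.watch_id}} matched {{ctx.payload.hits.total}} "
            "documents at {{ctx.execution_time}}"),
    })
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {"search": {"request": {
            "indices": [index],
            "body": {"query": {"match_all": {}}}}}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {"msteams_webhook": {
            "throttle_period_in_millis": throttle_ms,
            "webhook": webhook}},
    }


def send_test_message(url, text="Watcher connectivity test"):
    """Connectivity check done by hand instead of via the Kibana connector:
    POST the minimal payload to Teams. Needs network access; Teams answers
    HTTP 200 when it accepted the message."""
    req = urllib.request.Request(
        url, data=teams_text_payload(text).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Load the printed JSON with: PUT _watcher/watch/msteams_test
    print(json.dumps(build_watch(WEBHOOK_URL, index="logs-*"), indent=2))
```

Running the script prints a watch you can paste into the advanced watch editor or send with the watch API; `send_test_message(WEBHOOK_URL)` is the manual equivalent of the Kibana connector test and is worth running from an Elasticsearch node rather than from your laptop, since that is where the watch will execute.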

Mind that body !!
Another area where most people trip is the message body.
Microsoft Teams expects the incoming message in a certain format, and if it does not match you will get the infamous “Bad payload received by generic incoming webhook”.
The fields and the format in the body section of this watcher action are what Microsoft Teams expects, not Elastic. The minimum Teams accepts is a JSON object with a non-empty text field, for example {"text": "..."}; richer card formats are documented by Microsoft for incoming webhooks.
A second way to hit the same error is templating: Watcher substitutes {{...}} values verbatim, so a document field containing a double quote or a newline breaks the JSON you built around it. Only interpolate values you control (counts, watch ids), or serialise the value with Watcher’s {{#toJson}}...{{/toJson}} helper, which should emit it as a JSON literal, quotes included, so drop the surrounding quotes in the template. Before enabling the watch, run it with the _execute API in simulate mode and inspect the rendered request body it returns.
You can get more information on the format expectation from Microsoft Teams in Microsoft’s incoming-webhook documentation.
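To make that check mechanical, here is an added Python example (mine, not the post author’s code) that reads the response of `POST _watcher/watch/<id>/_execute` with `{"action_modes": {"_all": "simulate"}}`, which returns each webhook action’s rendered request without sending it, and flags bodies Teams would reject. The execute response is constructed by hand to show the failure mode: the first action’s body was templated from a log message containing double quotes and is no longer valid JSON; the second shows the same value correctly escaped. The host, path and action ids are placeholders, and the acceptance rule (a JSON object with non-empty `text`, or a card with `sections`/`attachments`) is a simplification of what Teams accepts.

```python
"""Check what Watcher would actually send to Teams before enabling a watch.

Added example for this post (not the post author's code). Consumes the
response of
    POST _watcher/watch/<watch_id>/_execute
    {"action_modes": {"_all": "simulate"}}
and flags rendered bodies Teams would answer with
"Bad payload received by generic incoming webhook".
"""
import json

# Constructed response with two simulated webhook actions. Both bodies were
# rendered from a template that inserts a log message containing double
# quotes. Mustache {{...}} substitution does not JSON-escape values, so the
# first body is broken JSON; the second shows the value properly escaped
# (what a JSON-serialising helper such as {{#toJson}} should produce).
EXECUTE_RESPONSE = {
    "watch_record": {
        "result": {
            "actions": [
                {"id": "msteams_raw", "type": "webhook", "status": "simulated",
                 "webhook": {"request": {
                     "host": "starkindustries.webhook.office.com", "port": 443,
                     "scheme": "https", "method": "post",
                     "path": "/webhookb2/example/IncomingWebhook/example/1",
                     "headers": {"Content-Type": "application/json"},
                     "body": '{"text": "login failed for user "admin" from 10.0.0.5"}'}}},
                {"id": "msteams_tojson", "type": "webhook", "status": "simulated",
                 "webhook": {"request": {
                     "host": "starkindustries.webhook.office.com", "port": 443,
                     "scheme": "https", "method": "post",
                     "path": "/webhookb2/example/IncomingWebhook/example/1",
                     "headers": {"Content-Type": "application/json"},
                     "body": '{"text": "login failed for user \\"admin\\" from 10.0.0.5"}'}}},
            ]
        }
    }
}


def check_teams_body(body):
    """Problems with one rendered body; an empty list means Teams should
    accept it. Simplified rule: a JSON object carrying a non-empty 'text',
    or a card ('sections' / 'attachments')."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        return ["body is not valid JSON: %s" % exc]
    if not isinstance(payload, dict):
        return ["body must be a JSON object"]
    problems = []
    text = payload.get("text")
    is_card = "sections" in payload or "attachments" in payload
    if not is_card and not (isinstance(text, str) and text.strip()):
        problems.append('no non-empty "text" field (and no card attachments)')
    if "{{" in body:
        problems.append("unrendered Mustache placeholder left in body")
    return problems


def check_execute_response(resp):
    """Map action id -> list of problems for every simulated webhook action."""
    report = {}
    for action in resp["watch_record"]["result"]["actions"]:
        if action.get("type") != "webhook":
            continue
        req = action["webhook"]["request"]
        problems = check_teams_body(req.get("body", ""))
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        if headers.get("content-type", "").split(";")[0].strip() != "application/json":
            problems.append("Content-Type header is not application/json")
        report[action["id"]] = problems
    return report


if __name__ == "__main__":
    for action_id, problems in check_execute_response(EXECUTE_RESPONSE).items():
        print(action_id, "OK" if not problems else problems)
```

Feed it the real `_execute` output (for example `check_execute_response(json.load(open("execute.json")))`) and fix any action it reports before switching the watch from simulate to live; with a search input, run it against a period that contains awkward values (quotes, backslashes, multi-line messages) so the rendering problem shows up before the first real alert does.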


Nostalgia: Once emails were a big thing. And now automated systems send alerts to chat channels. Progress is good.
