Description: Canary supports outgoing Webhooks from your Console to an endpoint of your choice. This event-driven approach means alerts are sent to you as they happen!
In this guide, we’ll send data to a Microsoft Sentinel instance, using an Azure logic app. Logic Apps allow you to set up an HTTP listener for us to push alert data to.
Note: We also support Flock-specific Webhooks - see our guide here.
Step 1: Creating a Logic App.
You will need to have an endpoint to post notifications to. This can be created using Logic Apps.
Head over to your Azure portal page, then head over to Logic apps.
Add a new Logic App.
Enter your preferred Resource group, App name, region, and plan type, then select Review + create when done.
Review your settings and select Create when you're ready to deploy.
Select Go to resource, once the app has finished deploying.
Step 2: Configure your Logic App.
Select When a HTTP request is received as your app's starting trigger.
We can now start designing our Logic App. With the HTTP listener as our 1st phase, select + New Step to add the next operation.
The 2nd phase of the app will be to send the data off to Sentinel: search for and select Azure Log Analytics Data Collector as the next action.
You will now be prompted for your logging workspace details, click Create once complete.
Note: A guide on how to get your workspace ID and Key, is available below, click here to jump there.
Select the Body data source for the JSON Request body field. Then set a desired Custom Log Name.
Once complete, click on Save to finalize your Logic App and generate a listener URL.
Note: Your Custom Log Name will be the name of the table that logs are later inserted into and queried from.
Your listener URL is now available in the 1st logic operation and can be copied from the HTTP POST URL field shown below.
Step 3: Configure your Canary Console.
Head over to your Console Global Settings.
Scroll down and expand the Webhooks section, select the + button next to the Generic webhook option, and paste your listener URL into the text field. Finally, click Add.
Your webhook has now been added globally to your Console and alert data will be sent to Sentinel.
Note: Webhooks can be configured on a per-flock basis too; a guide is available here.
Step 4: Querying Alert data.
Head over to your Sentinel Log Analytics Workspace.
Select Logs: a new Custom Logs entry has been created, and this table can be queried for your Canary Console alerts.
Double-clicking on the table name will pre-populate the table in your search query and show recent alerts.
You're done! ;-)
(Optional) Getting your Workspace ID and Key
Head over to the Log Analytics workspaces and select the workspace hosting your Sentinel instance.
Next, head over to Agents management.
Your workspace ID and Key are now viewable from this menu.
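As an added illustration (not code from Canary or from the Azure connector), this shows what the Azure Log Analytics Data Collector action in Step 2 does with the Workspace ID and Key obtained above: it signs a POST to the Log Analytics HTTP Data Collector API, with the Custom Log Name sent as the Log-Type header so that records land in a table named with a "_CL" suffix. The workspace ID, key and alert record below are constructed placeholders, and the field names are illustrative, not Canary's actual webhook schema.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

API_RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"


def string_to_sign(content_length: int, date_rfc1123: str) -> str:
    # Canonical string the Data Collector API signs: method, body length,
    # content type, the x-ms-date header and the resource path.
    return (f"POST\n{content_length}\napplication/json\n"
            f"x-ms-date:{date_rfc1123}\n{API_RESOURCE}")


def build_signature(workspace_id: str, shared_key_b64: str,
                    content_length: int, date_rfc1123: str) -> str:
    # The workspace key is base64; HMAC-SHA256 over the canonical string,
    # base64-encoded again, forms the "SharedKey <id>:<sig>" header value.
    key = base64.b64decode(shared_key_b64)
    msg = string_to_sign(content_length, date_rfc1123).encode("utf-8")
    sig = base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest())
    return f"SharedKey {workspace_id}:{sig.decode('ascii')}"


def build_data_collector_request(workspace_id: str, shared_key_b64: str,
                                 log_type: str, records: list, now=None):
    """Return (url, headers, body) for the POST; nothing is sent from here."""
    body = json.dumps(records).encode("utf-8")
    now = now or datetime.now(timezone.utc)
    date_rfc1123 = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"{API_RESOURCE}?api-version={API_VERSION}")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key_b64,
                                         len(body), date_rfc1123),
        "Log-Type": log_type,  # the Custom Log Name; table becomes <log_type>_CL
        "x-ms-date": date_rfc1123,
    }
    return url, headers, body


# Constructed sample input: placeholder workspace ID, an all-zero key and a
# made-up alert record; the field names are illustrative, not Canary's schema.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(bytes(32)).decode("ascii")
SAMPLE_ALERT = [{"AlertType": "Port Scan", "CanaryName": "fileserver-01",
                 "SourceIP": "192.0.2.10", "Timestamp": "2024-01-02T03:04:05Z"}]
```

Because the workspace key alone authorizes writes to the table, treat it like any other credential: store it in the Logic App's connection rather than in scripts, and rotate it if it is ever exposed.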