Skip to main content

Search

How do I configure Webhook notifications for Microsoft Sentinel?

Description: Canary supports outgoing Webhooks from your Console to an endpoint of your choice. This event-driven approach means you get sent alerts as they happen!

In this guide, we’ll send data to a Microsoft Sentinel instance, using an Azure logic app. Logic Apps allow you to set up an HTTP listener for us to push alert data to. 

Note: We also support Flock-specific Webhooks - see our guide here.

Step 1: Creating a Logic App.

You will need to have an endpoint to post notifications to. This can be created using Logic Apps.

Head over to your Azure portal page, then head over to Logic apps.

mceclip0.png

Add a new Logic App.

mceclip1.png

Enter your preferred Resource group, App name, region, and plan type, then select Review + create when done.

mceclip2.png

Review your settings and select Create when you're to deploy.

mceclip3.png

Select Go to resource, once the app has finished deploying.

mceclip4.png

Step 2: Configure your Logic App.

Select When a HTTP request is received as your app's starting trigger.

mceclip5.png

We can now start designing our Logic App, with the HTTP listener as our 1st phase, select + New Step

to add the next operation.

mceclip6.png

The 2nd phase of the app will be to send the data off to Sentinel, search for and select the Azure Log Analytics Data Collector as our next action. 

mceclip7.png

You will now be prompted for your logging workspace details, click Create once complete.

Note: A guide on how to get your workspace ID and Key, is available below, click here to jump there.

mceclip11.png

Select the Body data source for the JSON Request body field. Then set a desired Custom Log Name.

Once complete, click on Save to finalize your Log App and generate a listener URL.

Note: Your Custom Log name will be the name of the table, where logs are later inserted into and queried from.

mceclip12.png

Your listener URL is now available in the 1st logic operation and can be copied from the HTTP POST URL field shown below.

mceclip13.png

 

Step 3: Configure your Canary Console.

Head over to your Console Global Settings.

mceclip14.png

Scroll down and expand the Webhooks, select the + button on the Generic webhook option and paste your listener URL into the text field. Finally, click Add.

mceclip16.png

Your webhook has now been added globally to your Console and alert data will be sent to Sentinel.

Note: Webhooks can be configured on a per flock basis too, a guide is available here.

Step 4: Querying Alert data.

Head over to your Sentinel Log Analytics Workspace.

mceclip17.png

Selecting logs, a new Custom Logs entry has now been created, this table can be queried for your Canary Console alerts.

Double-clicking on the table name, will pre-populate the table in your search query and show recent alerts.

mceclip18.png

You're done! ;-)

(Optional) Getting your Workspace ID and Key

Head over to the Log Analytics workspaces and select the workspace hosting your Sentinel instance.

mceclip9.png

Next, head over to Agents management.

mceclip8.png

Your workspace ID and Key are now viewable from this menu.

mceclip10.png

Was this article helpful?
3 out of 3 found this helpful
Return to top