Documentation

Microsoft Sentinel

Suggest Edits

Requirements

  • A Microsoft Azure account and subscription.
  • Your Azure account must have contributor permissions to the subscription in which the Microsoft Sentinel workspace resides
  • An email account from a service that works with Azure Logic Apps, such as Office 365 Outlook or Outlook.com
  • An Identity Security Insights account with administrator privileges.
  • An account that has access to the applicable tenant in Identity Security Insights.

Create a Logic App

  1. Login to the Azure portal and click Create a resource.
  2. Search for Logic App and select it.
  3. Click Create.
  4. Fill in the required information for your Logic App and click Create.
  5. Wait for the deployment to complete.

Configure Logic App for webhook reception and log forwarding

  1. Navigate to the logic app you created in the previous step, under the Logic Apps page.
  2. Go to Development Tools and click Logic App Designer
  3. In the designer, search for HTTP in the connectors search bar and select When an HTTP request is received.
  4. To configure the HTTP parameters, click Use sample payload to generate schema and enter the desired payload.
  5. Click Done > Save to save the node configurations.
  6. For this test integration, use the following Request Body JSON schema: 
{
							"properties": {
							"IncidentName": {
							"type": "string"
							},
							"IncidentNumber": {
							"type": "string"
							},
							"Severity": {
							"type": "string"
							},
							"description": {
							"type": "string"
							}
							},
							"type": "object"
							}
  1. Add a new action by searching for Data operations and selecting Parse JSON.
  2. Select Body as the content.
  3. Click Use sample payload to generate schema.
  4. Enter the same JSON schema used in the previous step.
  5. Click Done.
  6. Save the node configurations.
  7. Add a new action to send Data, and provide the Connection Name, Workspace ID, and Workspace Key. To obtain this information, go to Log Analytics Workspace, click Agents, and view the information supplied when downloading a Windows agent.
  8. Once you provide the details of connection parameters, enter the following information under the Parameters tab:
    • The JSON Request Body. Click fx and select Dynamic content, then search for Body and click Add.
    • Add a custom log name for data sent from Identity Security Insights.
  9. The Send Data panel should show, under Parameters, JSON Request Body: Body, and Custom Log Name: the name you entered.
  10. The nodes on the Logic App designer should show HTTP Request -> Parse JSON -> Send Data.
  11. Click the HTTP request node and copy the HTTP POST URL. This URL is required to create the webhook.

Create a webhook integration for Azure Sentinel

  1. In Identity Security Insights, select your tenant.

  2. In Insights, click icon > Insights > Integrations.
    The Integrations page displays the available integrations.

  3. Click Webhooks or your product.
    The Summary page displays.

  4. Click Create Integration.
    The Configure Integration page displays.

  5. To create the webhook, enter the following:

    • Webhook Name: Enter your desired name.
    • Webhook URL: Use the URL copied from the HTTP node.
    • Authorization Type: None.
    • Webhook template: Use the following test webhook JSON template to test the connection and send a webhook to Microsoft Azure Sentinel. After a successful test with the static test data, the template can be configured. Create or change the fields and add variables as per your requirements.
{
    "IncidentName": "An account in your environment has a personal email address",
    "IncidentNumber": "INC112312",
    "description":"Suspicious Account detected in AD",
    "Severity":"Critical"
}

Send webhooks dynamically

To dynamically send a webhook, go to Home > Detections > Detection Details > Insurance Details, click Take Action, and click Azure Sentinel.

Test the Azure Sentinel webhook

  1. Within Azure, navigate to the Logic app > Overview.
  2. Under the Runs History tab, the results of the test run are visible.
  3. Log data can also be viewed.
  4. Within Azure, navigate to Logs > Custom Logs.
  5. Locate the custom log name created earlier for data sent from Identity Security Insights.
  6. The results of the test run are visible.

ℹ️

Note

Once the webhook testing has been completed with static data, configure the webhook with desired variables for sending data to Microsoft Azure Sentinel.

Updated 5 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.