Setting Up a Webhook for Microsoft Sentinel

LAST UPDATED: MAY 1, 2025

Creating a Logic App (Playbook)

Log into the Azure Portal.
Search for Logic apps using the search bar, then click the matching result.
Click the + Add button to create a new Logic app.
Choose the Multi-tenant option under the Consumption column, then click the Select button to proceed to the next step.
Configure the required fields.
1. Select the subscription.
2. Select the desired resource group.
3. Enter a unique Logic app name.
4. Select the region.
5. Choose the Yes option to enable log analytics.
6. Select the desired Log Analytics workspace.
Click the Review + create button to validate the app.
Confirm the details of the app, then click the Create button to create it.
Wait until the deployment is complete, then click the Go to resource button.

Adding Triggers and Actions

Adding the Microsoft Sentinel Incident Trigger

Select Development Tools > Logic app designer from the Logic App left menu, then click on the Add a trigger node.
Search for Microsoft Sentinel, then click the Trigger button in the Microsoft Sentinel Incident row.
Confirm that a connection has been established.

READER NOTE

Ensure the connection is established.
Retain the default value of the settings.

Adding the Run Query and List Results Action

Click the + button below the Microsoft Sentinel Incident trigger, then click the Add an action button.
Search for the Run query and list results action from Azure Monitor Logs using the search bar, then select the matching result.
Configure the parameters as follows.
1. Select the subscription.
2. Select the resource group.
3. Select the Log Analytics Workspace option in the Resource Type field.
4. Select the resource name.
5. Enter SecurityIncident | where TimeGenerated >= ago(1h) in the Query field.
6. Select the Set in query option in the Time Range field.

Adding the Initialize Variables Action

Add an Initialize variables action below the Run query and list results action.
1. Click the + button.
2. Click the Add an action button.
3. Enter Initialize variables in the search bar.
4. Select the matching result.
Configure the parameters as follows.
1. Enter Body in the Name field.
2. Select the Object option in the Type field.

Adding the Set Variable Action

Add a Set variable action below the Initialize variables step.
1. Click the + button.
2. Click the Add an action button.
3. Enter Set variable in the search bar.
4. Select the matching result.
Configure the parameters as follows.
1. Select the Body option in the Name field.
2. Enter the JSON below in the Value field.
  JSON
```
{
  "value": placeholder
}
```
3. Highlight the placeholder text.
4. Select the symbol that appears.
5. Enter object in the search bar.
6. Select the matching result.
The Value field should appear as follows:
Select the Code view tab, then confirm that the code appears as follows.

Adding the Compose Action

Add a Compose action below the Set variable action.
1. Click the + button.
2. Click the Add an action button.
3. Enter Compose in the search bar.
4. Select the matching result.
Configure the parameter as follows.
1. Select the Inputs field.
2. Select the symbol that appears.
3. Enter body in the search bar.
4. Select the matching result under the Variables row.
Select the Code view tab, then confirm that the code appears as follows.

Adding the Parse JSON Action

Add a Parse JSON action below the Compose action.
1. Click the + button.
2. Click the Add an action button.
3. Enter Parse JSON in the search bar.
4. Select the matching result.
Configure the Content field as follows.
1. Select the Content field.
2. Select the symbol that appears.
3. Enter body in the search bar.
4. Select the matching result under the Variables row.
Paste the code contained in the Schema JSON accordion into the Schema field.

Schema JSON

JSON

{
  "type": "object",
  "value": {
    "id": {
      "type": "string"
    },
    "name": {
      "type": "string"
    },
    "etag": {
      "type": "string"
    },
    "type": {
      "type": "string"
    },
    "properties": {
      "type": "object",
      "properties": {
        "title": {
          "type": "string"
        },
        "description": {
          "type": "string"
        },
        "severity": {
          "type": "string"
        },
        "status": {
          "type": "string"
        },
        "owner": {
          "type": "object",
          "properties": {
            "objectId": {},
            "email": {},
            "assignedTo": {},
            "userPrincipalName": {}
          }
        },
        "labels": {
          "type": "array"
        },
        "firstActivityTimeUtc": {
          "type": "string"
        },
        "lastActivityTimeUtc": {
          "type": "string"
        },
        "lastModifiedTimeUtc": {
          "type": "string"
        },
        "createdTimeUtc": {
          "type": "string"
        },
        "incidentNumber": {
          "type": "integer"
        },
        "additionalData": {
          "type": "object",
          "properties": {
            "alertsCount": {
              "type": "integer"
            },
            "bookmarksCount": {
              "type": "integer"
            },
            "commentsCount": {
              "type": "integer"
            },
            "alertProductNames": {
              "type": "array",
              "items": {
                "type": "string"
              }
            },
            "tactics": {
              "type": "array",
              "items": {
                "type": "string"
              }
            }
          }
        },
        "relatedAnalyticRuleIds": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "incidentUrl": {
          "type": "string"
        }
      }
    },
    "comments": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "id": {
            "type": "string"
          },
          "name": {
            "type": "string"
          },
          "etag": {
            "type": "string"
          },
          "type": {
            "type": "string"
          },
          "properties": {
            "type": "object",
            "properties": {
              "message": {
                "type": "string"
              },
              "createdTimeUtc": {
                "type": "string"
              },
              "lastModifiedTimeUtc": {
                "type": "string"
              },
              "author": {
                "type": "object",
                "properties": {
                  "objectId": {
                    "type": "string"
                  },
                  "email": {},
                  "name": {
                    "type": "string"
                  },
                  "userPrincipalName": {}
                }
              }
            }
          }
        },
        "required": [
          "id",
          "name",
          "etag",
          "type",
          "properties"
        ]
      }
    },
    "alertDetails": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "TenantId": {
            "type": "string"
          },
          "TimeGenerated": {
            "type": "string"
          },
          "DisplayName": {
            "type": "string"
          },
          "AlertName": {
            "type": "string"
          },
          "AlertSeverity": {
            "type": "string"
          },
          "Description": {
            "type": "string"
          },
          "ProviderName": {
            "type": "string"
          },
          "VendorName": {
            "type": "string"
          },
          "VendorOriginalId": {
            "type": "string"
          },
          "SystemAlertId": {
            "type": "string"
          },
          "ResourceId": {
            "type": "string"
          },
          "SourceComputerId": {
            "type": "string"
          },
          "AlertType": {
            "type": "string"
          },
          "ConfidenceLevel": {
            "type": "string"
          },
          "ConfidenceScore": {},
          "IsIncident": {
            "type": "boolean"
          },
          "StartTime": {
            "type": "string"
          },
          "EndTime": {
            "type": "string"
          },
          "ProcessingEndTime": {
            "type": "string"
          },
          "RemediationSteps": {
            "type": "string"
          },
          "ExtendedProperties": {
            "type": "string"
          },
          "Entities": {
            "type": "string"
          },
          "Entities_json": {
            "type": "array",
            "items": {
              "type": "object",
              "properties": {
                "$id": {
                  "type": "string"
                },
                "Name": {
                  "type": "string"
                },
                "NTDomain": {
                  "type": "string"
                },
                "Sid": {
                  "type": "string"
                },
                "IsDomainJoined": {
                  "type": "boolean"
                },
                "Type": {
                  "type": "string"
                },
                "Directory": {
                  "type": "string"
                },
                "FileHashes": {
                  "type": "array",
                  "items": {
                    "type": "object",
                    "properties": {
                      "$id": {
                        "type": "string"
                      },
                      "Algorithm": {
                        "type": "string"
                      },
                      "Value": {
                        "type": "string"
                      },
                      "Type": {
                        "type": "string"
                      }
                    },
                    "required": [
                      "$id",
                      "Algorithm",
                      "Value",
                      "Type"
                    ]
                  }
                },
                "CreatedTimeUtc": {
                  "type": "string"
                }
              },
              "required": [
                "$id",
                "Name",
                "Type"
              ]
            }
          },
          "SourceSystem": {
            "type": "string"
          },
          "WorkspaceSubscriptionId": {
            "type": "string"
          },
          "WorkspaceResourceGroup": {
            "type": "string"
          },
          "ExtendedLinks": {
            "type": "string"
          },
          "ProductName": {
            "type": "string"
          },
          "ProductComponentName": {
            "type": "string"
          },
          "AlertLink": {
            "type": "string"
          },
          "Status": {
            "type": "string"
          },
          "CompromisedEntity": {
            "type": "string"
          },
          "Tactics": {
            "type": "string"
          },
          "Techniques": {
            "type": "string"
          },
          "Type": {
            "type": "string"
          },
          "DecodedAlertedEvent": {
            "type": "array",
            "items": {
              "type": "object",
              "properties": {
                "TenantId": {
                  "type": "string"
                },
                "SourceSystem": {
                  "type": "string"
                },
                "Account": {
                  "type": "string"
                },
                "AccountType": {
                  "type": "string"
                },
                "Computer": {
                  "type": "string"
                },
                "EventSourceName": {
                  "type": "string"
                },
                "Channel": {
                  "type": "string"
                },
                "Task": {
                  "type": "integer"
                },
                "Level": {
                  "type": "string"
                },
                "EventID": {
                  "type": "integer"
                },
                "Activity": {
                  "type": "string"
                },
                "AuthenticationPackageName": {
                  "type": "string"
                },
                "FailureReason": {
                  "type": "string"
                },
                "IpAddress": {
                  "type": "string"
                },
                "IpPort": {
                  "type": "string"
                },
                "KeyLength": {
                  "type": "integer"
                },
                "LmPackageName": {
                  "type": "string"
                },
                "LogonProcessName": {
                  "type": "string"
                },
                "LogonType": {
                  "type": "integer"
                },
                "LogonTypeName": {
                  "type": "string"
                },
                "Process": {
                  "type": "string"
                },
                "ProcessId": {
                  "type": "string"
                },
                "ProcessName": {
                  "type": "string"
                },
                "Status": {
                  "type": "string"
                },
                "SubjectAccount": {
                  "type": "string"
                },
                "SubjectDomainName": {
                  "type": "string"
                },
                "SubjectLogonId": {
                  "type": "string"
                },
                "SubjectUserName": {
                  "type": "string"
                },
                "SubjectUserSid": {
                  "type": "string"
                },
                "SubStatus": {
                  "type": "string"
                },
                "TargetAccount": {
                  "type": "string"
                },
                "TargetDomainName": {
                  "type": "string"
                },
                "TargetUserName": {
                  "type": "string"
                },
                "TargetUserSid": {
                  "type": "string"
                },
                "TransmittedServices": {
                  "type": "string"
                },
                "WorkstationName": {
                  "type": "string"
                },
                "SourceComputerId": {
                  "type": "string"
                },
                "EventOriginId": {
                  "type": "string"
                },
                "MG": {
                  "type": "string"
                },
                "ManagementGroupName": {
                  "type": "string"
                },
                "Type": {
                  "type": "string"
                },
                "TimeGenerated": {
                  "type": "string"
                },
                "FailedLogins": {
                  "type": "integer"
                }
              },
              "required": [
                "TenantId",
                "SourceSystem",
                "Account",
                "AccountType",
                "Computer",
                "EventSourceName",
                "Channel",
                "Task",
                "Level",
                "EventID",
                "Activity",
                "AuthenticationPackageName",
                "FailureReason",
                "IpAddress",
                "IpPort",
                "KeyLength",
                "LmPackageName",
                "LogonProcessName",
                "LogonType",
                "LogonTypeName",
                "Process",
                "ProcessId",
                "ProcessName",
                "Status",
                "SubjectAccount",
                "SubjectDomainName",
                "SubjectLogonId",
                "SubjectUserName",
                "SubjectUserSid",
                "SubStatus",
                "TargetAccount",
                "TargetDomainName",
                "TargetUserName",
                "TargetUserSid",
                "TransmittedServices",
                "WorkstationName",
                "SourceComputerId",
                "EventOriginId",
                "MG",
                "ManagementGroupName",
                "Type",
                "TimeGenerated",
                "FailedLogins"
              ]
            }
          }
        },
        "required": [
          "TenantId",
          "TimeGenerated",
          "DisplayName",
          "AlertName",
          "AlertSeverity",
          "Description",
          "ProviderName",
          "VendorName",
          "VendorOriginalId",
          "SystemAlertId",
          "ResourceId",
          "SourceComputerId",
          "AlertType",
          "ConfidenceLevel",
          "ConfidenceScore",
          "IsIncident",
          "StartTime",
          "EndTime",
          "ProcessingEndTime",
          "RemediationSteps",
          "ExtendedProperties",
          "Entities",
          "Entities_json",
          "SourceSystem",
          "WorkspaceSubscriptionId",
          "WorkspaceResourceGroup",
          "ExtendedLinks",
          "ProductName",
          "ProductComponentName",
          "AlertLink",
          "Status",
          "CompromisedEntity",
          "Tactics",
          "Techniques",
          "Type",
          "DecodedAlertedEvent"
        ]
      }
    }
  }
}

Adding an HTTP Action

Add an HTTP action below the Parse JSON action.
1. Click the + button.
2. Click the Add an action button.
3. Enter HTTP in the search bar.
4. Select the matching result.
Configure the parameters as follows.
1. Enter the webhook request URL from vSOC in the URI field.
2. Select the POST option in the Method field.
3. Enter d3key in the left Headers field.
4. Enter the header key value from vSOC in the right Headers field.
5. Select the Body field.
6. Select the symbol that appears.
7. Enter body in the search bar.
8. Select the matching result under the Variables row.

READER NOTE

Users can find their request URL and header key value in the following steps:

Log into vSOC.
Navigate to Configuration > Integrations.
Enter Microsoft Sentinel in the search bar, select the matching result, then click the Fetch Incident card.
Retrieve the request URL and header value.
1. Select the API Key option under the Webhook Authentication section.
2. Expand the desired site row.
3. Retrieve the request URL.
4. Retrieve the header value.

Adding a Send an Email (V2) Action

Add a Send an email (V2) action below the HTTP action.
1. Click the + button.
2. Click the Add an action button.
3. Enter Send an email (V2) in the search bar.
4. Select the matching result.
Configure the parameters as follows.
1. Enter the recipient address in the To field.
2. Enter the subject in the Subject field.
3. Enter the email body in the Body field.

Test Running the Logic App

Click the Save button to save the app.
Click the Run button, then select the Run option from the dropdown to manually trigger the workflow (without incident data).
Navigate to the Run history submenu item on the left to verify the workflow execution.
Navigate to the email account specified in Step 2a of Adding an HTTP Action to verify that an email was sent following successful execution.

Setting Up Automation

Enter Microsoft Sentinel in the search bar, then select the matching result.
Select the desired workspace.
Navigate to Configuration > Automation.
Click the + Create button, then select the Automation rule option.
Enter a name for the automation rule (e.g., Send Incidents to D3), then select the When incident is created option in the Trigger field.
Click the + Add button to include another condition, then select the Condition (And) option.
Define the condition.
1. Select the Severity option.
2. Select the Equals option.
3. Select the Select all option.
Select the Run playbook option in the Actions section, then select the Logic app previously created.
Click the Apply button to save the rule.
Ensure that the newly created automation rule is enabled.

Verifying Automation Rule Execution in vSOC

If incident data is being ingested, verify that the automation rule is functioning by checking for its ingestion job within vSOC.

Navigate to Configuration > Data Ingestion.
Click the Incident Intake tab, enter Microsoft Sentinel in the search bar, then select the site referenced in the request URL.
Verify successful execution of the automation rule by selecting the matching data ingestion run.
Locate the incident on the Investigation Dashboard.
1. Copy the incident number.
2. Open the Incidents accordion.
3. Select the All Incidents accordion item.
4. Paste and enter the incident number into the search bar.
5. Select the matching result.