Azure Sentinel via Webhooks
Microsoft Azure Sentinel is a cloud-native security information and event management (SIEM) service that provides security analytics for your organization. This guide walks you through setting up Azure Sentinel to ingest Peakhour events via webhooks into a custom Log Analytics table, so that security engineers can analyze Peakhour events alongside their other telemetry.
Prerequisites
- An Azure subscription.
- Access to the Azure Portal.
- A Log Analytics workspace.
Step 1: Create a Logic App
- Log into your Azure dashboard.
- Click on "Create a resource".
- Search for "Logic App" and select it.
- Click on "Create".
- Fill in the required information for your Logic App and click "Create".
- Wait for the deployment to complete.
Step 2: Configure the Logic App to Receive Webhooks and Forward Logs to Log Analytics
- Navigate to the Logic App you created in Step 1.
- Click on "Logic App Designer" under the "Development Tools" section.
- In the designer, search for "HTTP" in the connectors search bar and select the trigger "When a HTTP request is received".
- Configure the HTTP trigger with the POST method and a JSON schema matching the Peakhour event payload.
- Add a new action by searching for "Azure Log Analytics" and selecting "Send Data".
- Connect to your Log Analytics workspace by providing the necessary credentials (Workspace ID, Shared Key).
- In the "Custom Log Name" field, enter the desired table name (PeakhourEvent is suggested).
- Map the fields from the HTTP request to the Log Analytics fields.
- Save the Logic App.
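The "Send Data" action above authenticates to the Log Analytics Data Collector API with the Workspace ID and Shared Key from the previous step. The following added example (not Peakhour's or Microsoft's code) rebuilds that request offline so you can see what the Shared Key is used for: it signs every upload with HMAC-SHA256, which is why it must be stored as a secret. The workspace ID, shared key and the sample event body are constructed placeholders; the real Peakhour field names come from the JSON schema you configured on the trigger.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholders: a real workspace ID is a GUID and the shared key
# is the base64 primary key shown on the workspace's "Agents" blade.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"constructed-shared-key-not-a-real-one").decode()
LOG_TYPE = "PeakhourEvent"  # stored by Log Analytics as the PeakhourEvent_CL table

# Constructed sample event; real Peakhour field names depend on the trigger's JSON schema.
SAMPLE_EVENT = {"domain": "example.com", "action": "block", "client_ip": "203.0.113.7"}

def custom_table_name(log_type: str) -> str:
    """Log Analytics appends _CL to every custom log name, hence PeakhourEvent_CL in KQL."""
    return f"{log_type}_CL"

def build_signature(workspace_id, shared_key, rfc1123_date, content_length,
                    method="POST", content_type="application/json", resource="/api/logs"):
    """HMAC-SHA256 over the Data Collector API canonical string, keyed with the decoded shared key."""
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{rfc1123_date}\n{resource}")
    digest = hmac.new(base64.b64decode(shared_key), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def build_request(events, workspace_id=WORKSPACE_ID, shared_key=SHARED_KEY,
                  log_type=LOG_TYPE, rfc1123_date=None):
    """Return (url, headers, body) for one Data Collector API upload; nothing is sent."""
    body = json.dumps(events if isinstance(events, list) else [events]).encode("utf-8")
    if rfc1123_date is None:
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": log_type,  # becomes the custom table name (plus _CL)
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body

def verify_signature(headers, body, workspace_id, shared_key):
    """Recompute the signature as the service does, so a wrong key or altered body is caught locally."""
    expected = build_signature(workspace_id, shared_key, headers["x-ms-date"], len(body))
    return hmac.compare_digest(headers["Authorization"], expected)
```

Because the signature covers the date header, the service rejects uploads whose x-ms-date is too far from the current time, so an intercepted request cannot simply be replayed later.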
Step 3: Configure Peakhour to Send Logs via Webhooks
- Log into your Peakhour dashboard.
- Navigate to the domain for which you want to forward logs to Azure.
- Under Log Forwarding, go to the Webhooks form.
- Enter the Logic App HTTP request URL as the webhook URL.
- Select the log type to be 'Event'.
- Submit the configuration.
Step 4: Verify the Integration
Now that the integration is set up, verify that Peakhour events are actually being collected and stored in the custom table.
- Navigate to the Azure Sentinel dashboard in the Azure Portal.
- In the left-hand menu, click on "Logs".
- In the query editor, enter the following KQL query (Log Analytics appends _CL to the custom log name you chose in Step 2):
PeakhourEvent_CL | take 10
- Click on "Run" to execute the query. You should see the most recent Peakhour events in the custom table, along with the enriched fields.
This how-to guide has shown how to set up Azure Sentinel to ingest Peakhour events via webhooks into a custom table. By following these steps, security engineers can monitor, analyze, and respond to Peakhour events from their SIEM, improving the overall security of their organization.