Guide: Building a Logic App in Azure to Automate Conditional Actions
Note: Only one instance of Azure Sentinel can be connected at a time.
This guide shows how to create a Logic App in Azure that responds to incoming HTTP requests from Nodezero's tripwire alerts, forwards the data to Azure Sentinel, and triggers different actions based on specific conditions. Follow these steps to create a flow similar to the one shown below.
1. Create a New Logic App
- Navigate to your Azure Portal and log in.
- Search for **Logic Apps** in the search bar.
- Click **Create Logic App** and fill in the necessary details such as Subscription, Resource Group, and Region.
- Once creation is complete, click **Go to resource**.
- Select **Logic App Designer** under Development tools in the menu on the left of the screen.
2. Add the Trigger
- Click **Add a trigger** and search for **When an HTTP request is received**; select it as the trigger. This allows your Logic App to listen for HTTP requests and act accordingly.
- When prompted, leave the Request Body JSON Schema empty for now.
3. Define Conditions
- Add a Condition to check for an **x-api-key** header:
  - After the **HTTP request trigger**, click the **+** symbol and choose **Add an action**.
  - Search for **Control** and select **Condition** to add a conditional logic action.
  - Set up the condition to evaluate the **x-api-key** header in the HTTP request. To do this, add a new parameter by selecting the **Headers** object from the dynamic content, and make sure you enter **x-api-key** in the right-hand field.
  - Click **Save** from the menu bar.
- If you are using a stored parameter, create it now:
  - Click **Parameters** from the menu shown above and choose **Create Parameter**.
    - Name: **ApiKey**
    - Type: **String**
    - Default value: (the secret value you will share with Nodezero; not shown here)
  - Click **Save** from the menu bar.
  - Click **Code view** from the menu.
  - Set the condition to check whether the **x-api-key** value matches a stored parameter (e.g., using an Azure Key Vault or a Logic App parameter as outlined above). In this example we are using a parameter named ApiKey defined in the Logic App. In the Code view, the section we are interested in should be near the top and will look like this:

```json
"type": "If",
"expression": {
  "and": [
    { "equals": [ "@triggerOutputs()?['headers']", "" ] }
  ]
},
```

  - You need to add the **x-api-key** lookup and the value to match against, like below:

```json
"type": "If",
"expression": {
  "and": [
    { "equals": [ "@triggerOutputs()?['headers']['x-api-key']", "@parameters('ApiKey')" ] }
  ]
},
```
4. Define the True Branch Actions
- Click **Save** from the menu bar, then click **Designer** from the same menu bar.
- Add a **Send Data** action (for the True condition):
  - If the condition is met (True), click the **Add an action** button inside the True branch.
  - Search for **Azure Log Analytics Data Collector** and select **Send Data**.
  - Fill in the required fields, Workspace ID and Workspace Key.
  - Choose the required parameters; below we are choosing the body, which contains the alert information, as well as a custom log name.
- Add a **Response** action:
  - Click **+ New step** again and search for **Response**.
  - Set up the response that should be sent back after the data has been sent successfully.
  - Customize the Status Code (e.g., 200 for success) and any optional details such as a response message.
  - Click
5. Define the False Branch Actions
- Add a **Response** action (for the False condition):
  - In the False branch, click **Add an action**.
  - Search for **Response** and configure it to return a different Status Code (e.g., 400 or 404, depending on your use case).
  - Optionally add a message indicating why the condition failed.
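To make the behaviour of steps 3 to 5 concrete, here is an offline model of the workflow, written for this guide as an added example; it is not Horizon3's or Microsoft's code, and the alert payloads, the `ApiKey` value and the custom log name `NodezeroTripwire` are constructed stand-ins. It reproduces the `If` expression from Code view (compare the `x-api-key` header with the `ApiKey` parameter), the True branch (forward the body to a custom log, respond 200) and the False branch (respond 400). Two choices go slightly beyond the page: a missing header is treated as a mismatch, and the comparison uses `hmac.compare_digest` rather than plain equality so that the model does not leak timing; the Logic App `equals` shown above is a plain equality check.

```python
"""Offline model of the Logic App condition and its two branches.
Added example for this guide; not the Logic App itself."""
import hmac

# Constructed stand-in for the Logic App parameter 'ApiKey' (placeholder value).
PARAMETERS = {"ApiKey": "example-shared-secret"}

# Constructed sample tripwire alert body; field names are illustrative only.
SAMPLE_ALERT = {"event": "tripwire_triggered", "detail": "constructed example"}


def trigger_outputs(request):
    """Mimic triggerOutputs() for 'When an HTTP request is received'.
    Header names are folded to lower case so 'X-Api-Key' and 'x-api-key'
    are the same header, as HTTP requires."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    return {"headers": headers, "body": request.get("body")}


def header_value(outputs, name):
    """Look up a header the way ?['headers'][name] is meant to: a missing
    headers object or header yields None instead of an error (modelling choice)."""
    headers = outputs.get("headers")
    return None if headers is None else headers.get(name.lower())


def condition_is_true(outputs, parameters):
    """The 'If' expression: equals(headers['x-api-key'], parameters('ApiKey')).
    compare_digest is this example's hardening; it is not what 'equals' does."""
    presented = header_value(outputs, "x-api-key")
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), parameters["ApiKey"].encode())


def run_workflow(request, parameters=PARAMETERS, log=None):
    """Evaluate the condition and run one branch.
    Returns (status_code, response_body). `log`, if given, collects the
    records the 'Send Data' action would forward to Log Analytics."""
    outputs = trigger_outputs(request)
    if condition_is_true(outputs, parameters):
        # True branch: Send Data to a custom log, then Response 200.
        if log is not None:
            log.append({"LogType": "NodezeroTripwire", "body": outputs["body"]})
        return 200, {"message": "alert forwarded"}
    # False branch: nothing is forwarded; a different status code is returned.
    return 400, {"message": "missing or invalid x-api-key header"}


def demo():
    """Run three constructed requests: valid key, wrong key, no header.
    Returns the status codes and how many records reached the log."""
    log = []
    good = {"headers": {"X-Api-Key": PARAMETERS["ApiKey"]}, "body": SAMPLE_ALERT}
    wrong = {"headers": {"x-api-key": "not-the-key"}, "body": SAMPLE_ALERT}
    missing = {"headers": {}, "body": SAMPLE_ALERT}
    statuses = [run_workflow(r, log=log)[0] for r in (good, wrong, missing)]
    return statuses, len(log)


if __name__ == "__main__":
    print(demo())  # ([200, 400, 400], 1)
```

Only the request carrying the correct key reaches the Send Data step; the other two take the False branch and forward nothing, which is the property the condition in step 3 exists to enforce.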
6. Save and Configure in the Nodezero Portal
- Save your Logic App:
  - Click **Save** at the top of the Logic App designer.
- Get the HTTP request URL:
  - After saving, return to the **When an HTTP request is received** trigger and copy the generated **HTTP POST URL**.
- In the Nodezero portal, navigate to **Integrations**.
- Click **Create Webhook**:
  - Name the connection to your liking.
  - Enter the Endpoint URL.
  - Add the header:
    - Name: **x-api-key**
    - Value: (the same value you set for the ApiKey parameter; not shown here)
  - Click **Save**.
- You can now test your webhook.
Summary
You have now created a Logic App that receives HTTP requests, evaluates a condition, and performs different actions depending on whether the condition is true or false. The True branch sends data to Sentinel and returns a response, while the False branch simply returns a different response.
From here you can expand on the actions with Sentinel automation and carry out further steps such as opening incidents, sending emails, and so on.