Configure the webhook in Microsoft Sentinel

Configure webhook endpoints so that Microsoft Sentinel can use the endpoint to communicate with Incident Response.

Before you begin

Role required: Responder, Manager, or Administrator

About this task

Note: While this integration with a third-party product is supported, the documentation here is based upon information provided by that third-party. More current information about the operation of that third-party’s system may be available from them directly.


  1. Log in to your Microsoft Sentinel application console.
  2. Navigate to Azure services > Logic apps.
  3. Create a logic app based on your workflow requirements.
    For detailed information about creating Logic Apps, see the section Create a Consumption logic app resource.
  4. After your logic app is successfully deployed, select Go to resource. You can also select your logic app resource by typing the name in the Azure search box.
    Logic app resource.
  5. In the Logic app designer, under Templates, select Blank Logic App.
    Blank logic app.
  6. Search for and select Microsoft Sentinel.
  7. Under Triggers, select Microsoft Sentinel alert (preview).
    Select trigger.
  8. Click New step.
  9. In the new step to choose an operation, search for and select HTTP.
  10. From the Actions tab, select HTTP.
    Select HTTP.
  11. In the HTTP form, fill in these fields:
    Field Description
    Method Select POST
    URI Enter the webhook URL copied from Lightstep Incident Response.
    Body Select Body from the Add Dynamic Content list.

    Add webhook URL.

  12. Click Save.

What to do next

Add the logic app containing the webhook URL from Lightstep Incident Response to your Microsoft Sentinel analytics rules.
  1. Navigate to Azure services > Microsoft Sentinel.
  2. Select your workspace.
  3. From the navigation panel, under Configuration, select Analytics.
  4. Create or edit a Scheduled query rule.
  5. Add the conditions for your rule.

    For detailed information about creating analytics rules, see Create a custom analytics rule with a scheduled query.

  6. On the Automated response tab, from the Alert automation list, select the logic app playbook containing the webhook URL from Lightstep Incident Response.

    Select playbook.

  7. Complete the rule creation and click Save.

Depending on your analytics rules, alerts triggered in Microsoft Sentinel will create alerts in Lightstep Incident Response.