Skip to content

Guide: Building a Logic App in Azure to Automate Conditional Actions

Integrations

Note: Only one instance of Microsoft Sentinel can be connected at a time.

This guide will show you how to create a Logic App in Azure that responds to incoming HTTP requests from NodeZero’s tripwire alerts and sends the data to Microsoft Sentinel as well as triggering different actions based on specific conditions. Follow these steps to create a similar flow as seen below.

figure A

Create a New Logic App.

Navigate to you Azure Portal

1. Log in to Azure Portal.

  • Search for Logic Apps in the search bar.

  • Click on Create Logic App and fill in the necessary details such as Subscription, Resource Group, and Region.

  • Once creation is complete click Go to resource.

  • Select Logic App Designer under Development tools in the menu on the left of the screen.

2. Add the Trigger

  • Choose the Trigger
  • Click Add a trigger and search for When an HTTP request is received as the trigger. This will allow your Logic App to listen for HTTP requests and act accordingly.
  • When prompted, leave the Request Body JSON Schema empty for now.

3. Define Conditions

  • Add a Condition to Check for a x-api-key Header.

  • After the HTTP request trigger, click on the + symbol and choose Add an action.

  • Search for Control and select Condition to add a conditional logic action.

  • Set up the condition to evaluate the x-api-key header in the HTTP request. To do this:

  • Add a new parameter by selecting the Headers object from the dynamic content.

Headers

  • Ensure you add x-api-key in the right field.

  • Click Save from the menu bar.

figure B

  • If using a stored Parameter create that now.

  • Click Parameters from the menu shown above and choose Create Parameter.

    • Name: ApiKey

    • Type: String

    • Default value:

  • Click Save from the menu bar.

  • Click Code view from the menu.

  • Set the condition to check if the x-api-key value matches a stored parameter (e.g., using an Azure Key Vault or a Logic App parameter as outlined above). In this example we are using a parameter named ApiKey defined in the logic app. In the Code view the section we are interested in will look like this and should be near the top.

    "type": "If",
"expression": {
  "and": [
    {
      "equals": [
        "@triggerOutputs()?['headers']",
        ""
      ]
    }
  ]
},

  • You need to add the x-api-key value and matcher like below.

    "type": "If",
"expression": {
  "and": [
    {
      "equals": [
        "@triggerOutputs()?['headers']['x-api-key']",
        "@parameters('ApiKey')"
      ]
    }
  ]
},

4. Define The True Branch Actions

  • Click Save from the menu bar and then click Designer from the same menu bar.

  • Add Send Data Action (for True Condition)

  • If the condition is met (True), click on the Add an action button inside the True branch.

  • Search for Azure Log Analytics Data Collector and select Send Data.

  • Fill in the required fields, Workspace ID and Workspace Key.

  • Choose the required parameters, below we are choosing the body which contains the information as well as a custom log name.

True

  • Add a Response Action.
    • Click + New step again and search for Response.
    • Set up the response that should be sent back after successfully creating the incident.
    • Customize the Status Code (e.g., 200 for success) and any optional details like a response message.

5. Define The False Branch Actions

  • Add a Response Action (for False Condition)

  • In the False branch, click Add an action.

  • Search for Response and configure it to return a different Status Code (e.g., 400 or 404, depending on your use case).

  • Optionally add a message indicating why the condition failed.

6. Save and configure in the NodeZero portal

  • Save Your Logic App

  • Click Save at the top of the Logic App designer.

  • Get the HTTP Request URL

  • After saving, return to the When an HTTP request is received trigger and copy the generated HTTP POST URL.

  • In the NodeZero portal navigate to Settings -> Integrations -> Tripwires Webhooks.

  • Click + for Microsoft Sentinel | Azure.
    • Name the connection
    • Enter the Endpoint URL
    • Add the Header
    • Name: x-api-key
    • Value:
    • Click Save

Config

  • You can now test your Webhook.

Summary

You have now created a Logic App that receives HTTP requests, evaluates a condition, and performs different actions based on whether the condition is true or false. The true branch sends data to Sentinel, and sends a response, while the false branch simply sends a different response.

From here you can expand on the actions with Sentinel automation and carry out further actions such as opening incidents, sending emails, etc.