
SIEM Integration | Microsoft Sentinel

This guide explains how to connect Spikerz with Microsoft Sentinel using an Azure Logic App. Once configured, Spikerz alerts will be automatically ingested and created as incidents inside Microsoft Sentinel.

Written by Ron Azogui
Updated over 2 months ago

Prerequisites

Before starting, make sure you have:

  • An active Azure subscription

  • Microsoft Sentinel enabled on a Log Analytics workspace

  • Permissions to:

    • Create Azure Logic Apps

    • Assign roles in Microsoft Sentinel

  • Access to your Spikerz workspace settings

Step 1 – Create an Azure Logic App

  1. Sign in to the Azure Portal

  2. Navigate to Logic Apps

  3. Click Create

Configuration

  • Plan: Workflow Service Plan (recommended for simplicity and lower cost)

  • Subscription: Select your Azure subscription

  • Resource Group: Use the same resource group as your Sentinel workspace (recommended)

  • Region: Choose the same region as your Sentinel workspace

  • Logic App name: spikerz-sentinel-webhook

Click Review + Create, then Create.

Step 2 – Create a New Workflow

  1. Open the Logic App you just created

  2. Click Workflows, then Add

  3. Name the workflow: spikerz-sentinel-webhook

  4. Choose Stateless

Step 3 – Open Code View

  1. Inside the workflow, click Code view

  2. You will paste a full Logic App definition in the next step

⚠️ Important: This will overwrite the workflow definition. Only do this on a new workflow.

Step 4 – Paste the Logic App Definition

Copy and paste the following JSON into the Code view:

{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "triggers": {
      "http_request": {
        "type": "Request",
        "kind": "Http",
        "inputs": {
          "schema": {
            "type": "object",
            "properties": {
              "_id": { "type": "string" },
              "accountId": { "type": "string" },
              "workspaceId": { "type": "string" },
              "assetUsername": { "type": "string" },
              "platform": { "type": "string" },
              "workspaceName": { "type": "string" },
              "type": { "type": "string" },
              "category": { "type": "string" },
              "timestamp": { "type": "string" },
              "sourceType": { "type": "string" },
              "metadata": { "type": "object" }
            },
            "required": [
              "accountId",
              "workspaceId",
              "type",
              "category",
              "timestamp",
              "sourceType"
            ]
          }
        }
      }
    },
    "actions": {
      "create_sentinel_incident": {
        "type": "Http",
        "inputs": {
          "method": "PUT",
          "uri": "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.OperationalInsights/workspaces/<WORKSPACE_NAME>/providers/Microsoft.SecurityInsights/incidents/@{guid()}?api-version=2025-09-01",
          "authentication": { "type": "ManagedServiceIdentity" },
          "headers": { "Content-Type": "application/json" },
          "body": {
            "properties": {
              "title": "@{concat('Spikerz: ', coalesce(triggerBody()?['type'],'alert'), ' | ', coalesce(triggerBody()?['platform'],'unknown'), ' | ', coalesce(triggerBody()?['assetUsername'],'unknown'))}",
              "description": "@{concat('Source: ', coalesce(triggerBody()?['sourceType'],'spikerz'), '\n', 'AccountId: ', coalesce(triggerBody()?['accountId'],'-'), '\n', 'Workspace: ', coalesce(triggerBody()?['workspaceName'], triggerBody()?['workspaceId'], '-'), '\n', 'Category: ', coalesce(triggerBody()?['category'],'-'), '\n', 'Type: ', coalesce(triggerBody()?['type'],'-'), '\n', 'Timestamp: ', coalesce(triggerBody()?['timestamp'],'-'), '\n\n', 'Metadata:\n', string(coalesce(triggerBody()?['metadata'], json('{}'))), '\n\n', 'Raw:\n', string(triggerBody()))}",
              "severity": "@{if(or(equals(toLower(coalesce(triggerBody()?['category'],'')),'accountsecurity'), equals(toLower(coalesce(triggerBody()?['type'],'')),'email_change')), 'Medium', 'Low')}",
              "status": "New",
              "labels": [
                { "labelName": "spikerz" },
                { "labelName": "@{concat('platform:', toLower(coalesce(triggerBody()?['platform'],'unknown')))}" },
                { "labelName": "@{concat('category:', toLower(coalesce(triggerBody()?['category'],'unknown')))}" },
                { "labelName": "@{concat('type:', toLower(coalesce(triggerBody()?['type'],'unknown')))}" }
              ]
            }
          }
        },
        "runAfter": {}
      },
      "http_response": {
        "type": "Response",
        "kind": "Http",
        "inputs": {
          "statusCode": 200,
          "body": {
            "status": "ok",
            "sentinelIncidentCreated": true
          }
        },
        "runAfter": {
          "create_sentinel_incident": [ "Succeeded" ]
        }
      }
    },
    "outputs": {}
  },
  "kind": "Stateless"
}
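To preview what the definition above turns a Spikerz alert into before you save the workflow, here is an added Python script (not part of this guide, Spikerz, or the Logic App) that reproduces the title, description, severity and label expressions on a constructed sample payload. The required-field check mirrors the schema's "required" list in this script only; no assumption is made about whether the Logic App itself rejects non-conforming payloads.

```python
import json

# Added example, not Spikerz or Logic App code: mirrors the mapping in the
# definition above. Field names come from the trigger schema; values are made up.
REQUIRED = ["accountId", "workspaceId", "type", "category", "timestamp", "sourceType"]


def coalesce(*values):
    """Logic Apps coalesce(): first argument that is not null (empty string counts)."""
    return next((v for v in values if v is not None), None)


def validate_alert(alert):
    """Names of schema-required fields that are absent or null in the payload."""
    return [f for f in REQUIRED if alert.get(f) is None]


def build_incident(alert):
    """The 'properties' body the create_sentinel_incident action PUTs to Sentinel."""
    g = alert.get  # None when absent, like triggerBody()?['key']
    category, typ = coalesce(g("category"), ""), coalesce(g("type"), "")
    severity = ("Medium" if category.lower() == "accountsecurity"
                or typ.lower() == "email_change" else "Low")
    title = "Spikerz: {} | {} | {}".format(
        coalesce(g("type"), "alert"), coalesce(g("platform"), "unknown"),
        coalesce(g("assetUsername"), "unknown"))
    # string() in Logic Apps serialises JSON; exact whitespace may differ from json.dumps.
    description = (
        "Source: {}\nAccountId: {}\nWorkspace: {}\nCategory: {}\nType: {}\n"
        "Timestamp: {}\n\nMetadata:\n{}\n\nRaw:\n{}").format(
        coalesce(g("sourceType"), "spikerz"), coalesce(g("accountId"), "-"),
        coalesce(g("workspaceName"), g("workspaceId"), "-"),
        coalesce(g("category"), "-"), coalesce(g("type"), "-"),
        coalesce(g("timestamp"), "-"),
        json.dumps(coalesce(g("metadata"), {}), separators=(",", ":")),
        json.dumps(alert, separators=(",", ":")))
    labels = ["spikerz"] + ["{}:{}".format(k, coalesce(g(k), "unknown").lower())
                            for k in ("platform", "category", "type")]
    return {"title": title, "description": description, "severity": severity,
            "status": "New", "labels": [{"labelName": name} for name in labels]}


# Constructed sample alert shaped like the trigger schema (all values invented).
SAMPLE_ALERT = {
    "_id": "example-id", "accountId": "acct-1", "workspaceId": "ws-1",
    "assetUsername": "brand_account", "platform": "Instagram", "workspaceName": "Demo",
    "type": "email_change", "category": "accountSecurity", "sourceType": "spikerz",
    "timestamp": "2024-01-01T00:00:00Z", "metadata": {"ip": "203.0.113.5"},
}
```

Run `build_incident(SAMPLE_ALERT)` to see the incident body; alerts with category accountSecurity or type email_change come out as Medium severity, everything else as Low, exactly as the severity expression in the definition decides.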

In another tab, open the Microsoft Sentinel settings:

Click Workspace settings:

Step 5 – Replace Required Placeholders

In the Logic App code you pasted earlier, locate the following placeholders and replace them with the corresponding values from your Microsoft Sentinel environment:

  • <SUBSCRIPTION_ID> → Your Azure subscription ID

  • <RESOURCE_GROUP> → The resource group that contains your Sentinel workspace

  • <WORKSPACE_NAME> → The name of your Log Analytics (Sentinel) workspace

Make sure all three values are updated correctly before saving the Logic App.

Step 6 – Save and Retrieve the HTTP Endpoint

Click Save, then go to the Designer and click the "http request" box:

Copy the HTTP URL and keep it for later:

Copy the Logic App’s managed identity (Object ID):

In Sentinel, add a new role assignment and select "Microsoft Sentinel Contributor":

Step 7 – Assign Permissions (Managed Identity)

Choose "Managed identity" and search for the Logic App’s managed identity (Object ID):

Step 8 – Configure Spikerz

Navigate to your profile and tap the "Settings" button.

Go to the Settings section and tap "Workspace". On this screen, tap the "Connect SIEM" button.

Choose the desired provider from the available providers (Microsoft Sentinel), then enter the "http request" URL copied earlier.

Click "Test SIEM alerts" and check the logs in Microsoft Sentinel:

If it works, click "Save" and turn it on:
