You can trigger an Azure Function directly from a Sumo Logic alert by configuring a webhook connection.
For example, you can create a scheduled search that triggers an Azure function when an administrator changes a user’s permissions. This function can then update a database to document the changes for audit purposes.
Create an Azure function
First, create an HTTP-triggered Azure function. For more information, see: https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook
- Create an Azure function using the template HttpTrigger-Powershell.
- Copy and paste code of the Azure function into the code field. The following example is an HTTP-triggered PowerShell function:
$requestBody = Get-Content $req -Raw | ConvertFrom-Json "Webhook Triggered" $requestBody.text $requestBody.raw $requestBody.num $requestBody.agg Out-File -Encoding Ascii -FilePath $res -inputObject "Hello Sumo Logic, from Azure Function"
- Click Save.
- Copy the function URL, as you will need it in the next section.
Create a Webhook connection
Configure the Webhook connection to trigger the Azure function.
- Go to Manage Data > Alerts > Connections.
- On the Connections page click Add.
- Select Azure Functions.
- In the Create Connection dialog, configure:
- Name. Enter the name of the connection.
- (Optional) Description, enter a description for the connection.
- URL. Enter the function URL for the endpoint from the previous section.
- (Optional) Authorization Header, enter an authorization header, which may include an authorization token.
- (Optional) Custom Headers, enter up to five comma separated key-value pairs.
- Payload. Enter a JSON object in the format required. For details on variables that can be used as parameters within your JSON object, see Webhook Payload Variables.
- Click Test Connection. If the connection is made, you will see a 200 OK response message.
- Click Save.
Create a scheduled search
Scheduled searches are saved searches that run automatically at specified intervals. When a scheduled search is configured to send an alert, it can be sent to a connection via a webhook.
You can create a brand new search, or you can base a search on an existing saved or scheduled search. If you'd like to use an existing search, you'll need to save the query as a new search to not override the current schedule of the search. For instructions, see Scheduled Searches for Webhook Connections.
Create a metrics monitor
To trigger the Webhook connection, you can also use a metrics monitor. For instructions, see Metrics Monitors and Alerts.