Integrating with Microsoft Flow

Learn how to send AuditWolf webhook events into Microsoft Flow

Through AuditWolf webhooks, you can send important events that AuditWolf detects in your Azure infrastructure directly into Microsoft Flow, so you can then automate workflows to meet your specific business needs. This could be anything from sending messages to your CloudOps crew via Microsoft Teams or Slack to opening or closing tickets in ServiceNow. You're only limited by your imagination... and an understanding of how to set up Microsoft Flow to work with AuditWolf.

The rest of this document explains how to do just that.

Step 1 - Login to Microsoft Flow

To start, head over to https://flow.microsoft.com and sign in. To use AuditWolf webhooks with Microsoft Flow, you will need a PREMIUM license of MS Flow.

Step 2 - Create a new flow

Start by clicking the "Create" button on the left side of the screen...

Under "Start from blank", select "Automated flow"...

When the dialog pops up, enter a unique name to represent this flow like "AuditWolf alert", and then hit "Skip". We will set the trigger later using a PREMIUM feature of Microsoft Flow that isn't available during the creation wizard...

In the "Search connectors and triggers" search box, enter "When a HTTP request is received"...

... and you will see a PREMIUM feature available to you. Select "When a HTTP request is received" in the Triggers section of the dialog...

In the HTTP step, select the option to "Use sample payload to generate schema"...

This will open a dialog where you enter a sample payload for Microsoft Flow to parse, so it can understand what it will receive. If you would like more detailed information on how an AuditWolf webhook payload works, please refer to our AuditWolf Webhooks Reference guide.

When prompted, paste in the following sample JSON data...

{
    "awid": "28878173-1d37-432b-a3e3-faeaeb62f1d1",
    "id": "d9d41ada-c2be-4643-87f3-c73980257fdd",
    "objectid": "80ce9fa0-c865-4460-aeed-43c9ac534474",
    "type": "task.create",
    "timestamp": "2019-01-14T23:28:56.782Z",
    "subscriptionId": "a8bd955b-86f8-4413-919d-a89910462c04",
    "resourceId": "/subscriptions/.../providers/Microsoft.Web/sites/webApp01",
    "resourceName": "webApp01",
    "summary": "Configure the webApp01 web app service to use more than one instance.",
    "severity": "MEDIUM",
    "uri": "https://portal.auditwolf.com/tasks/80ce9fa0-c865-4460-aeed-43c9ac534474"
}

Once pasted, click "Done".

At this point Microsoft Flow will convert the sample payload into a proper schema it can understand. You will now be able to access any part of an AuditWolf event payload directly in Microsoft Flow.

To demonstrate this, let's create a conditional step that runs only when AuditWolf detects a violation against policy and creates a new Task for you. We can do this by looking for task.create events. Start by selecting a new step...

Select a "Control condition" in the Actions pane...

In the Condition block, select a value of "type" from the Dynamic content popup. This maps to the AuditWolf webhook event type sent to Microsoft Flow. Make sure the condition check is set to "is equal to" and the value is "task.create". 

At this point you can now add any action you like in the "if yes" block. Whenever AuditWolf detects a new issue, it will trigger an event to Microsoft Flow and execute whatever automation action you put in that block.

Once you have set up whatever action you like, hit Save. Microsoft Flow will then generate a unique callback URL that you can set up in AuditWolf to fire events. You can see this URL if you go back into the flow and expand "When a HTTP request is received"...

Record that HTTP POST URL, and then head to the AuditWolf Portal.

Step 3 - Set up an AuditWolf webhook

From the AuditWolf Portal, select Settings from the menu on the left...

Select the "Webhooks" tab and then click the "Add Endpoint" button...

When prompted, complete the fields in the dialog. Make sure you copy the entire Microsoft Flow URL and paste it in the Callback URL field. Select at least one subscription you wish to monitor and select the desired events you want to track. In this workflow, we are tracking "Issues detected or resolved", which will send task.create, task.suppress and task.complete events.

Hit "Add Endpoint". It will save the webhook and generate a new signing secret you can use to verify the digital signature of events sent by AuditWolf to guarantee authenticity... 

NOTE: This is the only time you will see that signing secret. Once you hit "Close" that value will never be shown again. If you need a new signing secret you will be forced to create a new webhook and delete the old one.

For more information on advanced configurations like verifying the security and authenticity of AuditWolf events, please review the AuditWolf Webhooks Reference guide.
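As an added example (not AuditWolf's own code), this is what checking an event against the signing secret can look like in a receiver you control before any automation runs. The signature scheme (hex HMAC-SHA256 over the raw request body), the helper names and the sample secret are assumptions; the actual algorithm and where the signature is carried are defined in the AuditWolf Webhooks Reference guide.

```python
import hashlib
import hmac
import json

# Event types this page lists for "Issues detected or resolved".
KNOWN_TYPES = {"task.create", "task.suppress", "task.complete"}
# String fields taken from the sample payload shown on this page.
REQUIRED_FIELDS = ("id", "type", "timestamp", "severity", "uri")


def sign(secret: bytes, raw_body: bytes) -> str:
    """ASSUMED scheme: hex HMAC-SHA256 of the raw request body."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_event(secret: bytes, raw_body: bytes, signature: str) -> dict:
    """Return the parsed event, or raise ValueError if it must be rejected."""
    expected = sign(secret, raw_body).encode()
    # Check the bytes exactly as received, before parsing, in constant time.
    if not hmac.compare_digest(expected, signature.strip().lower().encode()):
        raise ValueError("signature mismatch")
    try:
        event = json.loads(raw_body)
    except ValueError as exc:
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(event, dict):
        raise ValueError("body is not a JSON object")
    missing = [f for f in REQUIRED_FIELDS if not isinstance(event.get(f), str)]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    if event["type"] not in KNOWN_TYPES:
        raise ValueError("unexpected event type: " + event["type"])
    return event


def is_new_issue(event: dict) -> bool:
    """Same filter as the Flow condition: type is equal to task.create."""
    return event["type"] == "task.create"


# Constructed sample: placeholder secret, trimmed copy of the page's payload.
SAMPLE_SECRET = b"example-signing-secret"
SAMPLE_BODY = json.dumps({
    "id": "d9d41ada-c2be-4643-87f3-c73980257fdd",
    "type": "task.create",
    "timestamp": "2019-01-14T23:28:56.782Z",
    "severity": "MEDIUM",
    "uri": "https://portal.auditwolf.com/tasks/80ce9fa0-c865-4460-aeed-43c9ac534474",
}).encode()
```

Verification runs on the raw bytes because re-serializing parsed JSON can change whitespace or key order and break the comparison.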

Step 4 - Enjoy the integration goodness...

That's it. Any time a webhook is triggered that matches your configuration, AuditWolf will send a message to your callback URL in Microsoft Flow. Where you take it from here is only up to your imagination. If you make something cool, please let us know at help@auditwolf.com so we can share your awesomeness with the team!