Microsoft Sentinel

Two supported paths: a Logic App that consumes the webhook and writes to a custom table (simplest), or the Logs Ingestion API via a Data Collection Rule (best for high volume).

Option A · Logic App

  1. Azure Portal → Create a resource → Logic App.
  2. Add trigger: When an HTTP request is received.
  3. Copy the generated HTTP URL and paste it into the LeakJar webhook URL field in Console → Projects → Webhooks. The URL embeds a SAS token (the sig query parameter), so handle it like a secret: anyone holding it can post events into the workspace.
  4. Add action: Azure Monitor Logs → Send Data. Pass the trigger's Body as the JSON request body and set Custom Log Name to LeakJar; the connector appends _CL, so the table is queried as LeakJar_CL.

Option B · Logs Ingestion API (DCR)

For higher throughput and lower latency, run an Azure Function that receives the webhook and posts to the Logs Ingestion endpoint of a Data Collection Rule (DCR). Map columns from the webhook's data.* fields (email, source, severity, breachDate, monitoredDomainId); note that the domain is identified by ID, not by name. DCR-based custom tables must carry a TimeGenerated column and a name ending in _CL. Schema for the custom table:

leakjar-schema.json
{
  "columns": [
    { "name": "TimeGenerated",     "type": "datetime" },
    { "name": "EventId",           "type": "string" },
    { "name": "EventName",         "type": "string" },
    { "name": "MonitoredDomainId", "type": "string" },
    { "name": "Email",             "type": "string" },
    { "name": "Severity",          "type": "string" },
    { "name": "SourceName",        "type": "string" },
    { "name": "Raw",               "type": "dynamic" }
  ]
}
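The Function body for Option B, as an added example (it is not LeakJar's or Microsoft's code): it verifies the webhook signature, maps one event onto the LeakJar_CL columns above, and builds the POST to the DCR's Logs Ingestion endpoint. Two things are assumed because this page does not state them: the webhook envelope uses the keys id, event, createdAt and data, and X-LeakJar-Signature carries the lowercase hex HMAC-SHA256 of the raw request body (check both against the webhook docs). The DCE endpoint, DCR immutable ID, bearer token and the send callback are placeholders; the stream name Custom-LeakJar_CL follows the Logs Ingestion convention for custom tables.

```python
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

SIGNATURE_HEADER = "X-LeakJar-Signature"
API_VERSION = "2023-01-01"  # Logs Ingestion API version used in the request URL

# Constructed sample event. Envelope keys (id, event, createdAt, data) are an assumption;
# the data.* field names are the ones this page lists.
SAMPLE_EVENT = {
    "id": "evt_01",
    "event": "exposureAlert.created",
    "createdAt": "2024-05-01T09:30:00Z",
    "data": {
        "email": "Alice@acme.com",
        "source": "combolist-2024-04",
        "severity": "critical",
        "breachDate": "2024-04-20",
        "monitoredDomainId": "dom_123",
    },
}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT).encode("utf-8")


def sign_body(raw_body: bytes, secret: str) -> str:
    """Assumed signature recipe: lowercase hex HMAC-SHA256 over the raw body."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, header_value: Optional[str], secret: str) -> bool:
    """Constant-time comparison against the header; a missing header fails closed."""
    if not header_value:
        return False
    expected = sign_body(raw_body, secret).encode("ascii")
    return hmac.compare_digest(expected, header_value.strip().lower().encode("utf-8"))


def to_leakjar_cl(event: dict) -> dict:
    """Map one envelope onto the LeakJar_CL columns. DCR tables require TimeGenerated,
    so use the event timestamp and fall back to ingestion time if it is absent."""
    data = event.get("data") or {}
    return {
        "TimeGenerated": event.get("createdAt") or datetime.now(timezone.utc).isoformat(),
        "EventId": str(event.get("id", "")),
        "EventName": str(event.get("event", "")),
        "MonitoredDomainId": str(data.get("monitoredDomainId", "")),  # an ID, not the domain name
        "Email": str(data.get("email", "")).lower(),  # lower-case: KQL == and joins are case-sensitive
        "Severity": str(data.get("severity", "")).lower(),
        "SourceName": str(data.get("source", "")),
        "Raw": event,  # dynamic column keeps fields the schema does not model, e.g. breachDate
    }


def build_ingest_request(dce_endpoint: str, dcr_immutable_id: str, stream: str,
                         rows: List[dict], bearer_token: str) -> urllib.request.Request:
    """POST <dce>/dataCollectionRules/<dcr>/streams/<stream>; custom tables use Custom-<table>."""
    url = (f"{dce_endpoint.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
           f"/streams/{stream}?api-version={API_VERSION}")
    return urllib.request.Request(
        url, data=json.dumps(rows).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {bearer_token}"},
    )


def handle_webhook(raw_body: bytes, headers: Dict[str, str], secret: str, *, dce_endpoint: str,
                   dcr_immutable_id: str, bearer_token: str,
                   send: Callable[[urllib.request.Request], int]) -> int:
    """Verify, map, forward; returns the HTTP status to hand back to LeakJar.
    `send` performs the POST and returns its status code (urllib.request.urlopen(req).status
    in production); `bearer_token` is obtained separately, e.g. via azure-identity."""
    sig = next((v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not verify_signature(raw_body, sig, secret):
        return 401  # reject before anything is written to the workspace
    row = to_leakjar_cl(json.loads(raw_body))
    req = build_ingest_request(dce_endpoint, dcr_immutable_id, "Custom-LeakJar_CL", [row], bearer_token)
    return 202 if send(req) == 204 else 502  # Logs Ingestion API answers 204 No Content on success


if __name__ == "__main__":
    secret = "whsec_demo"  # placeholder; the real value is the webhook secret from the Console
    status = handle_webhook(
        SAMPLE_BODY, {SIGNATURE_HEADER: sign_body(SAMPLE_BODY, secret)}, secret,
        dce_endpoint="https://example.ingest.monitor.azure.com",  # placeholder DCE
        dcr_immutable_id="dcr-00000000000000000000000000000000",  # placeholder DCR immutable ID
        bearer_token="<token>",
        send=lambda req: 204,  # stub; production calls urllib.request.urlopen(req).status
    )
    print(status)
```

Keep the signature check ahead of JSON parsing so unauthenticated bodies never reach the parser, and batch rows (the request body is a JSON array) when volume justifies it.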

KQL examples

// Critical exposures per domain per day over the last 30 days
LeakJar_CL
| where TimeGenerated > ago(30d)
| where EventName == "exposureAlert.created"
| where Severity == "critical"
| summarize Exposures = count() by MonitoredDomainId, bin(TimeGenerated, 1d)
| order by TimeGenerated desc

// Enrich LeakJar alerts with Sentinel's IdentityInfo (UEBA) table.
// IdentityInfo holds one row per sync, so take the latest snapshot per account first,
// and match on the mail address rather than AccountName (the logon name), lower-cased
// on both sides because KQL's == and join are case-sensitive.
let identities = IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountUPN
| project AccountUPN, AccountDisplayName, Department, JobTitle, MailAddress;
LeakJar_CL
| where EventName == "exposureAlert.created"
| extend MailKey = tolower(Email)
| join kind=inner (identities | extend MailKey = tolower(MailAddress)) on MailKey
| project-away MailKey, MailKey1

Analytic rule template

Turn LeakJar alerts into Sentinel incidents whenever a VIP account is exposed. The VIP list is inlined below for brevity; in production keep it in a Sentinel watchlist and read it with _GetWatchlist('VIPs') so the rule does not need editing when the list changes.

analytic-rule.yaml
kind: Scheduled
displayName: "LeakJar — VIP credential exposure"
description: "A VIP mailbox appeared in a LeakJar exposure alert."
severity: High
enabled: true
query: |
  let vips = dynamic(["cto@acme.com", "ceo@acme.com"]);
  LeakJar_CL
  | where EventName == "exposureAlert.created"
  | where Email in~ (vips)
  | project TimeGenerated, EventId, Email, Severity, SourceName, MonitoredDomainId
queryFrequency: PT5M
queryPeriod: PT5M
triggerOperator: GreaterThan
triggerThreshold: 0
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Email

Events arrive with an HMAC signature in the X-LeakJar-Signature header; see the webhook docs for the verification recipe. In Option B, verify it in the Function before anything is written to the workspace and answer 401 on failure. Option A as described performs no signature check, so the secrecy of the Logic App trigger URL is the only thing keeping forged events out of LeakJar_CL.