Forum Discussion

Hogank
Copper Contributor
Mar 11, 2021

Alert - Get incident Error when attempting to Auto Remediate Cloud App Security Alerts

Following the creation of a LogicApp to auto remediate Cloud App Security alerts, I receive the following error for the Alert - Get incident: 

{
    "statusCode": 404,
    "headers": {
        "Access-Control-Allow-Methods": "GET, PUT, PATCH, DELETE, POST",
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Max-Age": "3600",
        "Access-Control-Expose-Headers": "*",
        "Date": "Thu, 11 Mar 2021 15:35:46 GMT",
        "Content-Length": "54",
        "Content-Type": "application/json"
    },
    "body": {
        "statusCode": 404,
        "message": "Resource not found"
    }
}
 
Does anyone have any idea why this might be occurring? I followed the instructions from this article: "Playbook for Azure Sentinel & MCAS integration" by Priscila Viana (Medium). Thank you in advance!

4 Replies

  • Thijs Lecomte
    Bronze Contributor
    Hi

    Could you share what you are providing as input in the Get Incident step?

    Just double checking: There is an incident for this alert (viewable from the GUI?)
      • Thijs Lecomte
        Bronze Contributor
        Can you share the details of that step?
        This is my code for my Get-Incident:
        "Alert_-_Get_incident": {
            "inputs": {
                "host": {
                    "connection": {
                        "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                    }
                },
                "method": "get",
                "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
            },
            "runAfter": {},
            "type": "ApiConnection"
        },


        I don't think you are passing the right parameters within your Get-Incident action
    • Hogank
      Copper Contributor
      The following is the input:

      {
          "method": "get",
          "path": "/Incidents/subscriptions/9836142a-7fce-4366-a0fb-c969265b1153/resourceGroups/East-Prod-Sentinel-RG/workspaces/246cb7e4-8c78-4ba8-a725-3db560777362/alerts/",
          "host": {
              "connection": {
                  "name": "/subscriptions/9836142a-7fce-4366-a0fb-c969265b1153/resourceGroups/East-Prod-Sentinel-RG/providers/Microsoft.Web/connections/azuresentinel"
              }
          }
      }

      And yes!
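
The input posted above ends at `/alerts/` with nothing after it, while the path template in the earlier reply places `SystemAlertId` there. The following is an added example, not part of the thread or of the playbook: it matches a resolved action path against that template and lists which trigger fields came through empty. The sample path uses constructed placeholder IDs, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Path template as posted in the reply above; each @{...} is a dynamic value.
TEMPLATE = (
    "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}"
    "/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}"
    "/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}"
    "/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
)

# Constructed sample of a resolved path (placeholder IDs), ending at /alerts/.
SAMPLE_RESOLVED = (
    "/Incidents/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/example-rg"
    "/workspaces/11111111-1111-1111-1111-111111111111/alerts/"
)

# Matches one @{...['Field'])} expression and captures the trigger field name.
EXPR = re.compile(r"@\{[^}]*\['([^']+)'\]\)\}")


def template_to_regex(template):
    """Build a regex with one named group per trigger field in the template."""
    pattern, pos = "", 0
    for m in EXPR.finditer(template):
        pattern += re.escape(template[pos:m.start()]) + "(?P<%s>[^/]*)" % m.group(1)
        pos = m.end()
    return re.compile("^" + pattern + re.escape(template[pos:]) + "$")


def check_resolved_path(resolved, template=TEMPLATE):
    """Return (fields, missing): decoded value per field, and the empty fields."""
    m = template_to_regex(template).match(resolved)
    if m is None:
        raise ValueError("resolved path does not follow the template")
    fields = {name: unquote(value) for name, value in m.groupdict().items()}
    missing = [name for name, value in fields.items() if not value.strip()]
    return fields, missing


if __name__ == "__main__":
    fields, missing = check_resolved_path(SAMPLE_RESOLVED)
    for name, value in fields.items():
        print("%-24s %r" % (name, value))
    print("empty fields:", missing or "none")
```

The resolved path to feed in is the `path` value shown under the action's inputs in the Logic App run history.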
