Azure Sentinel Logic App Get Incidents is failing with BadGateway

Question

Here is how we have the Alert - Get incidents configured.&nbsp;&nbsp;Here is the output we are getting.&nbsp;&nbsp;&nbsp;"error": {"code": 500,"source": "logic-apis-eastus2.azure-apim.net","clientRequestId": "123ec5c4-c2ba-48e6-b3f0-eec6d4a2ceba","message": "BadGateway","innerError": {"status": 500,"message": "Invalid subscription id or resource group
clientRequestId: 123ec5c4-c2ba-48e6-b3f0-eec6d4a2ceba","source": "azuresentinel-eus2.azconn-eus2.p.azurewebsites.net"}}&nbsp;Double checked both the subscription Id and the resource group and they are correct.&nbsp;&nbsp;&nbsp;Anyone else seen this and know a fix for it?

judydixon · Answer

judydixon&nbsp;Turns out this was an authentication problem between the sentinel workspace and the logic app.&nbsp; Got past that point now.&nbsp;

bogglor · Answer

Unfortunately, it is not documented on the github that in order to deploy the playbook ARM templates, one of the steps is you MUST give the service principal you're using for the initial "when an event happens" sentinel trigger the necessary reader permissions (at minimum) to the log analytics workspace serving your sentinel deployment.&nbsp; Seems obvious, sure, but it also seems obvious that it should be documented in the step by step install instructions in the readme....

akefallonitis · Answer

bogglor&nbsp;judydixon&nbsp;&nbsp;&nbsp;Can you share the permissions you grant to the app for this to work please?

Forum Discussion

Azure Sentinel Logic App Get Incidents is failing with BadGateway

Share

Resources