Azure Sentinel Logic App Action Incident ID
- Sep 26, 2019
You need to use System Alert ID
ryanksmith I just tried this again and I was NOT able to get it to work yet.
Any update on the topic? I just had the same HTTP 400 mentioned above.
Here is my Playbook
- Sentinel input
- Mail approval
- Approved: post message on Teams --> It works
- Refused: close the incident --> Same error as GaryBushey
- GaryBushey Jan 29, 2020 Bronze Contributor
simlad I would try hard-coding the values for your subscription (GUID) and resource group name to see if it works that way. If it does then you are getting bad values from the trigger and that will be the next thing to look at.
You could also try to output all the values from the trigger into an Email or Teams message to see what you are getting.
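The second suggestion above (dump the trigger values and look at them) can be turned into a concrete check. The script below is an added example, not code from this thread or from Microsoft: it takes the kind of values a Sentinel trigger hands to a "Get incident" step, verifies that the subscription ID is a GUID and the resource group name follows Azure's naming rules, and cross-checks both against the incident's ARM resource ID, so a bad value from dynamic content shows up before the connector returns "Invalid subscription id or resource group". The trigger payloads are constructed, and the field names (SubscriptionId, ResourceGroup, IncidentArmId) are assumptions, not the connector's actual schema.

```python
"""Sanity-check the subscription ID and resource group a Logic App trigger
passes to a Sentinel 'Get incident' style action.

Added example, not code from the thread or from Microsoft. The payloads
below are constructed and the field names are assumptions.
"""
import re
import uuid

# Azure resource-group naming rules (ASCII subset, which is an assumption of
# this example): 1-90 characters of letters, digits, underscore, parentheses,
# hyphen or period, and the name must not end with a period.
RG_NAME_RE = re.compile(r"^[A-Za-z0-9_()\-.]{1,90}$")

# An ARM resource ID starts with /subscriptions/{sub}/resourceGroups/{rg}/...
# so both values can be recovered from the incident's ID and compared with
# whatever the trigger's dynamic content produced.
ARM_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)/",
    re.IGNORECASE,
)


def is_guid(value):
    """True only for a canonical hyphenated GUID such as Logic Apps emits."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def is_valid_rg_name(name):
    """True if the name satisfies the resource-group rules above."""
    return bool(name) and RG_NAME_RE.match(name) is not None and not name.endswith(".")


def parse_arm_id(arm_id):
    """Return (subscription, resource_group) from an ARM ID, or None."""
    match = ARM_ID_RE.match(arm_id or "")
    if not match:
        return None
    return match.group("sub"), match.group("rg")


def check_trigger_values(trigger_body):
    """Return a list of problems found; an empty list means the values look sane."""
    problems = []
    sub = trigger_body.get("SubscriptionId")
    rg = trigger_body.get("ResourceGroup")

    if not is_guid(sub):
        problems.append(f"subscription id is not a GUID: {sub!r}")
    if not is_valid_rg_name(rg):
        problems.append(f"resource group name is invalid: {rg!r}")

    parsed = parse_arm_id(trigger_body.get("IncidentArmId"))
    if parsed is None:
        problems.append("incident ARM id missing or malformed")
    else:
        arm_sub, arm_rg = parsed
        if sub and arm_sub.lower() != sub.lower():
            problems.append(f"subscription {sub!r} does not match ARM id ({arm_sub!r})")
        if rg and arm_rg.lower() != rg.lower():
            problems.append(f"resource group {rg!r} does not match ARM id ({arm_rg!r})")
    return problems


# Constructed sample payloads (not real trigger output).
SAMPLE_ARM_ID = (
    "/subscriptions/11111111-2222-3333-4444-555555555555"
    "/resourceGroups/sentinel-rg"
    "/providers/Microsoft.OperationalInsights/workspaces/sentinel-ws"
    "/providers/Microsoft.SecurityInsights/incidents/aaaaaaaa-0000-0000-0000-000000000001"
)
GOOD_TRIGGER = {
    "SubscriptionId": "11111111-2222-3333-4444-555555555555",
    "ResourceGroup": "sentinel-rg",
    "IncidentArmId": SAMPLE_ARM_ID,
}
BAD_TRIGGER = {
    "SubscriptionId": "not-a-guid",
    "ResourceGroup": "sentinel rg.",
    "IncidentArmId": SAMPLE_ARM_ID,
}

if __name__ == "__main__":
    for label, body in (("good", GOOD_TRIGGER), ("bad", BAD_TRIGGER)):
        print(label, check_trigger_values(body) or "ok")
```

Paste the values from a Compose action or an email of the trigger outputs into the dictionaries and run the script; an empty list means the 400 is coming from somewhere other than the subscription and resource group fields.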
- simlad Jan 29, 2020 Copper Contributor
Hi GaryBushey and everyone, I did pretty much the same thing but every time I get the same error:
BadRequest.
OUTPUTS
{
"error": {
"code": 400,
"source": "logic-apis-canadacentral.azure-apim.net",
"clientRequestId": "888590e9-f530-4bff-a879-c47f8c04a631",
"message": "The response is not in a JSON format.",
"innerError": "Invalid subscription id or resource group"
}
}
The subscription ID I used is the Azure Sentinel dynamic content "Subscription ID", so how could it be invalid? Any idea on how I could make my "Get Incident" work?
Thanks in advance for your help.
- OskarEnfo Dec 27, 2019 Copper Contributor
Thanks, I appreciate it. Wondering what the issue is, as everything else I see is the same. I struggle to see that previous steps would be needed for the number to show up. Can it be different levels of licensing? I ended up raising a support ticket with MS.
- Gary Bushey Dec 27, 2019 Copper Contributor
OskarEnfo Yes, it is still dynamic and it is still working (just checked).
- OskarEnfo Dec 27, 2019 Copper Contributor
Hey Gary,
Do you still have that Number as dynamic content? Cause I don't, resulting in not being able to add comments to incidents.
- Cristian Calinescu Nov 21, 2019 Brass Contributor
ryanksmith GaryBushey Molx32 This only works for alert rules that are query based, because you can attach a playbook to them on the Automated Response tab. But what about the Microsoft Security rules like Create incidents based on Azure ATP alerts, or MCAS alerts? You can't attach a playbook to those. So how do you get it to automatically log a SNOW incident, let's say, or send an email whenever an Azure Sentinel incident of such type is created? I couldn't find a way other than a logic app which gets all newly created security alerts from the Microsoft Graph, then takes the Alert ID and checks if an Azure Sentinel incident exists with that alert ID, and if it does continues with actions like log a SNOW ticket and send an email notification. But it's messy and doesn't really work as expected (sometimes it generates duplicate incidents). Anyway, if anyone has any idea on how you could, at the moment and with the current functionalities, create a logic app which gets all newly created Azure Sentinel incidents and that you could set to run automatically so you could also get the Microsoft Security rules incidents, please kindly share. Hope the above makes sense.
- ryanksmith Nov 10, 2019 Copper Contributor
Thanks GaryBushey. Still broken if I take the body from an API pull (which works); will call Premier support this week now that it's GA.
- GaryBushey Nov 10, 2019 Bronze Contributor
- ryanksmith Nov 09, 2019 Copper Contributor
GaryBushey Tried, no luck. Are you able to post your workflow? Will try a few others once I get back into the office on Tuesday.
- GaryBushey Nov 09, 2019 Bronze Contributor
I just tried this again this morning and it worked! I did completely get rid of the actions and started over but it worked 🙂
- GaryBushey Nov 06, 2019 Bronze Contributor
Molx32 I pinged MS about it last week but have not heard anything back from them.