Oct 18 2019 12:30 PM
Here is how we have the Alert - Get incidents configured.
Here is the output we are getting.
"error": {
    "code": 500,
    "source": "logic-apis-eastus2.azure-apim.net",
    "clientRequestId": "123ec5c4-c2ba-48e6-b3f0-eec6d4a2ceba",
    "message": "BadGateway",
    "innerError": {
        "status": 500,
        "message": "Invalid subscription id or resource group\r\nclientRequestId: 123ec5c4-c2ba-48e6-b3f0-eec6d4a2ceba",
        "source": "azuresentinel-eus2.azconn-eus2.p.azurewebsites.net"
    }
}
Double checked both the subscription Id and the resource group and they are correct.
Anyone else seen this and know a fix for it?
Oct 19 2019 06:01 AM
Turns out this was an authentication problem between the sentinel workspace and the logic app. Got past that point now.
Oct 19 2019 08:23 AM
Unfortunately, it is not documented on the GitHub that in order to deploy the playbook ARM templates, one of the steps is you MUST give the service principal you're using for the initial "when an event happens" Sentinel trigger the necessary Reader permissions (at minimum) to the Log Analytics workspace serving your Sentinel deployment. Seems obvious, sure, but it also seems obvious that it should be documented in the step-by-step install instructions in the readme...
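The permission check the reply above describes, written out as an added example that is not part of this thread and not from the playbook repository: it builds the ARM scope of the Log Analytics workspace, asks the Azure CLI whether the service principal behind the Sentinel API connection already holds Reader there (direct or inherited), and creates the assignment only if it is missing, so re-running it is safe. It assumes the Azure CLI (`az`) is installed and logged in with rights to manage role assignments, and it takes the subscription id, resource group, workspace name and the service principal's object id from the environment variables named in the script (names chosen for this example); the GUIDs used in the comments are constructed placeholders. The error above is the symptom this check is meant to prevent: the connector reports "Invalid subscription id or resource group" when it cannot read the workspace, not only when the ids are wrong.

```bash
#!/usr/bin/env bash
# Added example: ensure the service principal used by the Sentinel trigger's API
# connection has Reader on the Log Analytics workspace behind the Sentinel deployment.
# Assumes 'az' is installed and logged in; all ids come from environment variables.
set -euo pipefail

# ARM resource id of a Log Analytics workspace; this is the scope the role
# assignment is checked and created at.
workspace_scope() {
  local sub="$1" rg="$2" ws="$3"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s' \
    "$sub" "$rg" "$ws"
}

# Number of Reader assignments the principal holds at the scope, including ones
# inherited from the resource group or subscription.
reader_assignment_count() {
  local object_id="$1" scope="$2"
  az role assignment list --assignee "$object_id" --scope "$scope" --role Reader \
    --include-inherited --query 'length(@)' -o tsv
}

# Grant Reader at the workspace scope only when no assignment exists (idempotent).
# Reader at the workspace is the minimum the reply above names; keep the scope this
# narrow rather than granting at subscription level.
ensure_reader() {
  local object_id="$1" scope="$2"
  local n
  n="$(reader_assignment_count "$object_id" "$scope")"
  if [ "$n" -gt 0 ]; then
    echo "Reader already assigned to $object_id at $scope ($n assignment(s))"
    return 0
  fi
  echo "Granting Reader to $object_id at $scope"
  az role assignment create --assignee-object-id "$object_id" \
    --assignee-principal-type ServicePrincipal --role Reader --scope "$scope" -o none
}

# Example invocation (placeholder values, constructed for this example):
#   SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000 RESOURCE_GROUP=sentinel-rg \
#   WORKSPACE_NAME=sentinel-ws SP_OBJECT_ID=11111111-1111-1111-1111-111111111111 ./ensure-reader.sh
if [ -n "${SP_OBJECT_ID:-}" ] && [ -n "${SUBSCRIPTION_ID:-}" ] \
   && [ -n "${RESOURCE_GROUP:-}" ] && [ -n "${WORKSPACE_NAME:-}" ]; then
  ensure_reader "$SP_OBJECT_ID" \
    "$(workspace_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$WORKSPACE_NAME")"
fi
```

The object id to pass is that of the service principal the `azuresentinel` API connection authenticates as (visible on the connection's blade in the portal, or the enterprise application's object id in Azure AD); a user-authorised connection needs the same Reader assignment for that user instead. Running the script a second time reports the existing assignment and changes nothing.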
May 12 2020 06:43 AM