Azure Sentinel Logic App Get Incidents is failing with BadGateway

judydixon
New Contributor

Here is how we have the Alert - Get incidents configured.

[Image: clipboard_image_1.png]

Here is the output we are getting.

"error": {
    "code": 500,
    "source": "logic-apis-eastus2.azure-apim.net",
    "clientRequestId": "123ec5c4-c2ba-48e6-b3f0-eec6d4a2ceba",
    "message": "BadGateway",
    "innerError": {
        "status": 500,
        "message": "Invalid subscription id or resource group\r\nclientRequestId: 123ec5c4-c2ba-48e6-b3f0-eec6d4a2ceba",
        "source": "azuresentinel-eus2.azconn-eus2.p.azurewebsites.net"
    }
}

Double checked both the subscription Id and the resource group and they are correct.

Anyone else seen this and know a fix for it?

2 Replies

@judydixon 

Turns out this was an authentication problem between the Sentinel workspace and the logic app. Got past that point now.

Unfortunately, it is not documented on the GitHub that in order to deploy the playbook ARM templates, one of the steps is you MUST give the service principal you're using for the initial "when an event happens" Sentinel trigger the necessary reader permissions (at minimum) to the Log Analytics workspace serving your Sentinel deployment. Seems obvious, sure, but it also seems obvious that it should be documented in the step-by-step install instructions in the readme....
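Added example, not part of the original thread or of the Sentinel GitHub repository: one way to check for and grant the Reader role the reply above describes, using the Azure CLI and scoping the assignment to the Log Analytics workspace rather than the whole subscription. The principal ID and resource names are passed as arguments, and the script name in the comment is hypothetical.

```shell
#!/bin/sh
# Added example: all IDs and names are supplied by the caller; none come from the thread.

# Build the ARM resource ID of the Log Analytics workspace behind Sentinel.
workspace_scope() {  # args: subscription-id resource-group workspace-name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s' \
    "$1" "$2" "$3"
}

# Count Reader assignments the principal holds at the scope, including
# ones inherited from the resource group or subscription.
reader_assignment_count() {  # args: principal-id scope
  az role assignment list --assignee "$1" --scope "$2" --role Reader \
    --include-inherited --query 'length(@)' --output tsv
}

# Grant Reader on the workspace only if the principal does not already have it.
ensure_workspace_reader() {  # args: principal-id scope
  if [ "$(reader_assignment_count "$1" "$2")" -gt 0 ]; then
    echo "Reader already present on $2"
  else
    az role assignment create --assignee "$1" --role Reader --scope "$2"
  fi
}

# Runs only when called with four arguments (hypothetical script name):
#   ./grant-workspace-reader.sh <principal-id> <subscription-id> <resource-group> <workspace>
if [ "$#" -eq 4 ]; then
  ensure_workspace_reader "$1" "$(workspace_scope "$2" "$3" "$4")"
fi
```

After the assignment is in place, re-run the failed Logic App run; role assignments can take a few minutes to propagate.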
