cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Home

Azure Sentinel Logic App Get Incidents is failing with BadGateway

%3CLINGO-SUB%20id%3D%22lingo-sub-918936%22%20slang%3D%22en-US%22%3EAzure%20Sentinel%20Logic%20App%20Get%20Incidents%20is%20failing%20with%20BadGateway%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918936%22%20slang%3D%22en-US%22%3E%3CP%3EHere%20is%20how%20we%20have%20the%20Alert%20-%20Get%20incidents%20configured.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138507i14E830DDABFCFBED%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_1.png%22%20title%3D%22clipboard_image_1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20is%20the%20output%20we%20are%20getting.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22error%22%3A%20%7B%3CBR%20%2F%3E%22code%22%3A%20500%2C%3CBR%20%2F%3E%22source%22%3A%20%22logic-apis-eastus2.azure-apim.net%22%2C%3CBR%20%2F%3E%22clientRequestId%22%3A%20%22123ec5c4-c2ba-48e6-b3f0-eec6d4a2ceba%22%2C%3CBR%20%2F%3E%22message%22%3A%20%22BadGateway%22%2C%3CBR%20%2F%3E%22innerError%22%3A%20%7B%3CBR%20%2F%3E%22status%22%3A%20500%2C%3CBR%20%2F%3E%22message%22%3A%20%22Invalid%20subscription%20id%20or%20resource%20group%5Cr%5CnclientRequestId%3A%20123ec5c4-c2ba-48e6-b3f0-eec6d4a2ceba%22%2C%3CBR%20%2F%3E%22source%22%3A%20%22azuresentinel-eus2.azconn-eus2.p.azurewebsites.net%22%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDouble%20checked%20both%20the%20subscription%20Id%20and%20the%20resource%20group%20and%20they%20are%20correct.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyone%20else%20seen%20this%20and%20know%20a%20fix%20for%20it%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-919684%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Sentinel%20Logic%20App%20Get%20Incidents%20is%20failing%20with%20BadGateway%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-919684%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F426748%22%20target%3D%22_blank%22%3E%40judydixon%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETurns%20out%20this%20was%20an%20authentication%20problem%20between%20the%20sentinel%20workspace%20and%20the%20logic%20app.%26nbsp%3B%20Got%20past%20that%20point%20now.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-919732%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Sentinel%20Logic%20App%20Get%20Incidents%20is%20failing%20with%20BadGateway%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-919732%22%20slang%3D%22en-US%22%3E%3CP%3EUnfortunately%2C%20it%20is%20not%20documented%20on%20the%20github%20that%20in%20order%20to%20deploy%20the%20playbook%20ARM%20templates%2C%20one%20of%20the%20steps%20is%20you%20MUST%20give%20the%20service%20principal%20you're%20using%20for%20the%20initial%20%22when%20an%20event%20happens%22%20sentinel%20trigger%20the%20necessary%20reader%20permissions%20(at%20minimum)%20to%20the%20log%20analytics%20workspace%20serving%20your%20sentinel%20deployment.%26nbsp%3B%20Seems%20obvious%2C%20sure%2C%20but%20it%20also%20seems%20obvious%20that%20it%20should%20be%20documented%20in%20the%20step%20by%20step%20install%20instructions%20in%20the%20readme....%3C%2FP%3E%3C%2FLINGO-BODY%3E
judydixon
judydixon
New Contributor

‎10-18-2019 12:30 PM

‎10-18-2019 12:30 PM

Azure Sentinel Logic App Get Incidents is failing with BadGateway

Here is how we have the Alert - Get incidents configured.

 

clipboard_image_1.png

 

Here is the output we are getting.  

 

"error": {
"code": 500,
"source": "logic-apis-eastus2.azure-apim.net",
"clientRequestId": "123ec5c4-c2ba-48e6-b3f0-eec6d4a2ceba",
"message": "BadGateway",
"innerError": {
"status": 500,
"message": "Invalid subscription id or resource group\r\nclientRequestId: 123ec5c4-c2ba-48e6-b3f0-eec6d4a2ceba",
"source": "azuresentinel-eus2.azconn-eus2.p.azurewebsites.net"
}
}

 

Double checked both the subscription Id and the resource group and they are correct.  

 

Anyone else seen this and know a fix for it?

139 Views
0 Likes
2 Replies
Reply
2 Replies
judydixon

‎10-19-2019 06:01 AM

‎10-19-2019 06:01 AM

Re: Azure Sentinel Logic App Get Incidents is failing with BadGateway

@judydixon 

Turns out this was an authentication problem between the sentinel workspace and the logic app.  Got past that point now. 

0 Likes
Reply
bogglor

‎10-19-2019 08:23 AM

‎10-19-2019 08:23 AM

Re: Azure Sentinel Logic App Get Incidents is failing with BadGateway

Unfortunately, it is not documented on the github that in order to deploy the playbook ARM templates, one of the steps is you MUST give the service principal you're using for the initial "when an event happens" sentinel trigger the necessary reader permissions (at minimum) to the log analytics workspace serving your sentinel deployment.  Seems obvious, sure, but it also seems obvious that it should be documented in the step by step install instructions in the readme....

0 Likes
Reply
Related Conversations
Tabs and Dark Mode
 cjc2112 in Discussions on 09-18-2019
46 Replies
The announcement regarding self-service purchase capabilities for Power Platform products??
 Kelly E in Office 365 on 10-21-2019
64 Replies
Extentions Synchronization
 Deleted in Discussions on 11-13-2019
3 Replies
How to Prevent Teams from Auto-Launch
 chenrylee in Microsoft Teams on 06-27-2019
29 Replies
flashing a white screen while open new tab
 Deleted in Discussions on 10-05-2019
14 Replies
Security Community Webinars
 Valon_Kolica in Security, Privacy & Compliance on 10-22-2019
13 Replies