Azure Sentinel Logic App write back to comment

ryanksmith
Occasional Contributor

Hi All,

I am trying to write the output of an HTTP GET (which works) to a comment in Sentinel. From my review it appears as if the IDs and Groups are set correctly, but I am getting a Bad Request. Has anyone had any success writing back to comments? (Yes, I know this is preview.)

2019-09-13 10_28_11-Window.png

10 Replies

I did not get it to work but I got a 401 error code

@ryanksmith 

Hi

Did you do a step before to "get incident"? You need to do that to get the incident id.

If you are still having issues, look at my thread on writing comments. Nicholas gave me all the steps needed to get it to work there.

Thanks, @Gary Bushey. Yes, checked that, and ensured I have the Get Incident blade as per @Nicholas DiCola (SECURITY JEDI). Wondering if it's an issue with my "For Each"; will play with the order and see if that fixes it. Will post if successful.

2019-09-30 20_15_33-Greenshot image editor.png

Have moved the get Incident blade around, still get the same 400 error

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid URL</h2>
<hr><p>HTTP Error 400. The request URL is invalid.</p>
</BODY></HTML>

@ryanksmith can you show your settings for "Add comment to incident"? BTW, I get an error on this action after creating a Service Now ticket, so I think there is definitely some sort of bug in there.

@Gary Bushey - yes, here is how I have it set up: 2019-10-01 07_46_17-Microsoft Edge.png

@ryanksmith I'm beginning to think there is a bug where anything that is not static text in the "Specify incident comment" throws an error. Plan on looking into this a bit more tomorrow.

@Gary Bushey - Looks like our errors are exactly the same. You're bang on: static works fine, something about the input throws it off.

2019-10-01 14_07_23-Microsoft Edge.png

@ryanksmith FYI, I am working (or at least I provided them with my test cases) with someone from MS in regards to this issue. What I have found is that if you use the comment feature without any dynamic content, it works fine. Once you have it use dynamic content, it stops working, and the only way to get it back is to delete the entire logic app and recreate it.

More updates as I get them.
