Add Comment to incident fails with error 500

%3CLINGO-SUB%20id%3D%22lingo-sub-983160%22%20slang%3D%22en-US%22%3EAdd%20Comment%20to%20incident%20fails%20with%20error%20500%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-983160%22%20slang%3D%22en-US%22%3E%3CP%3EHi!%3C%2FP%3E%3CP%3EI've%20created%20a%20playbook%20to%20create%20incident%20in%20our%20ticketing%20system%20which%20then%20returns%20back%20ticketing%20system%20incident%20ID%20which%20I%20want%20to%20add%20as%20comment%20to%20Sentinel%20Incident.%20However%20it%20fails%20with%20error%20500%20and%20no%20explanation.%3C%2FP%3E%3CP%3EHere's%20an%20example%20workflow%2C%20where%20I%20have%20removed%20incident%20creation%20in%20ticketing%20system%2C%20however%20adding%20comment%20still%20fails.%20On%20another%20hand%2C%20using%20same%20connections%20adding%20tag%2Flabel%20to%20incident%20works%20fine.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F154866i6F79D41A038710DA%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EHere's%20an%20error%3A%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3E%7B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22error%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%7B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22code%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E500%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22source%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22logic-apis-westeurope.azure-apim.net%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22clientRequestId%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22ea454747-d040-4417-88c8-841d4cc5dd87%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22message%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22BadGateway%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22innerError%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%7B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22debugInfo%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22clientRequestId%3A%20ea454747-d040-4417-88c8-841d4cc5dd87%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3ELogicApp%20with%20playbook%20has%20been%20registered%20in%20Azure%20AD%2C%20Azure%20Sentinel%20and%20Log%20Analytics%20Contributor%20roles%20have%20been%20added.%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EService%20principal%20for%20API%20connection%20to%20Azure%20Sentinel%20has%20been%20created%20and%26nbsp%3BAzure%20Sentinel%20and%20Log%20Analytics%20Contributor%20roles%20have%20been%20added.%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EI%20would%20appreciate%26nbsp%3Bany%20help.%20Thanks!%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EGunars%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-983160%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Ecomment%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Elabel%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPlaybook%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-984281%22%20slang%3D%22en-US%22%3ERe%3A%20Add%20Comment%20to%20incident%20fails%20with%20error%20500%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-984281%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F444133%22%20target%3D%22_blank%22%3E%40GunarsL%3C%2FA%3E%26nbsp%3BI%20think%20that%20error%20can%20be%20resolved%20by%20re-authenticating%20your%20Sentinel%20connector%20however%20it%20will%20then%20throw%20another%20error%20about%20not%20returning%20proper%20JSON%20which%20Microsoft%20is%20working%20on%20resolving.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hi!

I've created a playbook to create incident in our ticketing system which then returns back ticketing system incident ID which I want to add as comment to Sentinel Incident. However it fails with error 500 and no explanation.

Here's an example workflow, where I have removed incident creation in ticketing system, however adding comment still fails. On another hand, using same connections adding tag/label to incident works fine.

clipboard_image_0.png

Here's an error:

{
"error": {
"code": 500,
"source": "logic-apis-westeurope.azure-apim.net",
"clientRequestId": "ea454747-d040-4417-88c8-841d4cc5dd87",
"message": "BadGateway",
"innerError": {
"debugInfo": "clientRequestId: ea454747-d040-4417-88c8-841d4cc5dd87"
}
}
}
LogicApp with playbook has been registered in Azure AD, Azure Sentinel and Log Analytics Contributor roles have been added.
Service principal for API connection to Azure Sentinel has been created and Azure Sentinel and Log Analytics Contributor roles have been added.
I would appreciate any help. Thanks!
Gunars
1 Reply
Highlighted

@GunarsL I think that error can be resolved by re-authenticating your Sentinel connector however it will then throw another error about not returning proper JSON which Microsoft is working on resolving.