Alert - Get incident Error when attempting to Auto Remediate Cloud App Security Alerts


Following the creation of a LogicApp to auto remediate Cloud App Security alerts, I receive the following error for the Alert - Get incident: 

{
    "statusCode": 404,
    "headers": {
        "Access-Control-Allow-Methods": "GET, PUT, PATCH, DELETE, POST",
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Max-Age": "3600",
        "Access-Control-Expose-Headers": "*",
        "Date": "Thu, 11 Mar 2021 15:35:46 GMT",
        "Content-Length": "54",
        "Content-Type": "application/json"
    },
    "body": {
        "statusCode": 404,
        "message": "Resource not found"
    }
}
 
Does anyone have any idea why this might be occurring? I followed the instructions from this Playbook for Azure Sentinel & MCAS integration | by Priscila Viana | Medium. Thank you in advance!
Hi

Could you share what you are providing as input in the Get Incident step?

Just double checking: There is an incident for this alert (viewable from the GUI?)
The following is the input:

{
    "method": "get",
    "path": "/Incidents/subscriptions/9836142a-7fce-4366-a0fb-c969265b1153/resourceGroups/East-Prod-Sentinel-RG/workspaces/246cb7e4-8c78-4ba8-a725-3db560777362/alerts/",
    "host": {
        "connection": {
            "name": "/subscriptions/9836142a-7fce-4366-a0fb-c969265b1153/resourceGroups/East-Prod-Sentinel-RG/providers/Microsoft.Web/connections/azuresentinel"
        }
    }
}

And yes!
Can you share the details of that step?
This is my code for my Get-Incident:
"Alert_-_Get_incident": {
    "inputs": {
        "host": {
            "connection": {
                "name": "@parameters('$connections')['azuresentinel']['connectionId']"
            }
        },
        "method": "get",
        "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
    },
    "runAfter": {},
    "type": "ApiConnection"
},


I don't think you are passing the right parameters within your Get-Incident action.
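To make the difference between the two posts concrete, here is an added example (not code from the thread or from the Sentinel connector) that expands the path template from the working action above against a trigger body and flags the failure mode in the original post: when `SystemAlertId` is absent, the rendered path ends in `/alerts/` with no alert id, which is exactly the request the 404 came back for. Field names and the template come from the thread; the GUIDs are constructed placeholders, and `urllib.parse.quote` is used as an approximation of the Logic Apps `encodeURIComponent` function.

```python
import re
from urllib.parse import quote

# Path template copied from the "Alert_-_Get_incident" action posted in the thread.
PATH_TEMPLATE = (
    "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}"
    "/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}"
    "/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}"
    "/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
)
REQUIRED_FIELDS = ("WorkspaceSubscriptionId", "WorkspaceResourceGroup",
                   "WorkspaceId", "SystemAlertId")
_EXPR = re.compile(r"@\{encodeURIComponent\(triggerBody\(\)\?\['([^']+)'\]\)\}")

# Constructed trigger bodies (placeholder GUIDs, not values from a real tenant).
TRIGGER_OK = {
    "WorkspaceSubscriptionId": "00000000-0000-0000-0000-000000000001",
    "WorkspaceResourceGroup": "Example-Sentinel-RG",
    "WorkspaceId": "00000000-0000-0000-0000-000000000002",
    "SystemAlertId": "00000000-0000-0000-0000-000000000003",
}
# Same body without SystemAlertId: the shape that yields a path ending in "/alerts/".
TRIGGER_NO_ALERT_ID = {k: v for k, v in TRIGGER_OK.items() if k != "SystemAlertId"}


def render_path(trigger_body):
    """Expand the template roughly as the Logic App runtime does: triggerBody()?['x']
    is null for a missing key, which encodeURIComponent renders as an empty string;
    percent-encoding is approximated here with urllib's quote()."""
    def expand(match):
        value = trigger_body.get(match.group(1))
        return quote("" if value is None else str(value), safe="")
    return _EXPR.sub(expand, PATH_TEMPLATE)


def missing_fields(trigger_body):
    """Return the required trigger fields that are absent or empty."""
    return [f for f in REQUIRED_FIELDS if not trigger_body.get(f)]


def path_is_complete(path):
    """A usable path ends in a specific alert id; a bare '/alerts/' is the 404 case above."""
    return not path.endswith("/alerts/")


if __name__ == "__main__":
    for name, body in (("complete", TRIGGER_OK), ("missing alert id", TRIGGER_NO_ALERT_ID)):
        path = render_path(body)
        print(f"{name}: {path}")
        print("  missing:", missing_fields(body) or "none", "| complete:", path_is_complete(path))
```

Running the check before the Get incident action (or on the trigger payload in the run history) tells you whether the trigger actually supplied the alert id, which is the first thing to verify when this connector returns "Resource not found".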