Alert - Get incident

Hey,

I am trying to implement a Logic App with Alert - Get incident with an Azure Sentinel alert trigger and I get the following error when running:

{
  "error": {
    "code": 400,
    "source": "logic-apis-northeurope.azure-apim.net",
    "clientRequestId": "adc961ce-781a-406b-9f24-f02580e7f386",
    "message": "The response is not in a JSON format.",
    "innerError": "Invalid subscription id or resource group"
  }
}

As I validated all the parameters and the permissions seem correct, I don't know what I am doing wrong.

Anyone had any similar issue?

Actually I need to retrieve Sentinel incidents using a Logic App. Can anyone share a way to do it?

@akefallonitis I just wrote a blog post on doing that. Make sure to read Part 1 and 2 as I changed some of the ways I did the logic app in Part 2. Part 3 gives you a workbook to start from that uses the data.

https://www.garybushey.com/2020/05/07/ingesting-azure-sentinel-incident-information-into-log-analytics/

@Gary Bushey

Hi Gary, very nice!

Just one question: what permissions does the app need to have to access and write the incidents?

@akefallonitis that was mentioned in the blog post:

One additional step you will need to take is to give this App the Azure Sentinel Reader rights at some level. You can use either the Subscription, Resource Group, or Log Analytics workspace level and I would recommend the Log Analytics workspace level just for added security.

@Gary Bushey

Thanks again, I did not notice that. One last question: does the write to Log Analytics not require additional write permissions for the app?

@akefallonitis Strangely no. I just gave the app the read permissions and it worked just fine.
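An added example, not from the thread or from the blog post linked above: the "Get incident" action is a wrapper around the Microsoft.SecurityInsights incidents REST API, and the 400 "Invalid subscription id or resource group" in the original post is what comes back when the subscription, resource group or workspace fed into the action do not identify a real Sentinel workspace. The script below validates those three scope values, builds the incidents URL they map to, and walks a paged incidents response with nextLink. It does no network I/O: the two response pages and the subscription GUID are constructed to match the documented response shape, and the api-version is an assumption to confirm against current documentation.

```python
"""Validate the scope of a Sentinel incidents call and parse a paged incidents
response. Added example; no network access, sample data is constructed."""
import json
import re
import uuid
from typing import Callable, Dict, List, Optional, Tuple

ARM = "https://management.azure.com"
API_VERSION = "2021-10-01"  # assumed stable SecurityInsights version; verify
# Resource-group rules: 1-90 chars of alphanumerics, underscore, parentheses,
# hyphen, period; must not end with a period.
RG_RE = re.compile(r"^[A-Za-z0-9_()\-.]{1,90}$")
# Log Analytics workspace rules: 4-63 alphanumerics/hyphens, alphanumeric at both ends.
WS_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{2,61}[A-Za-z0-9]$")
SAMPLE_SUB = "00000000-0000-0000-0000-000000000000"  # constructed placeholder


def validate_scope(subscription_id: str, resource_group: str, workspace: str) -> List[str]:
    """Return the problems with the scope parameters (empty list when valid).
    These are the values the connector rejects with the 400 seen in the thread."""
    problems: List[str] = []
    try:
        uuid.UUID(subscription_id)
    except ValueError:
        problems.append("subscription id is not a GUID")
    if not RG_RE.match(resource_group) or resource_group.endswith("."):
        problems.append("resource group name violates Azure naming rules")
    if not WS_RE.match(workspace):
        problems.append("workspace name violates Log Analytics naming rules")
    return problems


def incidents_url(subscription_id: str, resource_group: str, workspace: str,
                  incident_id: Optional[str] = None) -> str:
    """Build the ARM URL for the incidents list (or one incident). The workspace
    path here is also the scope at which Azure Sentinel Reader must be assigned."""
    problems = validate_scope(subscription_id, resource_group, workspace)
    if problems:
        raise ValueError("; ".join(problems))
    url = (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
           f"/providers/Microsoft.SecurityInsights/incidents")
    if incident_id:
        url += f"/{incident_id}"
    return f"{url}?api-version={API_VERSION}"


def summarize_incidents(page: Dict) -> Tuple[List[Dict], Optional[str]]:
    """Reduce one response page to the fields worth forwarding to Log Analytics
    and return the nextLink, which is absent on the last page."""
    rows = []
    for item in page.get("value", []):
        p = item["properties"]
        rows.append({"number": p["incidentNumber"], "title": p["title"],
                     "severity": p["severity"], "status": p["status"],
                     "created": p["createdTimeUtc"]})
    return rows, page.get("nextLink")


def collect_incidents(first_url: str, fetch: Callable[[str], Dict]) -> List[Dict]:
    """Follow nextLink until the list is exhausted. `fetch` performs the GET;
    here it is a lookup into constructed pages, in production an HTTP call."""
    rows: List[Dict] = []
    url: Optional[str] = first_url
    while url:
        got, url = summarize_incidents(fetch(url))
        rows.extend(got)
    return rows


# Constructed two-page response in the shape of the incidents list API.
_FIRST = incidents_url(SAMPLE_SUB, "rg-sentinel", "la-ws")
_NEXT = _FIRST + "&$skipToken=constructed"
SAMPLE_PAGES = {
    _FIRST: json.loads("""{"value": [{"name": "inc-1", "properties": {
        "incidentNumber": 1001, "title": "Suspicious sign-in", "severity": "High",
        "status": "New", "createdTimeUtc": "2020-05-07T10:00:00Z"}}],
        "nextLink": "%s"}""" % _NEXT),
    _NEXT: json.loads("""{"value": [{"name": "inc-2", "properties": {
        "incidentNumber": 1002, "title": "Malware detected", "severity": "Medium",
        "status": "Closed", "createdTimeUtc": "2020-05-07T11:00:00Z"}}]}"""),
}


def fake_fetch(url: str) -> Dict:
    """Stand-in for the authenticated GET; returns the constructed pages."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    print(validate_scope("not-a-guid", "rg.", "x"))
    for row in collect_incidents(_FIRST, fake_fetch):
        print(row)
```

Running validate_scope on the values wired into the Logic App action is a quicker first check than re-running the workflow, and the workspace path that incidents_url produces is the exact scope on which the Azure Sentinel Reader assignment from the thread should sit.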