SOLVED

Azure Sentinel Logic App Action Incident ID


I am looking at the Azure Sentinel action in Logic Apps (AKA Playbooks) and I notice that when I try to do something like "Add a Label" or "Write a Comment" most of the fields (Subscription ID, Resource Group, and Workspace ID) can be obtained from the Sentinel trigger but I do not see any place to get the Incident ID.


Would this Logic App be triggered before the Incident is created and that is why there is no Incident ID? In any event, how would you get the Incident ID in order to use these actions?  I see there is an entry to get all the Incidents but I don't see any way to accurately figure out which one to use.

26 Replies

Thanks @Gary Bushey. Still broken if I take the body from an API pull (which works). Will call Premier support this week now that it's GA.

@ryanksmith @Gary Bushey @ClémentB This only works for alert rules that are query based, because you can attach a playbook to them on the Automated Response tab. But what about the Microsoft Security rules like "Create incidents based on Azure ATP alerts" or MCAS alerts? You can't attach a playbook to those. So how do you get it to automatically log a SNOW incident, let's say, or send an email whenever an Azure Sentinel incident of such a type is created? I couldn't find a way other than a logic app which gets all newly created security alerts from the Microsoft Graph, then takes the Alert ID and checks if an Azure Sentinel incident exists with that alert ID, and if it does, continues with actions like logging a SNOW ticket and sending an email notification. But it's messy and doesn't really work as expected (sometimes it generates duplicate incidents). Anyway, if anyone has any idea on how you could, at the moment and with the current functionality, create a logic app which gets all newly created Azure Sentinel incidents and that you could set to run automatically, so you could also get the Microsoft Security rules incidents, please kindly share. Hope the above makes sense.

Hey Gary,

Do you still have that Number as dynamic content? Because I don't, resulting in not being able to add comments to incidents.

@OskarEnfo Yes, it is still dynamic and it is still working (just checked).

Thanks, I appreciate it. Wondering what the issue is, as everything else I see is the same? I struggle to see that previous steps would be needed for Number to show up. Can it be different levels of licensing? I ended up raising a support ticket with MS.

Hi @Gary Bushey and everyone, I did pretty much the same thing but every time I get the same error:

BadRequest.

OUTPUTS

    {
      "error": {
        "code": 400,
        "source": "logic-apis-canadacentral.azure-apim.net",
        "clientRequestId": "888590e9-f530-4bff-a879-c47f8c04a631",
        "message": "The response is not in a JSON format.",
        "innerError": "Invalid subscription id or resource group"
      }
    }

The subscription ID I used is the Azure Sentinel dynamic content "Subscription ID", so how could it be invalid? Any idea on how I could make my "Get Incident" work?

Thanks in advance for your help.

@simlad I would try hard-coding the values for your subscription (GUID) and resource group name to see if it works that way. If it does, then you are getting bad values from the trigger and that will be the next thing to look at.

You could also try to output all the values from the trigger into an Email or Teams message to see what you are getting.
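Two problems in this thread lend themselves to a worked example: the "poll for newly created incidents, then act on each one" workaround that produced duplicate tickets, and the "Invalid subscription id or resource group" BadRequest that Gary suggests debugging by checking the trigger's values. The block below is an added example written for this page; it is not code from any of the posters or from Microsoft. It models the poller offline: the ARM path and api-version for the Microsoft.SecurityInsights incidents list are the documented ones, the OData `$filter` on `properties/createdTimeUtc` is the list operation's filter syntax, and the HTTP call itself is left to the caller. The two pages of results, the GUIDs, the resource group `rg-sentinel` and the workspace `sentinel-ws` are constructed sample data, and `START` is an assumed initial watermark for the demo.

```python
"""Added example (not from the thread or from Microsoft): an offline model of a
poller that lists new Azure Sentinel incidents through the REST API and acts
on each one exactly once, plus the scope validation that catches the
'Invalid subscription id or resource group' error before a request is sent."""
import re
from datetime import datetime, timezone
from urllib.parse import quote, urlencode

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Assumed starting watermark for the demo below.
START = datetime(2020, 3, 2, tzinfo=timezone.utc)


def validate_scope(subscription_id, resource_group, workspace):
    """Return the problems with the three scope values the connector needs.
    An empty or non-GUID subscription ID coming out of a trigger is a common
    cause of the 'Invalid subscription id or resource group' response."""
    problems = []
    if not GUID_RE.match(subscription_id or ""):
        problems.append(f"subscription id is not a GUID: {subscription_id!r}")
    if not resource_group:
        problems.append("resource group is empty")
    if not workspace:
        problems.append("workspace name is empty")
    return problems


def incidents_list_url(subscription_id, resource_group, workspace, created_after):
    """Build the incidents list URL, filtered to incidents created after the
    watermark and ordered oldest first so the watermark advances monotonically."""
    problems = validate_scope(subscription_id, resource_group, workspace)
    if problems:
        raise ValueError("; ".join(problems))
    stamp = created_after.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    query = urlencode({
        "api-version": "2020-01-01",
        "$filter": f"properties/createdTimeUtc gt {stamp}",
        "$orderby": "properties/createdTimeUtc asc",
    }, safe="/:", quote_via=quote)
    return (
        "https://management.azure.com"
        f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        f"/providers/Microsoft.SecurityInsights/incidents?{query}"
    )


def parse_utc(stamp):
    """Parse timestamps with the 7-digit fraction the API returns
    (e.g. 2020-03-02T10:15:30.1234567Z), which fromisoformat rejects."""
    body, _, frac = stamp.rstrip("Z").partition(".")
    dt = datetime.strptime(body, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)


def select_new_incidents(page, state):
    """Return (incidents to act on, updated state) for one page of results.
    Two guards stop the duplicate tickets described in the thread: a
    createdTimeUtc watermark, and the set of incident IDs already handled,
    since several incidents can share a creation time and a re-poll of an
    overlapping window returns them again.  A real poller would prune IDs
    older than the watermark from the set."""
    watermark = state["watermark"]
    seen = set(state["seen_ids"])
    new = []
    for inc in page.get("value", []):
        props = inc["properties"]
        created = parse_utc(props["createdTimeUtc"])
        if created < watermark or inc["name"] in seen:
            continue
        seen.add(inc["name"])
        watermark = max(watermark, created)
        new.append({
            "id": inc["name"],                   # GUID the Get incident action needs
            "number": props["incidentNumber"],   # the "Number" shown in the portal
            "title": props["title"],
            "severity": props["severity"],
            "rules": props.get("relatedAnalyticRuleIds", []),
        })
    return new, {"watermark": watermark, "seen_ids": sorted(seen)}


def _incident(name, number, title, created):
    """Build one constructed incident in the shape the list API returns."""
    return {"name": name, "type": "Microsoft.SecurityInsights/Incidents",
            "properties": {"title": title, "severity": "Medium", "status": "New",
                           "incidentNumber": number, "createdTimeUtc": created,
                           "relatedAnalyticRuleIds": []}}


# Constructed sample pages: two incidents created in the same second, then an
# overlapping page that repeats both and adds a third.
_A = _incident("0b7c1c2e-1111-4c3d-9a1e-aaaaaaaaaaaa", 41, "Azure ATP alert", "2020-03-02T10:15:30.1234567Z")
_B = _incident("0b7c1c2e-2222-4c3d-9a1e-bbbbbbbbbbbb", 42, "MCAS alert", "2020-03-02T10:15:30.9876543Z")
_C = _incident("0b7c1c2e-3333-4c3d-9a1e-cccccccccccc", 43, "Scheduled rule hit", "2020-03-02T10:15:31Z")
PAGE_1 = {"value": [_A, _B]}
PAGE_2 = {"value": [_A, _B, _C]}


def run_demo():
    """Poll three times (second page twice) and report how many incidents
    each pass would act on, plus the incident numbers in order."""
    state = {"watermark": START, "seen_ids": []}
    first, state = select_new_incidents(PAGE_1, state)
    second, state = select_new_incidents(PAGE_2, state)
    third, state = select_new_incidents(PAGE_2, state)
    return [len(first), len(second), len(third)], [i["number"] for i in first + second + third]


if __name__ == "__main__":
    print(incidents_list_url("11111111-2222-3333-4444-555555555555", "rg-sentinel", "sentinel-ws", START))
    print(run_demo())
```

The same two guards apply inside a Logic App: persist the watermark and the handled incident IDs (a storage table or a variable initialised from the previous run) rather than relying on the recurrence window alone, and validate the scope values with a condition step before the Sentinel action so a bad trigger output fails with a clear message instead of a BadRequest from the connector.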