09-23-2019 07:47 AM
I am looking at the Azure Sentinel action in Logic Apps (AKA Playbooks) and I notice that when I try to do something like "Add a Label" or "Write a Comment" most of the fields (Subscription ID, Resource Group, and Workspace ID) can be obtained from the Sentinel trigger but I do not see any place to get the Incident ID.
Would this Logic App be triggered before the Incident is created and that is why there is no Incident ID? In any event, how would you get the Incident ID in order to use these actions? I see there is an entry to get all the Incidents but I don't see any way to accurately figure out which one to use.
09-24-2019 12:57 PM
Thanks for that information. Any idea why it would throw a
"Key 'Token' not found in connection profile"
09-24-2019 03:15 PM
09-26-2019 09:35 AM
That did the trick. I must have looked at the list of possible variables a dozen times and missed it every time! Thanks for all of your help!
09-27-2019 12:34 PM
@Nicholas DiCola (SECURITY JEDI) A little more weirdness. I can get my Incident, post a comment back to my Incident, Generate a Service Now Incident, and then post a message to Teams (in that order) just fine. However, if I try to post a comment back to my incident AFTER generating a ServiceNow incident I get the following error message (which talks about changing settings in a webapp that I certainly don't have access to). Any ideas?
11-09-2019 05:40 AM
I just tried this again this morning and it worked! I did completely get rid of the actions and started over but it worked :)
11-21-2019 03:40 AM
@ryanksmith @Gary Bushey @ClementBonnet This only works for alert rules that are query based, because you can attach a playbook to them on the Automated Response tab. But what about the Microsoft Security rules like Create incidents based on Azure ATP alerts, or MCAS alerts? You can't attach a playbook to those. So how do you get it to automatically log a SNOW incident, let's say, or send an email whenever an Azure Sentinel incident of such type is created? I couldn't find a way other than a logic app which gets all newly created security alerts from the Microsoft Graph, then takes the Alert ID and checks if an Azure Sentinel incident exists with that alert ID, and if it does continues with actions like log a SNOW ticket and send an email notification. But it's messy and doesn't really work as expected (sometimes it generates duplicate incidents). Anyway, if anyone has any idea on how you could, at the moment and with the current functionalities, create a logic app which gets all newly created Azure Sentinel incidents and that you could set to run automatically so you could also get the Microsoft Security rules incidents, please kindly share. Hope the above makes sense.
12-27-2019 05:49 AM
12-27-2019 07:00 AM
01-29-2020 12:44 PM
Hi @Gary Bushey and everyone, I did pretty much the same thing but every time I get the same error:
"message": "The response is not in a JSON format.",
"innerError": "Invalid subscription id or resource group"
The subscription ID I used is the Azure Sentinel dynamic content "Subscription ID" so how could it be invalid? Any idea on how I could make my "Get Incident" work?
Thanks in advance for your help.
01-29-2020 12:48 PM
@simlad I would try hard-coding the values for your subscription (GUID) and resource group name to see if it works that way. If it does then you are getting bad values from the trigger and that will be the next thing to look at.
You could also try to output all the values from the trigger into an Email or Teams message to see what you are getting.