Azure Sentinel Logic App Get Incidents is failing with BadGateway


Here is how we have the Alert - Get incidents configured.




Here is the output we are getting.  


"error": {
"code": 500,
"source": "",
"clientRequestId": "123ec5c4-c2ba-48e6-b3f0-eec6d4a2ceba",
"message": "BadGateway",
"innerError": {
"status": 500,
"message": "Invalid subscription id or resource group\r\nclientRequestId: 123ec5c4-c2ba-48e6-b3f0-eec6d4a2ceba",
"source": ""


Double checked both the subscription Id and the resource group and they are correct.  


Anyone else seen this and know a fix for it?

3 Replies


Turns out this was an authentication problem between the Sentinel workspace and the Logic App. Got past that point now.

Unfortunately, it is not documented on the GitHub that in order to deploy the playbook ARM templates, one of the steps is you MUST give the service principal you're using for the initial "when an event happens" Sentinel trigger the necessary reader permissions (at minimum) to the Log Analytics workspace serving your Sentinel deployment. Seems obvious, sure, but it also seems obvious that it should be documented in the step-by-step install instructions in the readme...

@bogglor @judydixon

Can you share the permissions you grant to the app for this to work please?
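
The second reply above says the service principal behind the Sentinel trigger needs at least reader permissions on the Log Analytics workspace. As an added example (not from the thread or the playbook repository), this Azure CLI script checks for such a role at workspace scope and assigns one only if it is missing; the list of roles, the choice of Microsoft Sentinel Reader, and all arguments are assumptions.

```shell
#!/bin/sh
# Added example: verify (and if needed grant) read access on the Sentinel
# workspace for the identity used by the Logic App's Sentinel connection.
# Requires the Azure CLI (az) and an account allowed to create role assignments.

# Build the ARM resource ID of the Log Analytics workspace (the role scope).
workspace_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s' \
    "$1" "$2" "$3"
}

# Read role names (one per line) on stdin; succeed if any of them is a
# built-in role treated here as "reader or better" (assumed list).
has_read_role() {
  while IFS= read -r role || [ -n "$role" ]; do
    case "$role" in
      "Reader"|"Contributor"|"Owner"|\
      "Log Analytics Reader"|"Log Analytics Contributor"|\
      "Microsoft Sentinel Reader"|"Microsoft Sentinel Responder"|\
      "Microsoft Sentinel Contributor") return 0 ;;
    esac
  done
  return 1
}

# usage: ensure_reader <subscription-id> <resource-group> <workspace> <sp-app-or-object-id>
ensure_reader() {
  scope=$(workspace_scope "$1" "$2" "$3")
  # Include inherited assignments: a role at resource-group or subscription
  # level also applies to the workspace.
  if az role assignment list --assignee "$4" --scope "$scope" --include-inherited \
       --query '[].roleDefinitionName' -o tsv | has_read_role; then
    echo "Principal $4 already has read access on $scope"
  else
    # Least privilege: scope the assignment to the workspace only.
    az role assignment create --assignee "$4" \
      --role "Microsoft Sentinel Reader" --scope "$scope"
  fi
}

# Run only when all four arguments are supplied on the command line.
if [ "$#" -eq 4 ]; then
  ensure_reader "$@"
fi
```

After a new assignment, re-authorize the Logic App's Sentinel API connection if it still fails, since role changes can take a few minutes to propagate.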