
Azure Sentinel Logic App Get Incidents is failing with BadGateway


Here is how we have the Alert - Get incidents configured.

 

[Screenshot: clipboard_image_1.png]

 

Here is the output we are getting.  

 

"error": {
    "code": 500,
    "source": "logic-apis-eastus2.azure-apim.net",
    "clientRequestId": "123ec5c4-c2ba-48e6-b3f0-eec6d4a2ceba",
    "message": "BadGateway",
    "innerError": {
        "status": 500,
        "message": "Invalid subscription id or resource group\r\nclientRequestId: 123ec5c4-c2ba-48e6-b3f0-eec6d4a2ceba",
        "source": "azuresentinel-eus2.azconn-eus2.p.azurewebsites.net"
    }
}

 

Double checked both the subscription Id and the resource group and they are correct.  

 

Anyone else seen this and know a fix for it?

3 Replies

@judydixon 

Turns out this was an authentication problem between the Sentinel workspace and the Logic App. Got past that point now.


Unfortunately, it is not documented on the GitHub that in order to deploy the playbook ARM templates, one of the steps is you MUST give the service principal you're using for the initial "when an event happens" Sentinel trigger the necessary reader permissions (at minimum) to the Log Analytics workspace serving your Sentinel deployment. Seems obvious, sure, but it also seems obvious that it should be documented in the step-by-step install instructions in the readme...
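
Added example, not part of the replies in this thread or of the playbook repository: a check of whether a service principal's role assignments actually cover the Log Analytics workspace, which is the missing grant the reply above describes. The IDs, resource names and the set of roles treated as read-capable are assumptions made for the illustration.

```python
# Added example: constructed IDs and names throughout, not values from the thread.
SUB = "00000000-0000-0000-0000-000000000000"
PRINCIPAL = "11111111-1111-1111-1111-111111111111"

# Assumption: built-in roles treated as granting read on the workspace; adjust to policy.
READ_CAPABLE_ROLES = {"Reader", "Log Analytics Reader", "Contributor", "Owner"}


def workspace_scope(sub, rg, workspace):
    """Build the ARM resource ID of a Log Analytics workspace."""
    return (f"/subscriptions/{sub}/resourceGroups/{rg}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}")


def scope_covers(assignment_scope, target_scope):
    """RBAC inherits downward: a scope covers itself and everything beneath it.

    Compare on path-segment boundaries so 'rg-sentinel' never matches 'rg-sentinel-dev'.
    """
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def covering_assignments(assignments, principal_id, target_scope):
    """Return (role, scope) pairs that give the principal read access to the target."""
    return [(a["roleDefinitionName"], a["scope"]) for a in assignments
            if a["principalId"].lower() == principal_id.lower()
            and a["roleDefinitionName"] in READ_CAPABLE_ROLES
            and scope_covers(a["scope"], target_scope)]


TARGET = workspace_scope(SUB, "rg-sentinel", "law-sentinel")

# Constructed sample in the shape of `az role assignment list --assignee <id> --all -o json`.
BEFORE = [
    {"principalId": PRINCIPAL, "roleDefinitionName": "Logic App Contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-sentinel"},
    {"principalId": PRINCIPAL, "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-sentinel-dev"},
]
AFTER = BEFORE + [{"principalId": PRINCIPAL, "roleDefinitionName": "Reader",
                   "scope": TARGET}]

if __name__ == "__main__":
    for label, data in (("before", BEFORE), ("after", AFTER)):
        hits = covering_assignments(data, PRINCIPAL, TARGET)
        print(label, hits or "no read-capable role covers the workspace")
```

An empty result for the connection's principal matches the situation in this thread: the subscription ID and resource group are correct, but nothing grants read access on the workspace.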


@bogglor @judydixon 

 

Can you share the permissions you grant to the app for this to work please?