Azure Sentinel Logic App write back to comment

Hi All,

I am trying to write the output of an HTTP GET (which works) to a comment in Sentinel. From my review it appears as if the IDs and Groups are set correctly, but I am getting a Bad Request. Has anyone had any success writing back to comments? (Yes, I know this is preview.)

2019-09-13 10_28_11-Window.png

10 Replies

I did not get it to work but I got a 401 error code

@ryanksmith 

Hi

Did you do a step before to "get incident"? You need to do that to get the incident ID.

If you are still having issues, look at my thread on writing comments. Nicholas gave me all the steps needed to get it to work there.

Thanks, @Gary Bushey. Yes, checked that, and ensured I have the Get Incident blade as per @Nicholas DiCola (SECURITY JEDI). Wondering if it's an issue with my "For Each"; will play with the order and see if that fixes it. Will post if successful.

2019-09-30 20_15_33-Greenshot image editor.png

Have moved the get Incident blade around, still get the same 400 error

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid URL</h2>
<hr><p>HTTP Error 400. The request URL is invalid.</p>
</BODY></HTML>

@ryanksmith can you show your settings for "Add comment to incident"? BTW, I get an error on this action after creating a Service Now ticket, so I think there is definitely some sort of bug in there.

@Gary Bushey - yes, here is how I have it set up: 2019-10-01 07_46_17-Microsoft Edge.png

@ryanksmith I'm beginning to think there is a bug where anything that is not static text in the "Specify incident comment" throws an error. Plan on looking into this a bit more tomorrow.

@Gary Bushey - Looks like our errors are exactly the same, you're bang on, static works fine, something about the input throws it off.

2019-10-01 14_07_23-Microsoft Edge.png

@ryanksmith FYI, I am working (or at least I provided them with my test cases) with someone from MS in regards to this issue. What I have found is that if you use the comment feature without any dynamic content it works fine. Once you have it use dynamic content it stops working, and the only way to get it back is to delete the entire logic app and recreate it.

More updates as I get them