Azure Sentinel Playbook Errors

Occasional Contributor

Lately we've been having an increasing number of issues in which our Logic Apps are failing to process, resulting in the tickets (this is a SNOW connected Logic App) not being created for said alert.

I can confirm that the incident does exist with the matching IDs found in the Raw input of the "Get-Incidents", but when the playbook is called the error below is generated. This is not occurring for every alert; it is intermittent. When running the playbook manually against the alert that failed to run the playbook, there are no issues.

"message": "The response is not in a JSON format.",
"innerError": "Failed to run playbook - no incident found with the properties you provided"

 
For reference, we are using the "When a response to an Azure Sentinel alert is triggered" trigger for the playbook.

Is there another issue with the Logic Apps? As I recall, there was an issue similar to this last year. Could this be a rate limiting or timeout in the data retrieval from the incidents?

0 Replies