SOLVED

Azure Sentinel playbook Get-incident fails with bad gateway

Occasional Contributor

This is what my Get-incident looks like

mircasa_1-1586167198087.png

And when I try to run it I get this error:

{
  "error": {
    "code": 400,
    "source": "logic-apis-westeurope.azure-apim.net",
    "clientRequestId": "b713a36a-de7f-42e0-b384-78bda5d5228a",
    "message": "The response is not in a JSON format.",
    "innerError": "Invalid subscription id or resource group"
  }
}

 

I have tried to write the subscription ID and resource group manually, no difference.

Does anyone have a fix for this?

 

 

7 Replies
Have you double-checked that the subscription ID and resource group are correctly filled in when you check the run history?

@Thijs Lecomte 

Yes, checked it

I also tried to put them in manually, still the same result

Best Response confirmed by mircasa (Occasional Contributor)
Solution
Does the account you connected with have permissions on the Sentinel instance?

@Thijs Lecomte 

I'm assuming it has.

It's a service account which was made for Azure Sentinel,

but I didn't create it.

Where can I check if it has the correct permissions?

If it's in Azure AD in Assigned Roles, it has Global Administrator.

@Thijs Lecomte 

 

Never mind, found it.

I think it got solved after I added the Sentinel role to the user.

Thank you for your help! :)

Glad you found it.
BTW: I would advise against a service account.
Instead, use a service principal to authenticate against Sentinel.

@Thijs Lecomte 

 

I will look into that,

Thanks.
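
The permission check asked about in this thread, as an added example that is not part of the original posts: it reads the JSON printed by `az role assignment list` for the connection's identity and reports which Sentinel roles actually apply to the workspace. The role names, the workspace resource ID and the sample assignments are assumptions constructed for illustration; the thread only says "the sentinel role".

```python
# Input is the JSON from (run separately, needs Azure access):
#   az role assignment list --assignee <object-id> --all -o json
# Directory roles such as Global Administrator are not Azure RBAC
# assignments, so they never appear in this list.

# Assumed role names: the 2020 "Azure Sentinel" and current "Microsoft Sentinel" forms.
SENTINEL_ROLES = {
    f"{brand} Sentinel {level}"
    for brand in ("Azure", "Microsoft")
    for level in ("Reader", "Responder", "Contributor")
}

def scope_covers(assignment_scope, resource_id):
    """RBAC is inherited downward: a scope covers itself and everything below it."""
    if not assignment_scope:
        return False
    scope = assignment_scope.rstrip("/").lower()
    target = resource_id.rstrip("/").lower()
    # Match on a path-segment boundary so "rg-soc" does not cover "rg-soc-test".
    return target == scope or target.startswith(scope + "/")

def sentinel_roles_at(assignments, resource_id):
    """Return the Sentinel roles in `assignments` that apply to resource_id."""
    return sorted(
        a["roleDefinitionName"]
        for a in assignments
        if a.get("roleDefinitionName") in SENTINEL_ROLES
        and scope_covers(a.get("scope"), resource_id)
    )

# Constructed sample data (placeholder subscription, resource group, workspace).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
WORKSPACE_ID = (SUB + "/resourceGroups/rg-soc/providers/"
                "Microsoft.OperationalInsights/workspaces/law-sentinel")
SAMPLE = [
    {"roleDefinitionName": "Microsoft Sentinel Responder",
     "scope": SUB + "/resourcegroups/RG-SOC"},        # inherited by the workspace
    {"roleDefinitionName": "Microsoft Sentinel Reader",
     "scope": SUB + "/resourceGroups/rg-soc-test"},   # different resource group
    {"roleDefinitionName": "Storage Blob Data Reader",
     "scope": SUB},                                   # not a Sentinel role
]

if __name__ == "__main__":
    roles = sentinel_roles_at(SAMPLE, WORKSPACE_ID)
    print("Sentinel roles on workspace:", roles or "none (Get-incident will fail)")
```

An empty result for the identity behind the playbook connection matches the situation described in the thread before the Sentinel role was added.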