Closing Sentinel Incident with logic App


Hi,

I am trying to automate the closure of a Sentinel incident created via the API (no related alert ID).

I have configured a logic app with an HTTP event received task that listens for any API request from a webhook server and then closes the incident.

But I got an error when it comes to changing the incident status in the logic app:

{
  "error": {
    "code": "BadRequest",
    "message": "'EndTimeUtc' must be of kind Utc"
  },
  "debugInfo": "clientRequestId: e01cd4d3-1bac-4cc5-b548-43d948514a53"
}
 
 
The incident with the number 79 is actually opened.
What did I miss?
2 Replies

@descof I wonder if there is something else going on.  I just got an error adding a comment to an incident which I have done numerous times before.  It was saying the subscription or the resource group was wrong but they are the exact same entries I have been using.

@Gary Bushey We are also thinking about a problem while creating the incident via the API. We are looking into whether this is an internal issue or whether we put the startTimeUtc, endtimeUtc in the wrong format.

edit: we tried to force the startTimeUtc, endtimeUtc but apparently Sentinel overwrites the values with its own. So we can't close a custom incident created with the API with a logic app :(