Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community

Add Comment to incident fails with error 500

Copper Contributor


I've created a playbook to create incident in our ticketing system which then returns back ticketing system incident ID which I want to add as comment to Sentinel Incident. However it fails with error 500 and no explanation.

Here's an example workflow, where I have removed incident creation in ticketing system, however adding comment still fails. On another hand, using same connections adding tag/label to incident works fine.


Here's an error:

"error": {
"code": 500,
"source": "",
"clientRequestId": "ea454747-d040-4417-88c8-841d4cc5dd87",
"message": "BadGateway",
"innerError": {
"debugInfo": "clientRequestId: ea454747-d040-4417-88c8-841d4cc5dd87"
LogicApp with playbook has been registered in Azure AD, Azure Sentinel and Log Analytics Contributor roles have been added.
Service principal for API connection to Azure Sentinel has been created and Azure Sentinel and Log Analytics Contributor roles have been added.
I would appreciate any help. Thanks!
1 Reply

@GunarsL I think that error can be resolved by re-authenticating your Sentinel connector however it will then throw another error about not returning proper JSON which Microsoft is working on resolving.