Alert - Get incident Error when attempting to Auto Remediate Cloud App Security Alerts


Following the creation of a Logic App to auto-remediate Cloud App Security alerts, I receive the following error for the Alert - Get incident step:

{
    "statusCode": 404,
    "headers": {
        "Access-Control-Allow-Methods": "GET, PUT, PATCH, DELETE, POST",
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Max-Age": "3600",
        "Access-Control-Expose-Headers": "*",
        "Date": "Thu, 11 Mar 2021 15:35:46 GMT",
        "Content-Length": "54",
        "Content-Type": "application/json"
    },
    "body": {
        "statusCode": 404,
        "message": "Resource not found"
    }
}
 
Does anyone have any idea why this might be occurring? I followed the instructions from this playbook: Playbook for Azure Sentinel & MCAS integration | by Priscila Viana | Medium. Thank you in advance!
Hi,

Could you share what you are providing as input in the Get Incident step?

Just double-checking: is there an incident for this alert (viewable from the GUI)?
The following is the input:

{
    "method": "get",
    "path": "/Incidents/subscriptions/9836142a-7fce-4366-a0fb-c969265b1153/resourceGroups/East-Prod-Sentinel-RG/workspaces/246cb7e4-8c78-4ba8-a725-3db560777362/alerts/",
    "host": {
        "connection": {
            "name": "/subscriptions/9836142a-7fce-4366-a0fb-c969265b1153/resourceGroups/East-Prod-Sentinel-RG/providers/Microsoft.Web/connections/azuresentinel"
        }
    }
}

And yes!
Can you share the details of that step?
This is my code for the Get-Incident action:
"Alert_-_Get_incident": {
    "inputs": {
        "host": {
            "connection": {
                "name": "@parameters('$connections')['azuresentinel']['connectionId']"
            }
        },
        "method": "get",
        "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
    },
    "runAfter": {},
    "type": "ApiConnection"
},


I don't think you are passing the right parameters within your Get-Incident action.
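Added example, not part of the thread above and not code from the playbook it links to: a small Python checker that expands the action's path template the way the Logic Apps runtime does (a null trigger-body field renders as an empty string rather than failing the action) and reports which fields came back empty. The rendered input posted in the thread ends in "/alerts/", i.e. the SystemAlertId expression resolved to nothing, which is consistent with the API answering 404 "Resource not found". The path template and the posted rendered path are copied from the thread; the trigger bodies are constructed for illustration, and the encodeURIComponent emulation is an approximation that is exact for GUIDs and ordinary resource-group names.

```python
import re
from urllib.parse import quote

# Path template of the "Alert - Get incident" action, copied from the
# Logic App definition posted in the thread.
GET_INCIDENT_PATH = (
    "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}"
    "/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}"
    "/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}"
    "/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
)

# The rendered "path" input copied from the run history posted in the thread.
POSTED_INPUT_PATH = (
    "/Incidents/subscriptions/9836142a-7fce-4366-a0fb-c969265b1153"
    "/resourceGroups/East-Prod-Sentinel-RG"
    "/workspaces/246cb7e4-8c78-4ba8-a725-3db560777362/alerts/"
)

# Matches the one expression shape used in that template:
#   @{encodeURIComponent(triggerBody()?['FieldName'])}
FIELD_EXPR = re.compile(r"@\{encodeURIComponent\(triggerBody\(\)\?\['([^']+)'\]\)\}")


def referenced_fields(template):
    """Trigger-body fields the template reads, in path order."""
    return FIELD_EXPR.findall(template)


def render_path(template, trigger_body):
    """Expand the template like the Logic Apps runtime: a missing or null
    field becomes an empty string, so its path segment silently vanishes."""
    def substitute(match):
        value = trigger_body.get(match.group(1))
        if value is None:
            return ""
        # Approximation of JavaScript-style encodeURIComponent (assumption);
        # exact for GUIDs and ordinary resource-group names.
        return quote(str(value), safe="")
    return FIELD_EXPR.sub(substitute, template)


def missing_fields(template, trigger_body):
    """Fields the template needs that the trigger body does not supply."""
    return [f for f in referenced_fields(template)
            if trigger_body.get(f) in (None, "")]


def empty_segments(path):
    """Indexes of empty segments in an already rendered path (a trailing or
    doubled slash), for checking a path taken from run history."""
    parts = path.split("/")[1:]  # drop the text before the leading slash
    return [i for i, part in enumerate(parts) if part == ""]


def diagnose(template, trigger_body):
    """Verdict for one run: the resolved path, or the fields to fix."""
    missing = missing_fields(template, trigger_body)
    if missing:
        return "trigger body lacks: " + ", ".join(missing)
    return "ok: " + render_path(template, trigger_body)


# Constructed trigger bodies (not from the thread). The first carries the
# workspace fields but no SystemAlertId, as happens when the playbook is
# fired by a trigger whose payload does not include alert data.
TRIGGER_WITHOUT_ALERT = {
    "WorkspaceSubscriptionId": "00000000-0000-0000-0000-000000000000",
    "WorkspaceResourceGroup": "Sentinel-RG",
    "WorkspaceId": "11111111-1111-1111-1111-111111111111",
}
TRIGGER_WITH_ALERT = dict(
    TRIGGER_WITHOUT_ALERT,
    SystemAlertId="22222222-2222-2222-2222-222222222222",
)

if __name__ == "__main__":
    print("posted path, empty segment indexes:", empty_segments(POSTED_INPUT_PATH))
    print(diagnose(GET_INCIDENT_PATH, TRIGGER_WITHOUT_ALERT))
    print(diagnose(GET_INCIDENT_PATH, TRIGGER_WITH_ALERT))
```

Run it against the trigger body of the failing run (the "Inputs" of the trigger step in run history) to see which field is absent; if SystemAlertId is not in the payload at all, the Get incident action cannot work no matter how the path is written, and the trigger or the source of the alert ID needs changing.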