Sep 23 2019 07:47 AM
I am looking at the Azure Sentinel action in Logic Apps (AKA Playbooks) and I notice that when I try to do something like "Add a Label" or "Write a Comment" most of the fields (Subscription ID, Resource Group, and Workspace ID) can be obtained from the Sentinel trigger but I do not see any place to get the Incident ID.
Would this Logic App be triggered before the Incident is created and that is why there is no Incident ID? In any event, how would you get the Incident ID in order to use these actions? I see there is an entry to get all the Incidents but I don't see any way to accurately figure out which one to use.
Nov 10 2019 06:59 PM
Thanks @Gary Bushey. Still broke if I take the body from an API pull (which works). Will call premier support this week now that it's GA.
Nov 21 2019 03:40 AM
@ryanksmith @Gary Bushey @ClémentB This only works for alert rules that are query based, because you can attach a playbook to them on the Automated Response tab. But what about the Microsoft Security rules like Create incidents based on Azure ATP alerts, or MCAS alerts? You can't attach a playbook to those. So how do you get it to automatically log a SNOW incident, let's say, or send an email whenever an Azure Sentinel incident of such type is created? I couldn't find a way other than a logic app which gets all newly created security alerts from the Microsoft Graph, then takes the Alert ID and checks if an Azure Sentinel incident exists with that alert ID, and if it does continues with actions like log a SNOW ticket and send an email notification. But it's messy and doesn't really work as expected (sometimes it generates duplicate incidents). Anyway, if anyone has any idea on how you could, at the moment and with the current functionalities, create a logic app which gets all newly created Azure Sentinel incidents and that you could set to run automatically so you could also get the Microsoft Security rules incidents, please kindly share. Hope the above makes sense.
Dec 27 2019 05:49 AM
Dec 27 2019 05:52 AM
@OskarEnfo Yes, it is still dynamic and it is still working (just checked).
Dec 27 2019 07:00 AM
Jan 29 2020 12:44 PM
Hi @Gary Bushey and everyone, I did pretty much the same thing but every time I get the same error:
BadRequest.
OUTPUTS
{
"error": {
"code": 400,
"source": "logic-apis-canadacentral.azure-apim.net",
"clientRequestId": "888590e9-f530-4bff-a879-c47f8c04a631",
"message": "The response is not in a JSON format.",
"innerError": "Invalid subscription id or resource group"
}
}
The subscription ID I used is the Azure Sentinel dynamic content "Subscription ID" so how could it be invalid? Any idea on how I could make my "Get Incident" work?
Thanks in advance for your help.
Jan 29 2020 12:48 PM
@simlad I would try hard-coding the values for your subscription (GUID) and resource group name to see if it works that way. If it does then you are getting bad values from the trigger and that will be the next thing to look at.
You could also try to output all the values from the trigger into an Email or Teams message to see what you are getting.
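An added example (not from any poster in this thread) for the two problems raised above: getting the Incident ID for the Sentinel actions, and checking whether the Subscription ID and Resource Group values coming out of the trigger are actually well-formed before the "Get Incident" action rejects them with "Invalid subscription id or resource group". It assumes the incident's ARM resource ID has the usual `/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{ws}/providers/Microsoft.SecurityInsights/Incidents/{id}` shape; the GUIDs and names below are constructed.

```python
import re
import uuid
from typing import Dict

# Constructed sample incident resource ID (assumed ARM shape; GUIDs are made up).
SAMPLE_INCIDENT_ID = (
    "/subscriptions/11111111-2222-3333-4444-555555555555"
    "/resourceGroups/rg-sentinel"
    "/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"
    "/providers/Microsoft.SecurityInsights/Incidents/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
)

# ARM paths are not case-normalised ("resourceGroups" vs "resourcegroups"),
# so match case-insensitively and capture the four values the actions need.
_INCIDENT_RE = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)"
    r"/resourcegroups/(?P<resource_group>[^/]+)"
    r"/providers/microsoft\.operationalinsights/workspaces/(?P<workspace>[^/]+)"
    r"/providers/microsoft\.securityinsights/incidents/(?P<incident>[^/]+)$",
    re.IGNORECASE,
)

# Resource group names: 1-90 chars of letters, digits, '.', '_', '-', '(', ')';
# must not end with a period.
_RG_RE = re.compile(r"^[A-Za-z0-9._()\-]{1,90}(?<!\.)$")


def _is_guid(value: str) -> bool:
    """True only for a canonical hyphenated GUID (what the API expects)."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def parse_incident_id(resource_id: str) -> Dict[str, str]:
    """Split an incident resource ID into subscription, resource_group,
    workspace and incident, validating the two fields the 400 error names."""
    m = _INCIDENT_RE.match(resource_id.strip())
    if not m:
        raise ValueError("not a Sentinel incident resource ID")
    fields = m.groupdict()
    if not _is_guid(fields["subscription"]):
        raise ValueError(f"subscription is not a GUID: {fields['subscription']!r}")
    if not _RG_RE.match(fields["resource_group"]):
        raise ValueError(f"resource group name is malformed: {fields['resource_group']!r}")
    return fields


def is_valid_incident_id(resource_id: str) -> bool:
    """Boolean wrapper, e.g. for a Condition step before calling Get Incident."""
    try:
        parse_incident_id(resource_id)
        return True
    except ValueError:
        return False
```

If the trigger's dynamic "Subscription ID" fails `_is_guid`, it is the trigger output (not the action) that is wrong, which is the case the hard-coding suggestion above isolates.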