Azure Sentinel Logic App Action Incident ID

Valued Contributor

I am looking at the Azure Sentinel action in Logic Apps (AKA Playbooks) and I notice that when I try to do something like "Add a Label" or "Write a Comment" most of the fields (Subscription ID, Resource Group, and Workspace ID) can be obtained from the Sentinel trigger but I do not see any place to get the Incident ID.


Would this Logic App be triggered before the Incident is created and that is why there is no Incident ID? In any event, how would you get the Incident ID in order to use these actions?  I see there is an entry to get all the Incidents but I don't see any way to accurately figure out which one to use.

26 Replies

@Gary Bushey 


We have a "get incident" action that will get the incident that can be used.

 Thanks for that information.  Any idea why it would throw a

"Key 'Token' not found in connection profile"  


@Gary Bushey 

I havent seen that one before.  maybe the connection needs to be re-authenticated.  Go to the connection object in the resource group.  Click Edit API blade.  Click Authenticate.  Click Save after authenticating.

Getting closer. Didn't get that error but now I got: { "error": { "code": 500, "source": "", "clientRequestId": "56979c89-eb27-42e6-9506-8e208cb4cb67", "message": "BadGateway", "innerError": { "message": "We couldn’t find incidents related to the specified properties.\r\nclientRequestId: 56979c89-eb27-42e6-9506-8e208cb4cb67", "status": 500, "source": "" } } }

This is my configuration.  Am I using the wrong variable for "Specify Alert Id"?




best response confirmed by Gary Bushey (Valued Contributor)

@Gary Bushey 

You need to use System Alert ID

   That did the trick.  I must have looked at the list of possible variables a dozen time and missed it every time!   Thanks for all of your help!

@Gary Bushey 

Awesome!  glad a could help.

if you have cool playbooks feel free to help contribute to the github repo!

@Nicholas DiCola (SECURITY JEDI) A little more weirdness.  I can get my Incident, post a comment back to my Incident, Generate a Service Now Incident, and then post a message to Teams (in that order) just fine.   However, if I try to post a comment back to my incident AFTER generating a ServiceNow incident I get the following error message (which talks about changing settings in a webapp that I certainly don't have access to).  Any ideas?


    "error": {
        "message""The response is not in a JSON format.",
        "innerError""<!DOCTYPE html>\r\n<html>\r\n    <head>\r\n        <title>Runtime Error</title>\r\n        <meta name=\"viewport\" content=\"width=device-width\" />\r\n        <style>\r\n         body {font-family:\"Verdana\";font-weight:normal;font-size: .7em;color:black;} \r\n         p {font-family:\"Verdana\";font-weight:normal;color:black;margin-top: -5px}\r\n         b {font-family:\"Verdana\";font-weight:bold;color:black;margin-top: -5px}\r\n         H1 { font-family:\"Verdana\";font-weight:normal;font-size:18pt;color:red }\r\n         H2 { font-family:\"Verdana\";font-weight:normal;font-size:14pt;color:maroon }\r\n         pre {font-family:\"Consolas\",\"Lucida Console\",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}\r\n         .marker {font-weight: bold; color: black;text-decoration: none;}\r\n         .version {color: gray;}\r\n         .error {margin-bottom: 10px;}\r\n         .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }\r\n         @media screen and (max-width: 639px) {\r\n          pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }\r\n         }\r\n         @media screen and (max-width: 479px) {\r\n          pre { width: 280px; }\r\n         }\r\n        </style>\r\n    </head>\r\n\r\n    <body bgcolor=\"white\">\r\n\r\n            <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>\r\n\r\n            <h2> <i>Runtime Error</i> </h2></span>\r\n\r\n            <font face=\"Arial, Helvetica, Geneva, SunSans-Regular, sans-serif \">\r\n\r\n            <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.\r\n            <br><br>\r\n\r\n            <b>Details:</b> To enable the details of this specific error message to be viewable on remote machines, please create a &lt;customErrors&gt; tag within a &quot;web.config&quot; configuration file located in the root directory of the current web application. This &lt;customErrors&gt; tag should then have its &quot;mode&quot; attribute set to &quot;Off&quot;.<br><br>\r\n\r\n            <table width=100% bgcolor=\"#ffffcc\">\r\n               <tr>\r\n                  <td>\r\n                      <code><pre>\r\n\r\n&lt;!-- Web.Config Configuration File --&gt;\r\n\r\n&lt;configuration&gt;\r\n    &lt;system.web&gt;\r\n        &lt;customErrors mode=&quot;Off&quot;/&gt;\r\n    &lt;/system.web&gt;\r\n&lt;/configuration&gt;</pre></code>\r\n\r\n                  </td>\r\n               </tr>\r\n            </table>\r\n\r\n            <br>\r\n\r\n            <b>Notes:</b> The current error page you are seeing can be replaced by a custom error page by modifying the &quot;defaultRedirect&quot; attribute of the application&#39;s &lt;customErrors&gt; configuration tag to point to a custom error page URL.<br><br>\r\n\r\n            <table width=100% bgcolor=\"#ffffcc\">\r\n               <tr>\r\n                  <td>\r\n                      <code><pre>\r\n\r\n&lt;!-- Web.Config Configuration File --&gt;\r\n\r\n&lt;configuration&gt;\r\n    &lt;system.web&gt;\r\n        &lt;customErrors mode=&quot;RemoteOnly&quot; defaultRedirect=&quot;mycustompage.htm&quot;/&gt;\r\n    &lt;/system.web&gt;\r\n&lt;/configuration&gt;</pre></code>\r\n\r\n                  </td>\r\n               </tr>\r\n            </table>\r\n\r\n            <br>\r\n\r\n    </body>\r\n</html>\r\n"

@Gary Bushey  sent you a PM.

@Gary Bushey   Are you able to post a screencap of what your add comment blade looks like?  still can't get mine to work.

@Gary Busheydid you ever get this to work,  can get it to write static comments but that's it.

@ryanksmith I have not tried it recently but when I checked last time MS was working on a fix.

@ryanksmith I just tried this again and I was NOT able to get it to work yet.

Any update of the topic ? I just had the same HTTP 400 mentionned above


Here is my Playbook

  1. Sentinel input
  2. Mail approval
    1. Approved: post message on Teams --> It works
    2. Refused: close the incident --> Same error as @Gary Bushey

@ClementBonnet I have pinged MS about it last week but have not heard anything back from them.

I just tried this again this morning and it worked!  I did completely get rid of the actions and started over but it worked :)

@Gary BusheyTried not luck, are you able to post your work flow, will tr y a few others once I get back into the office on Tuesday

@ryanksmith The image shows my very bsaic playbook