Azure Sentinel Logic App write back to comment


Hi All,


I am trying to write the output of an HTTP GET (which works) to a comment in Sentinel. From my review it appears as if the IDs and Groups are set correctly, but I am getting a Bad Request. Has anyone had any success writing back to comments? (Yes, I know this is preview.)


2019-09-13 10_28_11-Window.png

10 Replies

I did not get it to work, but I got a 401 error code.



Did you do a step before to "get incident"? You need to do that to get the incident ID.

If you are still having issues, look at my thread on writing comments. Nicholas gave me all the steps needed to get it to work there.

Thanks, @Gary Bushey. Yes, checked that, and ensured I have the Get Incident blade as per @Nicholas DiCola (SECURITY JEDI). Wondering if it's an issue with my "For Each"; will play with the order and see if that fixes it. Will post if successful.

2019-09-30 20_15_33-Greenshot image editor.png


Have moved the Get Incident blade around, still get the same 400 error:


<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid URL</h2>
<hr><p>HTTP Error 400. The request URL is invalid.</p>

@ryanksmith can you show your settings for "Add comment to incident"? BTW, I get an error on this action after creating a Service Now ticket, so I think there is definitely some sort of bug in there.

@Gary Bushey - yes, here is how I have it set up: 2019-10-01 07_46_17-Microsoft Edge.png

@ryanksmith I'm beginning to think there is a bug where anything that is not static text in the "Specify incident comment" throws an error. Plan on looking into this a bit more tomorrow.

@Gary Bushey - Looks like our errors are exactly the same. You're bang on: static works fine, something about the input throws it off.

2019-10-01 14_07_23-Microsoft Edge.png

@ryanksmith FYI, I am working (or at least I provided them with my test cases) with someone from MS in regards to this issue. What I have found is that if you use the comment feature without any dynamic content it works fine. Once you have it use dynamic content it stops working, and the only way to get it back is to delete the entire logic app and recreate it.


More updates as I get them.