Azure Sentinel Playbook Errors


Lately we've been having an increasing number of issues in which our Logic Apps are failing to process, resulting in the tickets (this is a SNOW-connected Logic App) not being created for said alert.

I can confirm that the incident does exist with the matching IDs found in the Raw input of the "Get-Incidents" action, but when the playbook is called the error below is generated. This is not occurring for every alert; it is intermittent. When running the playbook manually against the alert that failed to run the playbook, there are no issues.

"message": "The response is not in a JSON format.",
"innerError": "Failed to run playbook - no incident found with the properties you provided"

For reference, we are using the "When a response to an Azure Sentinel alert is triggered" trigger for the playbook.

Is there another issue with the Logic Apps? I recall there was a similar issue last year. Could this be rate limiting or a timeout in the data retrieval from the incidents?

2 Replies
Any reason why this hasn't been answered?

I have the same issue

"message": "The response is not in a JSON format.",
"innerError": "Failed to run playbook - no incident found with the properties you provided"

I added in a delay before the get-alert get-incident action as suggested in another similar post.

Can anyone help?

The playbook I am using is the BlockADOnPremUser playbook.

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/automatically-disable-on-prem-ad-user...


Switch your trigger from the Microsoft Sentinel alert trigger to the Microsoft Sentinel incident trigger. It will not fire until the incident is created and all the incident information (or at least most of it) will already be loaded.
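As an added illustration of the change suggested in the reply above (this is not code from the original thread or from the BlockADOnPremUser playbook), the fragment below shows what the trigger section of a Logic App workflow definition looks like once it uses the Microsoft Sentinel incident trigger. The connector path "/incident-creation", the trigger type "ApiConnectionWebhook", the connection name "azuresentinel" and the shape of the trigger output (object.properties.incidentNumber, object.properties.title) are taken from my own experience with the connector, not from the page, so treat them as assumptions to verify against the trigger your designer generates; the action name and the example expression are placeholders.

```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "triggers": {
      "Microsoft_Sentinel_incident": {
        "type": "ApiConnectionWebhook",
        "inputs": {
          "body": {
            "callback_url": "@{listCallbackUrl()}"
          },
          "host": {
            "connection": {
              "name": "@parameters('$connections')['azuresentinel']['connectionId']"
            }
          },
          "path": "/incident-creation"
        }
      }
    },
    "actions": {
      "Compose_incident_summary": {
        "type": "Compose",
        "runAfter": {},
        "inputs": {
          "incidentNumber": "@{triggerBody()?['object']?['properties']?['incidentNumber']}",
          "title": "@{triggerBody()?['object']?['properties']?['title']}",
          "severity": "@{triggerBody()?['object']?['properties']?['severity']}",
          "incidentArmId": "@{triggerBody()?['object']?['id']}"
        }
      }
    },
    "outputs": {}
  }
}
```

Because the incident trigger fires only after the incident record exists, the incident fields are available directly from triggerBody() and the playbook no longer needs a separate "Get incident" lookup (nor a delay in front of it) to find the incident the alert belongs to, which is the lookup that produced the "no incident found with the properties you provided" error in this thread.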