Mobile_Walk_In (Copper Contributor), Jun 12, 2024
Create an Incident when an email arrives, Downloading attachment and saving in a blob storage
I'm working on a Logic App in Azure Sentinel designed to automatically create incidents whenever an email arrives with a specific subject line. However, I'm encountering an error when trying to create the incident.
code: 400,
Could you please advise on what might be causing this error and how I can troubleshoot it?
Thanks in advance for your assistance!
- Clive_Watson (Bronze Contributor): Gary just posted a guide on troubleshooting; it's a good start to look at your issue: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/debugging-playbooks/ba-p/4165374
- Mobile_Walk_In (Copper Contributor): Hi Clive, thanks! I did read that post; I couldn't find an answer to my question though.
- farlenc (Microsoft):
1 - The e-mail body of the e-mails you receive must have a consistent JSON payload to not have any issue while parsing the email body in the 'parse json' action.
If the JSON payload varies, then you may have inconsistencies parsing data, hence invalid parameters creating the Sentinel incident.
I'd recommend this step if you have not done it yet: copy a sample JSON payload that you get from the email body, and then in the 'parse json' action use the option 'Use sample payload to generate the schema'; it will generate an accurate schema.
2 - I assume you are entering custom values to fill out the 'create sentinel' action parameters; please make sure that each input is valid.
3 - Alternatively, if everything is OK with the JSON payload and the 'create sentinel' action parameters, then this could be a permission issue.
If using an OAuth API connection, please check your account permissions on the respective target subscription. It is recommended to use managed identity when possible, so you can try enabling Managed Identity on the logic app and granting it a Sentinel Responder role on the necessary scope, then create a Managed Identity API Connection in the logic app designer -> Sentinel connector.
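
The payload and input checks from points 1 and 2 of the reply above can be rehearsed offline before the playbook runs; the following is an added example, not code from the thread or from Microsoft. The field names in `SCHEMA` and the sample bodies are assumptions standing in for your own e-mail format.

```python
import json

# Values the Microsoft Sentinel incident API accepts for these properties.
ALLOWED = {
    "severity": {"High", "Medium", "Low", "Informational"},
    "status": {"New", "Active", "Closed"},
}
# Assumed e-mail payload layout (hypothetical): field -> (JSON type, required)
SCHEMA = {
    "title": (str, True),
    "severity": (str, True),
    "status": (str, True),
    "description": (str, False),
}

def check_email_body(body):
    """Return a list of problems; an empty list means the payload is usable."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc.msg} (char {exc.pos})"]
    if not isinstance(payload, dict):
        return ["top-level JSON value must be an object"]
    problems = []
    for field, (ftype, required) in SCHEMA.items():
        if field not in payload:
            if required:
                problems.append(f"missing required field '{field}'")
            continue
        value = payload[field]
        if not isinstance(value, ftype):
            problems.append(f"'{field}' must be {ftype.__name__}, "
                            f"got {type(value).__name__}")
        elif field == "title" and not value.strip():
            problems.append("'title' is empty")
        elif field in ALLOWED and value not in ALLOWED[field]:
            problems.append(f"'{field}' value {value!r} is not one of "
                            f"{sorted(ALLOWED[field])}")
    return problems

# Constructed sample bodies, not taken from the thread.
GOOD = '{"title": "Phishing report", "severity": "Medium", "status": "New"}'
BAD = '{"title": " ", "severity": "Critical", "status": 1}'
HTML = "<html><body>{\"title\": \"x\"}</body></html>"

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD", BAD), ("HTML", HTML)):
        print(name, check_email_body(body))
```

The `HTML` case covers a mail client wrapping the JSON in markup, which fails at the parse step before any incident parameter is evaluated.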