Hi, All
Got an issue. We use an automation playbook to enrich our Sentinel incidents. The brief idea is: when Sentinel triggers an incident, we query the alarms from the incident using the Azure Monitor Logs connector, and using the query field of each alarm we query the related raw events. The problem is that the Azure Monitor Logs connector always returns an empty output array, like this:
{
  "statusCode": 200,
  "headers": {
    "Cache-Control": "no-store, no-cache",
    "Pragma": "no-cache",
    "Transfer-Encoding": "chunked",
    "Vary": "Accept-Encoding",
    "Set-Cookie": "",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "x-ms-request-id": "",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Timing-Allow-Origin": "*",
    "x-ms-apihub-cached-response": "false",
    "x-ms-apihub-obo": "false",
    "Date": "Thu, 14 Sep 2023 04:35:18 GMT",
    "Content-Type": "application/json; charset=utf-8",
    "Expires": "-1"
  },
  "body": {
    "value": []
  }
}
If we run the KQL query from the run history manually against the Sentinel logs, it returns actual data. If we change the trigger from "create new incident" to "update incident", the automation returns data. There are no error messages, and this playbook has the Sentinel Contributor role on the requested workspace.
The actual workflow is: Microsoft Sentinel Incident connector, then initialization of a couple of variables, then the Azure Monitor Logs connector with a custom KQL query against 2 tables. Any ideas?
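An added example, not part of the post above and not the poster's playbook: the response shown is an HTTP 200 with an empty `body.value`, which is not an error and therefore never trips a playbook's failure handling. If the empty result is a timing effect (the alert rows are not yet queryable at the moment the "create new incident" trigger fires, which would fit the observation that the "update incident" trigger and a manual re-run both return data), the defensive pattern is to treat "200 but empty" as "not ready yet" and re-run the query a bounded number of times before giving up. The code below parses the connector's response shape, distinguishes an empty result from a real error, and retries with a delay; the KQL string, the alert column names and the sample rows are assumptions constructed for the example, and the connector itself is simulated so the script runs offline.

```python
"""Handling the 'HTTP 200 with an empty value[]' case from the Azure Monitor
Logs connector in an incident-enrichment playbook (added example)."""
import time
from typing import Any, Callable, Dict, List, Tuple

# Constructed sample, trimmed to the fields that matter: this is the shape
# shown in the post, where the connector answers 200 but body.value is empty.
EMPTY_RESPONSE: Dict[str, Any] = {
    "statusCode": 200,
    "headers": {"Content-Type": "application/json; charset=utf-8"},
    "body": {"value": []},
}

# Constructed sample of a populated response. Column names are assumptions.
POPULATED_RESPONSE: Dict[str, Any] = {
    "statusCode": 200,
    "headers": {"Content-Type": "application/json; charset=utf-8"},
    "body": {"value": [
        {"SystemAlertId": "alert-0001", "AlertName": "Suspicious sign-in",
         "Query": "SigninLogs | where ResultType != 0"},
        {"SystemAlertId": "alert-0002", "AlertName": "Manual alert", "Query": ""},
    ]},
}

# Assumed first enrichment query: resolve the alerts behind an incident number
# and pull the rule query each alert carries. Table and column names follow the
# Sentinel schema as I know it; verify them against your own workspace.
ALERTS_FOR_INCIDENT_KQL = """
SecurityIncident
| where IncidentNumber == {incident_number}
| summarize arg_max(TimeGenerated, AlertIds)
| mv-expand AlertId = AlertIds
| extend AlertId = tostring(AlertId)
| join kind=inner (
    SecurityAlert
    | project SystemAlertId, AlertName, ExtendedProperties
  ) on $left.AlertId == $right.SystemAlertId
| extend Query = tostring(parse_json(ExtendedProperties).Query)
| project SystemAlertId, AlertName, Query
"""


def rows_from_response(resp: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the rows of a connector response, or [] when body.value is empty.

    A non-200 status is raised as an error so that a genuine failure is never
    confused with the silent 'no rows yet' case the post describes."""
    status = resp.get("statusCode")
    if status != 200:
        raise RuntimeError(f"connector returned HTTP {status}")
    body = resp.get("body") or {}
    return list(body.get("value") or [])


def query_until_rows(
    run_query: Callable[[], Dict[str, Any]],
    attempts: int = 4,
    delay_s: float = 60.0,
    sleep: Callable[[float], None] = time.sleep,
) -> Tuple[List[Dict[str, Any]], int]:
    """Re-run the connector action until it yields rows or attempts run out.

    Returns (rows, attempts_used). An empty list after the last attempt means
    the caller should record 'enrichment unavailable' rather than proceed as
    if the incident had no alerts."""
    for attempt in range(1, attempts + 1):
        rows = rows_from_response(run_query())
        if rows:
            return rows, attempt
        if attempt < attempts:
            sleep(delay_s)
    return [], attempts


def queries_from_alerts(rows: List[Dict[str, Any]]) -> List[str]:
    """Second enrichment step: collect each alert's query text, skipping alerts
    without one so the playbook never submits an empty KQL string."""
    return [r["Query"] for r in rows if r.get("Query")]


def make_simulated_connector(empty_runs: int) -> Callable[[], Dict[str, Any]]:
    """Constructed stand-in for the connector action: answers with the empty
    200 response `empty_runs` times, then with the populated one."""
    calls = {"n": 0}

    def run_query() -> Dict[str, Any]:
        calls["n"] += 1
        return EMPTY_RESPONSE if calls["n"] <= empty_runs else POPULATED_RESPONSE

    return run_query


if __name__ == "__main__":
    # Simulate two empty answers followed by data, with no real waiting.
    rows, used = query_until_rows(make_simulated_connector(2), delay_s=0)
    print(f"got {len(rows)} alert row(s) after {used} attempt(s)")
    print("queries to run next:", queries_from_alerts(rows))
```

In a Logic App the equivalent is an Until loop around the connector action whose exit condition is `length(body('Run_query_and_list_results')?['value'])` being greater than zero, with a Delay inside the loop and a count limit; the point is the same: an empty `value` array must be checked explicitly, because the action itself reports success.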