Logic app returns empty array trying list alarms related to Sentinel incident

Copper Contributor

Hi, All

Got an issue. We use automation playbook to enrich our Sentinel incidents. Brief idea is when Sentinel triggers incident we do query using Azure Monitor logs connector alarms from incident, and using query field for each alarm we do query related raw events. Problem is that Azure Monitor logs connector always return empty output array. Like this

{
    "statusCode"200,
    "headers": {
        "Cache-Control""no-store, no-cache",
        "Pragma""no-cache",
        "Transfer-Encoding""chunked",
        "Vary""Accept-Encoding",
        "Set-Cookie""",
        "Strict-Transport-Security""max-age=31536000; includeSubDomains",
        "x-ms-request-id""",
        "X-Content-Type-Options""nosniff",
        "X-Frame-Options""DENY",
        "Timing-Allow-Origin""*",
        "x-ms-apihub-cached-response""false",
        "x-ms-apihub-obo""false",
        "Date""Thu, 14 Sep 2023 04:35:18 GMT",
        "Content-Type""application/json; charset=utf-8",
        "Expires""-1"
    },
    "body": {
        "value": []
    }
}
If we run KQL query from Runs history manually against Sentinel logs - it returns actual data. If we change trigger from "create new incident" to "update incident" - automation returns data. No error messages, this playbook has Sentinel contributor role on requested workspace. 
Actual workflow are - Microsoft Sentinel Incident connector - initialization of couple of variables - Azure Monitor logs connector with custom KQL against 2 tables . Any ideas?
2 Replies
The weirdest thing about is if we place in parallel action Azure Monitor Log Run query and visualize result with identical configuration - it actually returns data.
Puzzle solved. The issue was ingestion delay in log analytics workspace. So then you query immediately after triggers rises - zero result. so we have to insert 3 minutes delay between Sentinel incident connector and Azure Monitor Log query. All works fine after that