Forum Discussion
Alert-get incident showing resource not found error in Azure Sentinel playbook - 404 error
Hi all,
I have created a playbook in Azure Sentinel to trigger a ticket in ServiceNow for high-severity incidents in Sentinel. Although I have deployed the playbook successfully, when I run the trigger it always fails on the Alert - Get incident step with 404 resource not found. Are there any special permissions needed?
What am I missing? Any info from someone who has already deployed it?
Here is the output at the Alert - Get incident connector:
Can someone help me to fix this issue?
- cyberHardik (Copper Contributor)
Hi,
is there any feedback on this?
- Thijs Lecomte (Bronze Contributor)
Can you share the input of the get incident step?
Can you verify in the GUI that the alert is part of an incident? (through the incidents tab)
- cyberHardik (Copper Contributor)
Well, I did check the input and it was only the path through which it is trying to get the incident.
Below is the exact input:
{
"connection": {
"name": "/subscriptions/7f40b492-8297-4ke2-9b9f-4g416e3p6e3f/resourceGroups/PAC-PUC-KSG-PRD-SIEM/providers/Microsoft.Web/connections/azuresentinel-1"
}
}
Also, I verified that the alert was part of an incident.
- shannonhamby (Copper Contributor)
Did you find a solution to this? I'm also noticing this error.
- cyberHardik (Copper Contributor)
I am still not that lucky, mate.
- landau07 (Microsoft)
Hi cyberHardik,
This is caused by a small race condition at the time the incident is being ingested.
1. This should be fixed as we added a retry mechanism to this action.
2. Another thing you can do is to add a small delay action (1-3 seconds should be more than enough).
3. You can use the new Incident Automation feature in Azure Sentinel to run playbooks based on Incident creation trigger and not alert creation - This is the recommended solution
Yaron
- cyberHardik (Copper Contributor)
Thanks a lot for your reply. Could you please help me with how I can add a delay action?
I did try the recommended solution, but when I saved, my logic app crashed, and now I have to build it again and run it to check whether it is going to be successful or not.
- landau07 (Microsoft)
There is a built-in delay action; look for it in the search bar in the actions selector.
But again, I highly recommend you check your playbook and make it run as you expected, so you will be able to run it as a result for Incident automation (which is currently in gradual release and will be fully released in a week or two).
~Yaron 🙂