Alert - Get incident showing resource not found error in Azure Sentinel playbook - 404 error


Hi All,

I have created a playbook in Azure Sentinel to trigger a ticket in ServiceNow for high severity incidents in Sentinel. Although I have deployed the playbook successfully, when I run the trigger it always fails on the Alert - Get incident step with 404 resource not found. Are there any special permissions needed?
What am I missing? Any info from someone that has already deployed it?

Here is the output of the Alert - Get incident connector:

{
    "statusCode": 404,
    "headers": {
        "Access-Control-Allow-Methods": "GET, PUT, PATCH, DELETE, POST",
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Max-Age": "3600",
        "Access-Control-Expose-Headers": "*",
        "Date": "Tue, 23 Feb 2021 19:05:39 GMT",
        "Content-Length": "54",
        "Content-Type": "application/json"
    },
    "body": {
        "statusCode": 404,
        "message": "Resource not found"
    }
}
I have the Contributor role in Sentinel. Below is a snap of the playbook created to trigger a bidirectional sync to create and update incidents in ServiceNow.

[Screenshot: playbook designer view]


Can someone help me fix this issue?

8 Replies
Can you share the input of the get incident step?
Can you verify in the GUI that the alert is part of an incident? (through the incidents tab)
Did you find a solution to this? I’m also noticing this error.
Hi cyberHardik,

This is caused by a small race condition at the time the incident is being ingested.

1. This should be fixed as we added a retry mechanism to this action.
2. Another thing you can do is to add a small delay action (1-3 seconds should be more than enough).
3. You can use the new Incident Automation feature in Azure Sentinel to run playbooks based on the incident creation trigger and not alert creation. This is the recommended solution.

Yaron
Well, I did check the input and it was only the path through which it is trying to get the incident.

Below is the exact input:
{
    "connection": {
        "name": "/subscriptions/7f40b492-8297-4ke2-9b9f-4g416e3p6e3f/resourceGroups/PAC-PUC-KSG-PRD-SIEM/providers/Microsoft.Web/connections/azuresentinel-1"
    }
}
Also I verified that the alert was part of an incident.
Thanks a lot for your reply. Could you please help me with how I can add a delay action?

I did try the recommended solution, but when I saved, my logic app crashed and now I have to build it again and run it to check whether it is going to succeed or not.

@cyberHardik 


There is a built-in Delay action; look for it in the search bar in the actions selector.

[Screenshot: Delay action in the Logic Apps action selector]

But again, I highly recommend you check your playbook and make it run as you expect, so you will be able to run it as a result of Incident automation (which is currently in gradual release and will be fully released in a week or two).


~Yaron 🙂
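As an added illustration (not code from the thread, Microsoft, or the Sentinel connector), this is what the two workarounds Yaron describes look like in the Logic App's workflow definition (Code view): a built-in Delay action (type `Wait`) placed before the Get incident step, and a fixed `retryPolicy` on that step so a transient 404 from the race condition is retried rather than failing the run. The `path` value and the `azuresentinel` connection key are placeholders; the designer generates the real ones when you add the connector action, and only the `Wait` and `retryPolicy` shapes are the point here.

```json
{
  "actions": {
    "Delay_before_incident_lookup": {
      "type": "Wait",
      "runAfter": {},
      "inputs": {
        "interval": {
          "count": 3,
          "unit": "Second"
        }
      }
    },
    "Alert_-_Get_incident": {
      "type": "ApiConnection",
      "runAfter": {
        "Delay_before_incident_lookup": [
          "Succeeded"
        ]
      },
      "inputs": {
        "host": {
          "connection": {
            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
          }
        },
        "method": "get",
        "path": "PLACEHOLDER-path-generated-by-the-designer-for-Alert-Get-incident",
        "retryPolicy": {
          "type": "fixed",
          "count": 4,
          "interval": "PT5S"
        }
      }
    }
  }
}
```

The delay gives ingestion a few seconds to attach the alert to its incident; the retry policy covers the cases where that is still not enough, with four more attempts five seconds apart before the action is marked failed. Both only paper over the race, which is why Yaron's third option, triggering the playbook from incident creation instead of alert creation, is the one to move to once Incident automation is available in your tenant.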