Forum Discussion
GaryBushey
Sep 23, 2019 · Bronze Contributor
Azure Sentinel Logic App Action Incident ID
I am looking at the Azure Sentinel action in Logic Apps (AKA Playbooks) and I notice that when I try to do something like "Add a Label" or "Write a Comment" most of the fields (Subscription ID, Resource Group, and Workspace ID) can be obtained from the Sentinel trigger but I do not see any place to get the Incident ID.
Would this Logic App be triggered before the Incident is created and that is why there is no Incident ID? In any event, how would you get the Incident ID in order to use these actions? I see there is an entry to get all the Incidents but I don't see any way to accurately figure out which one to use.
- You need to use System Alert ID
- GaryBushey (Bronze Contributor): Getting closer. Didn't get that error but now I got:
  {
    "error": {
      "code": 500,
      "source": "logic-apis-eastus.azure-apim.net",
      "clientRequestId": "56979c89-eb27-42e6-9506-8e208cb4cb67",
      "message": "BadGateway",
      "innerError": {
        "message": "We couldn’t find incidents related to the specified properties.\r\nclientRequestId: 56979c89-eb27-42e6-9506-8e208cb4cb67",
        "status": 500,
        "source": "azuresentinel-eus.azconn-eus.p.azurewebsites.net"
      }
    }
  }
- GaryBushey (Bronze Contributor): This is my configuration. Am I using the wrong variable for "Specify Alert Id"?
- You need to use System Alert ID
- GaryBushey (Bronze Contributor): Thanks for that information. Any idea why it would throw a "Key 'Token' not found in connection profile"?
- I haven't seen that one before. Maybe the connection needs to be re-authenticated. Go to the connection object in the resource group. Click the Edit API blade. Click Authenticate. Click Save after authenticating.
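To show the pattern the replies above describe in one place (the Sentinel trigger hands the playbook a System Alert ID rather than an incident ID, so the incident is resolved from the alert first and only then commented on), here is a minimal Logic App workflow definition. This is an added example written for this thread, not a playbook from the original poster or from Microsoft. The action names, the `description` strings, the trigger body field names (`SystemAlertId`, `WorkspaceSubscriptionId`, `WorkspaceResourceGroup`, `WorkspaceId`) and the `/Cases/...` connector paths are my reconstruction of the connector as it looked in 2019 and should be checked against what the designer generates for the same three actions in your tenant; the comment text is a constructed sample.

```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "$connections": { "type": "Object", "defaultValue": {} }
    },
    "triggers": {
      "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
        "type": "ApiConnectionWebhook",
        "description": "Fires per alert; its body carries SystemAlertId and the workspace identifiers, but no incident ID",
        "inputs": {
          "host": {
            "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" }
          },
          "body": { "callback_url": "@{listCallbackUrl()}" },
          "path": "/subscribe"
        }
      }
    },
    "actions": {
      "Alert_-_Get_incident": {
        "type": "ApiConnection",
        "runAfter": {},
        "description": "Assumed path: resolve the incident that wraps this alert using the System Alert ID, not an incident ID",
        "inputs": {
          "host": {
            "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" }
          },
          "method": "get",
          "path": "/Cases/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
        }
      },
      "Add_comment_to_incident": {
        "type": "ApiConnection",
        "runAfter": { "Alert_-_Get_incident": [ "Succeeded" ] },
        "description": "Assumed path: the incident/case number comes from the previous action's output, never from the trigger",
        "inputs": {
          "host": {
            "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" }
          },
          "method": "put",
          "path": "/Cases/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/cases/@{encodeURIComponent(body('Alert_-_Get_incident')?['properties']?['CaseNumber'])}/comment",
          "body": {
            "Message": "Constructed sample: playbook ran for alert @{triggerBody()?['SystemAlertId']} (alert name: @{triggerBody()?['AlertDisplayName']})"
          }
        }
      }
    }
  }
}
```

Two things worth checking when a run fails the way the thread shows. A "couldn’t find incidents related to the specified properties" response from the get-incident step usually means the value passed as the alert ID was something other than the trigger's System Alert ID (for example an alert display name or a provider alert ID), or the alert was not yet attached to an incident when the playbook fired; wiring the action directly to the trigger output, as above, removes the first cause. A "Key 'Token' not found in connection profile" error comes from the API connection object rather than the workflow definition, which is why re-authenticating the `azuresentinel` connection in the resource group, as the last reply says, fixes it without any change to this JSON.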