![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 12%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAT%3C/text%3E%3C/svg%3E)
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
2,839 questions
The ARM ID is the fully qualified ID starting with forward slash subscription:
/subscriptions/d1d8779d-38d7-4f06-91db-XXXXXXXXXXXX/resourceGroups/soc/providers/Microsoft.OperationalInsights/workspaces/cybersecuritysoc/providers/Microsoft.SecurityInsights/Incidents/8524bc04-5916-c007-13a0-d53048ebfb27
You can use a parser in your logic app to split the ARM ID from the URL. If you are doing a KQL query you can parse within your query to output the ID. You can construct the ARM ID with variables for the subscription, resource group, and workspace names.
You might also try experimenting with the different Sentinel logic app activities. There is a get-incident and a get-alert. One of them automatically parses out the ARM ID. I just don't recall which at the moment. This is by far the easiest option. If I recall a alert-based trigger is often followed with a get-incident activity to return the ARM ID for use in later requests.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 61%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)