LogicApp question. I am getting the following error

Kentucky Mike 51 Reputation points
2022-09-17T16:02:03.483+00:00

'Create_Record' is skipped: dependant action 'Rule_ID' completed with status 'Skipped' and code 'NotSpecified'."}

Azure Logic Apps
Microsoft Sentinel

1 answer

  1. Kentucky Mike 51 Reputation points
    2022-09-18T18:17:40.957+00:00

    There are two problems going on. First is that it doesn't happen with ALL of the incidents I try to run it with, only some of them. Can't see a difference between the ones that will run and the ones that will not.

    242295-image.png

    That is the screenshot of the "Error"
    242282-image.png

    Here's what I mean by it works sometimes. This was the run prior to the above skipped one:
    242311-image.png

    In anticipation of asking for the code, it's pasted below:
    ```json
    {
      "definition": {
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
        "actions": {
          "Alert_System_ID": {
            "actions": {
              "Incident_Comments": {
                "actions": {
                  "Create_Record": {
                    "inputs": {
                      "body": {
                        "sys_created_by": "@items('Alert_System_ID')?['properties']?['systemAlertId']",
                        "u_additional_info": "Additional Information Comments",
                        "u_alert_rule": "Test 49",
                        "u_company": "SentinelSentinelLabs @{triggerBody()?['workspaceInfo']?['WorkspaceName']}",
                        "u_compliance_library": "Compliance Library",
                        "u_cs1": "Incident Generated Time: @{triggerBody()?['object']?['properties']?['createdTimeUtc']}",
                        "u_cs2": "Playbook Name ProSOCLabs-SNOW-EVT",
                        "u_cs3": "Alert Time Generated @{items('Alert_System_ID')?['properties']?['timeGenerated']}",
                        "u_cs4": "Query Start Time: @{items('Alert_System_ID')?['properties']?['additionalData']?['Query Start Time UTC']}",
                        "u_cs5": "Query End Time: @{items('Alert_System_ID')?['properties']?['additionalData']?['Query End Time UTC']}",
                        "u_cs6": "Comments: @{items('Incident_Comments')}",
                        "u_description": "@triggerBody()?['object']?['properties']?['description']",
                        "u_destination_address": "1.2.3.4",
                        "u_destination_host_name": "DestinationHost",
                        "u_destination_user_name": "DestinationUser",
                        "u_device_product": "Product",
                        "u_device_vendor": "@items('Alert_System_ID')?['properties']?['productName']",
                        "u_incident_use_case": "@items('Alert_System_ID')?['properties']?['friendlyName']",
                        "u_number": "@{triggerBody()?['object']?['properties']?['incidentNumber']}",
                        "u_priority": "@variables('Severity')",
                        "u_short_description": "ProSOC Alert Notification -- @{triggerBody()?['object']?['properties']?['createdTimeUtc']} -- @{items('Alert_System_ID')?['properties']?['alertDisplayName']}",
                        "u_siem_event_url": "@triggerBody()?['object']?['properties']?['incidentUrl']",
                        "u_siem_notification": "Proficio has detected \"@{items('Alert_System_ID')?['properties']?['alertDisplayName']}\nDescription of alert: @{triggerBody()?['object']?['properties']?['description']}\nRULE ID\nRULE ID\n\nRULE ID\nRULE ID\n\nAnalytic Operator: @{items('Alert_System_ID')?['properties']?['additionalData']?['Trigger Operator']}\nAnalytic Threshold: @{items('Alert_System_ID')?['properties']?['additionalData']?['Trigger Threshold']}\n\nEvent Time: \n\nEvent Name: @{items('Alert_System_ID')?['properties']?['friendlyName']}\nAuthenticating Address: 185.246.210.179\nUsername: graham.arnol\nCurrent Source Geo Country: CZ -\nConnection Id: 869593\n\nDevice Event Class ID: SSLVPN ICASTART\nDevice Address: 10.61.1.6\nDevice Host Name: MTACAG01\nDevice Vendor: Citrix\nDevice Product: NetScaler\n\nRecommended Steps: \nDetails of the event are as follows\nAnlytic Query: @{items('Alert_System_ID')?['properties']?['additionalData']?['Query']}\n\nINCIDENT JSON: @{triggerBody()?['object']?['properties']}\nSPACE\nSPACE\nSPACE\nALERT JSON: @{items('Alert_System_ID')?['properties']}",
                        "u_source": "SentTesting 2022-SEP-14-MSSP A1",
                        "u_source_address": "1.2.3.4",
                        "u_source_host_name": "MyLittlePony",
                        "u_source_url": "https://nobodyishome.com",
                        "u_source_user_name": "kentuckymike@somwhere.com",
                        "u_tactic": "@{items('Alert_System_ID')?['properties']?['tactics']}",
                        "u_use_case": "Use Cse: @{items('Alert_System_ID')?['properties']?['friendlyName']}",
                        "u_use_case_library": "Use Case Library"
                      },
                      "host": {
                        "connection": {
                          "name": "@parameters('$connections')['service-now']['connectionId']"
                        }
                      },
                      "method": "post",
                      "path": "/api/now/v2/table/@{encodeURIComponent('u_microsoft_sentinel_event')}",
                      "queries": {
                        "sysparm_display_value": false,
                        "sysparm_exclude_reference_link": true
                      }
                    },
                    "runAfter": {},
                    "type": "ApiConnection"
                  }
                },
                "foreach": "@triggerBody()?['object']?['properties']?['Comments']",
                "runAfter": {},
                "type": "Foreach"
              }
            },
            "foreach": "@triggerBody()?['object']?['properties']?['Alerts']",
            "runAfter": {
              "Switch": [
                "Succeeded"
              ]
            },
            "type": "Foreach"
          },
          "Initialize_variable": {
            "inputs": {
              "variables": [
                {
                  "name": "Severity",
                  "type": "string",
                  "value": "3"
                }
              ]
            },
            "runAfter": {},
            "type": "InitializeVariable"
          },
          "Switch": {
            "cases": {
              "Case_Severity_High": {
                "actions": {
                  "Set_variable": {
                    "inputs": {
                      "name": "Severity",
                      "value": "High"
                    },
                    "runAfter": {},
                    "type": "SetVariable"
                  }
                },
                "case": "High"
              },
              "Case_Severity_Low": {
                "actions": {
                  "Set_variable_3": {
                    "inputs": {
                      "name": "Severity",
                      "value": "Low"
                    },
                    "runAfter": {},
                    "type": "SetVariable"
                  }
                },
                "case": "Low"
              },
              "Case_Severity_Medium": {
                "actions": {
                  "Set_variable_2": {
                    "inputs": {
                      "name": "Severity",
                      "value": "Medium"
                    },
                    "runAfter": {},
                    "type": "SetVariable"
                  }
                },
                "case": "Medium"
              }
            },
            "default": {
              "actions": {}
            },
            "expression": "@triggerBody()?['object']?['properties']?['severity']",
            "runAfter": {
              "Initialize_variable": [
                "Succeeded"
              ]
            },
            "type": "Switch"
          }
        },
        "parameters": {},
        "functions": [],
        "variables": {},
        "resources": [],
        "outputs": {}
      }
    }
    ```
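
The error in the question is a `runAfter` skip chain: an action is skipped when the action it depends on does not finish with one of the statuses it lists. As an added example (not part of the original post or of any Microsoft tooling), this Python walks a workflow definition and lists every dependency and enclosing `Foreach` that can keep a given action from running. The sample definition is constructed; `Rule_ID` appears only in the error message, so its type and inputs are assumptions.

```python
def index_actions(actions, parent=None, loops=(), out=None):
    """Flatten nested actions into name -> (action, parent container, enclosing Foreach loops)."""
    out = {} if out is None else out
    for name, act in actions.items():
        out[name] = (act, parent, loops)
        inner = loops + ((name, act.get("foreach")),) if act.get("type") == "Foreach" else loops
        # Children live under "actions" (Foreach/Scope/If), "else" (If), "cases"/"default" (Switch).
        branches = [act, act.get("else", {}), act.get("default", {}), *act.get("cases", {}).values()]
        for branch in branches:
            index_actions(branch.get("actions", {}), name, inner, out)
    return out

def skip_risks(definition, target):
    """List the runAfter links and Foreach loops that can stop `target` from running."""
    idx = index_actions(definition["actions"])
    findings, seen, todo = [], set(), [target]
    while todo:
        name = todo.pop()
        if name is None or name in seen or name not in idx:
            continue
        seen.add(name)
        act, parent, _ = idx[name]
        for dep, accepted in act.get("runAfter", {}).items():
            if "Skipped" not in accepted:  # a skipped predecessor propagates downstream
                findings.append(f"{name} is skipped unless {dep} ends as {'/'.join(accepted)}")
                todo.append(dep)
        todo.append(parent)  # a skipped container skips everything inside it
    for loop, expr in idx[target][2]:
        findings.append(f"{target} runs once per item of {loop}: {expr}")
    return findings

# Constructed sample mirroring the nesting in the post (Rule_ID is hypothetical).
SAMPLE = {"actions": {
    "Initialize_variable": {"type": "InitializeVariable", "runAfter": {}},
    "Switch": {"type": "Switch", "runAfter": {"Initialize_variable": ["Succeeded"]},
               "cases": {}, "default": {"actions": {}}},
    "Alert_System_ID": {
        "type": "Foreach", "runAfter": {"Switch": ["Succeeded"]},
        "foreach": "@triggerBody()?['object']?['properties']?['Alerts']",
        "actions": {"Incident_Comments": {
            "type": "Foreach", "runAfter": {},
            "foreach": "@triggerBody()?['object']?['properties']?['Comments']",
            "actions": {
                "Rule_ID": {"type": "Compose", "inputs": "placeholder", "runAfter": {}},
                "Create_Record": {"type": "ApiConnection", "runAfter": {"Rule_ID": ["Succeeded"]}},
            }}}},
}}

if __name__ == "__main__":
    print("\n".join(skip_risks(SAMPLE, "Create_Record")))
```

Pass it the `definition` object exported from the playbook's code view and the name of the skipped action, then compare the listed loop expressions against the trigger body of a run that skipped and one that did not.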

