There are two problems going on. The first is that it doesn't happen with ALL of the incidents I try to run it with, only some of them. I can't see any difference between the incidents that will run and the ones that will not.
That is the screenshot of the "Error"
Here's what I mean by "it works sometimes". This was the run prior to the skipped one shown above:
In anticipation of being asked for the code, it's pasted below:
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Alert_System_ID": {
"actions": {
"Incident_Comments": {
"actions": {
"Create_Record": {
"inputs": {
"body": {
"sys_created_by": "@items('Alert_System_ID')?['properties']?['systemAlertId']",
"u_additional_info": "Additional Information Comments",
"u_alert_rule": "Test 49",
"u_company": "SentinelSentinelLabs @{triggerBody()?['workspaceInfo']?['WorkspaceName']}",
"u_compliance_library": "Compliance Library",
"u_cs1": "Incident Generated Time: @{triggerBody()?['object']?['properties']?['createdTimeUtc']}",
"u_cs2": "Playbook Name ProSOCLabs-SNOW-EVT",
"u_cs3": "Alert Time Generated @{items('Alert_System_ID')?['properties']?['timeGenerated']}",
"u_cs4": "Query Start Time: @{items('Alert_System_ID')?['properties']?['additionalData']?['Query Start Time UTC']}",
"u_cs5": "Query End Time: @{items('Alert_System_ID')?['properties']?['additionalData']?['Query End Time UTC']}",
"u_cs6": "Comments: @{items('Incident_Comments')}",
"u_description": "@triggerBody()?['object']?['properties']?['description']",
"u_destination_address": "1.2.3.4",
"u_destination_host_name": "DestinationHost",
"u_destination_user_name": "DestinationUser",
"u_device_product": "Product",
"u_device_vendor": "@items('Alert_System_ID')?['properties']?['productName']",
"u_incident_use_case": "@items('Alert_System_ID')?['properties']?['friendlyName']",
"u_number": "@{triggerBody()?['object']?['properties']?['incidentNumber']}",
"u_priority": "@variables('Severity')",
"u_short_description": "ProSOC Alert Notification -- @{triggerBody()?['object']?['properties']?['createdTimeUtc']} -- @{items('Alert_System_ID')?['properties']?['alertDisplayName']}",
"u_siem_event_url": "@triggerBody()?['object']?['properties']?['incidentUrl']",
"u_siem_notification": "Proficio has detected \"@{items('Alert_System_ID')?['properties']?['alertDisplayName']}\nDescription of alert: @{triggerBody()?['object']?['properties']?['description']}\nRULE ID\nRULE ID\n\nRULE ID\nRULE ID\n\nAnalytic Operator: @{items('Alert_System_ID')?['properties']?['additionalData']?['Trigger Operator']}\nAnalytic Threshold: @{items('Alert_System_ID')?['properties']?['additionalData']?['Trigger Threshold']}\n\nEvent Time: \n\nEvent Name: @{items('Alert_System_ID')?['properties']?['friendlyName']}\nAuthenticating Address: 185.246.210.179\nUsername: graham.arnol\nCurrent Source Geo Country: CZ -\nConnection Id: 869593\n\nDevice Event Class ID: SSLVPN ICASTART\nDevice Address: 10.61.1.6\nDevice Host Name: MTACAG01\nDevice Vendor: Citrix\nDevice Product: NetScaler\n\nRecommended Steps: \nDetails of the event are as follows\nAnlytic Query: @{items('Alert_System_ID')?['properties']?['additionalData']?['Query']}\n\nINCIDENT JSON: @{triggerBody()?['object']?['properties']}\nSPACE\nSPACE\nSPACE\nALERT JSON: @{items('Alert_System_ID')?['properties']}",
"u_source": "SentTesting 2022-SEP-14-MSSP A1",
"u_source_address": "1.2.3.4",
"u_source_host_name": "MyLittlePony",
"u_source_url": "https://nobodyishome.com",
"u_source_user_name": "kentuckymike@somwhere.com",
"u_tactic": "@{items('Alert_System_ID')?['properties']?['tactics']}",
"u_use_case": "Use Cse: @{items('Alert_System_ID')?['properties']?['friendlyName']}",
"u_use_case_library": "Use Case Library"
},
"host": {
"connection": {
"name": "@parameters('$connections')['service-now']['connectionId']"
}
},
"method": "post",
"path": "/api/now/v2/table/@{encodeURIComponent('u_microsoft_sentinel_event')}",
"queries": {
"sysparm_display_value": false,
"sysparm_exclude_reference_link": true
}
},
"runAfter": {},
"type": "ApiConnection"
}
},
"foreach": "@triggerBody()?['object']?['properties']?['Comments']",
"runAfter": {},
"type": "Foreach"
}
},
"foreach": "@triggerBody()?['object']?['properties']?['Alerts']",
"runAfter": {
"Switch": [
"Succeeded"
]
},
"type": "Foreach"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "Severity",
"type": "string",
"value": "3"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Switch": {
"cases": {
"Case_Severity_High": {
"actions": {
"Set_variable": {
"inputs": {
"name": "Severity",
"value": "High"
},
"runAfter": {},
"type": "SetVariable"
}
},
"case": "High"
},
"Case_Severity_Low": {
"actions": {
"Set_variable_3": {
"inputs": {
"name": "Severity",
"value": "Low"
},
"runAfter": {},
"type": "SetVariable"
}
},
"case": "Low"
},
"Case_Severity_Medium": {
"actions": {
"Set_variable_2": {
"inputs": {
"name": "Severity",
"value": "Medium"
},
"runAfter": {},
"type": "SetVariable"
}
},
"case": "Medium"
}
},
"default": {
"actions": {}
},
"expression": "@triggerBody()?['object']?['properties']?['severity']",
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Switch"
}
"parameters": {},
"functions": [],
"variables": {},
"resources": [],
"outputs": {}
}