Logic App - Microsoft Sentinel Update Incident Action Fails to Close an Incident

Question

Logic App - Microsoft Sentinel Update Incident Action Fails to Close an Incident with the following error -

"innerError": "Can not close incident without classification reason"  

However, in the parameter list, there is no option to set a classification reason. There is only one option to set the classification. See attached image. I think this is a bug in the Update Incident action.

Answer 1

Hello @Sivasubramaniam Sivakumar

You need to populate the following fields when closing an incident

• Status
• Classification Reason
• Close reason text

Classification reason and Close reason text only appears if you select one of the drop downs. When building the logic app I would advise you pick "Closed" in the status and populate the the reason and reason text. Once you have done this, change the Status to your dynamic content and the logic app designer will magically transform your values to the "Classification" parameter and populate this with the relevant JSON payload. Alternatively just populate the classification parameter manually.

I hope this helps provide you with the information you need. If it does, please make sure to mark the question as answered so it helps other people in future.

Kind regards

Alistair

Answer 2

@Sivasubramaniam Sivakumar Thanks for reaching out. I couldn't observe the same behavior at my end. I can see classification property gets populated once the status property was changed to Close or any dynamic property as below.

In case if you still observe the same issue then please share the SKU of your logic app (consumption/standard) along with the region where you have deployed your logic app. The action Update incident is still in preview as you can see the preview under the action and there could be multiple improvements/enhancement on this action till it became GA.