Sentinel playbook in Azure Logic Apps retrieves an incident URL that points to an old, deleted resource group instead of the current one

Conor Boland 21 Reputation points

Hi, I'm trying to create a playbook in Azure Logic Apps that uses the "When Azure Sentinel incident creation rule was triggered" step as a trigger. This step is supposed to start when an incident is created and retrieve details about the incident for use in later steps.

The playbook works almost perfectly, but the incident URL and incident ARM ID returned by the trigger refer to an old Resource Group that no longer exists. If I swap the correct Resource Group into the link and ARM ID, then both work exactly as they should. It seems like there must be some reference to the old Resource Group still in Azure somewhere, but I haven't been able to figure out how or where to correct this issue and update things to only reference the current Resource Group.

The link provided by the trigger looks like the following, and the correct, working link that I should be getting is exactly the same, but with the correct resource group in place of the incorrect one.<subscription-id>/resourceGroups/<incorrect-resource-group>/providers/Microsoft.OperationalInsights/workspaces/<log-analytics-workspace>/providers/Microsoft.SecurityInsights/Incidents/<incident-id>

Does anyone have any ideas on how I would go about fixing this?

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
606 questions
Azure Logic Apps
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
1,818 questions
No comments
{count} votes