Sentinel playbook in Azure Logic Apps retrieves an incident URL that points to an old, deleted resource group instead of the current one

Question

Hi, I'm trying to create a playbook in Azure Logic Apps that uses the "When Azure Sentinel incident creation rule was triggered" step as a trigger. This step is supposed to start when an incident is created and retrieve details about the incident for use in later steps.

The playbook works almost perfectly, but the incident URL and incident ARM ID returned by the trigger refer to an old Resource Group that no longer exists. If I swap the correct Resource Group into the link and ARM ID, then both work exactly as they should. It seems like there must be some reference to the old Resource Group still in Azure somewhere, but I haven't been able to figure out how or where to correct this issue and update things to only reference the current Resource Group.

The link provided by the trigger looks like the following, and the correct, working link that I should be getting is exactly the same, but with the correct resource group in place of the incorrect one.

https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/<subscription-id>/resourceGroups/<incorrect-resource-group>/providers/Microsoft.OperationalInsights/workspaces/<log-analytics-workspace>/providers/Microsoft.SecurityInsights/Incidents/<incident-id>

Does anyone have any ideas on how I would go about fixing this?

Answer 1

This usually happens when the Log Analytics workspace / Microsoft Sentinel workspace was moved to another resource group after Sentinel had already been enabled. Microsoft documents that moving a workspace after Microsoft Sentinel is deployed isn’t supported, and one of the side effects can be stale resource IDs/paths being returned by analytics/playbook workflows. Microsoft’s guidance for cases where the workspace was already moved is to disable all active Analytics rules, wait about five minutes, and then enable them again.

A few things to check:

Confirm whether the Sentinel-enabled Log Analytics workspace was ever moved to a different resource group/subscription.

If yes, go to Sentinel > Analytics, disable the active rules, wait ~5 minutes, then re-enable them.

Re-save or recreate any automation rules/playbook bindings so they pick up the current workspace resource ID.

In the playbook, avoid relying on an old hard-coded ARM ID or URL. The current Sentinel incident trigger exposes workspace info fields including subscription ID, workspace name/ID, and resource group name, so use those current values where possible.

If it still returns the deleted resource group after that, the bad reference is likely stuck because the workspace move itself is unsupported. In that case, the clean fix is usually to deploy Sentinel on a new workspace in the correct resource group and migrate your content rather than trying to repair the old metadata in place. Microsoft also notes that once Sentinel is deployed on a workspace, it doesn’t support moving that workspace to another resource group or subscription.

So, this is not really a Logic Apps bug to fix inside the playbook, it’s most likely a stale workspace/resource ID problem caused by an unsupported workspace move.