Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
2,840 questions
Sentinel playbook in Azure Logic Apps retrieves an incident URL that points to an old, deleted resource group instead of the current one
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 67%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECB%3C/text%3E%3C/svg%3E)
Conor Boland
21
Reputation points
Hi, I'm trying to create a playbook in Azure Logic Apps that uses the "When Azure Sentinel incident creation rule was triggered" step as a trigger. This step is supposed to start when an incident is created and retrieve details about the incident for use in later steps.
The playbook works almost perfectly, but the incident URL and incident ARM ID returned by the trigger refer to an old Resource Group that no longer exists. If I swap the correct Resource Group into the link and ARM ID, then both work exactly as they should. It seems like there must be some reference to the old Resource Group still in Azure somewhere, but I haven't been able to figure out how or where to correct this issue and update things to only reference the current Resource Group.
The link provided by the trigger looks like the following, and the correct, working link that I should be getting is exactly the same, but with the correct resource group in place of the incorrect one.
https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/<subscription-id>/resourceGroups/<incorrect-resource-group>/providers/Microsoft.OperationalInsights/workspaces/<log-analytics-workspace>/providers/Microsoft.SecurityInsights/Incidents/<incident-id>
Does anyone have any ideas on how I would go about fixing this?