The ARM ID is the fully qualified ID starting with forward slash subscription:
/subscriptions/d1d8779d-38d7-4f06-91db-XXXXXXXXXXXX/resourceGroups/soc/providers/Microsoft.OperationalInsights/workspaces/cybersecuritysoc/providers/Microsoft.SecurityInsights/Incidents/8524bc04-5916-c007-13a0-d53048ebfb27
You can use a parser in your logic app to split the ARM ID from the URL. If you are doing a KQL query you can parse within your query to output the ID. You can construct the ARM ID with variables for the subscription, resource group, and workspace names.
You might also try experimenting with the different Sentinel logic app activities. There is a get-incident and a get-alert. One of them automatically parses out the ARM ID. I just don't recall which at the moment. This is by far the easiest option. If I recall a alert-based trigger is often followed with a get-incident activity to return the ARM ID for use in later requests.