Error 400 - Restrict-MDEIPAddress

[tora1104]

Used the deploy to Azure button for alert trigger from https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Restrict-MDEIPAddress.

Followed the instructions to add permissions -
$MIGuid = ""
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

$MDEAppId = "fc780465-2017-40d4-a0c5-307022471b92"
$PermissionName = "Ti.ReadWrite"

$MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$.Value -eq $PermissionName -and $.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id

Getting the following error:
"error": {
"code": 400,
"source": "logic-apis-northcentralus.azure-apim.net",
"clientRequestId": "10029ec8-a4dc-4760-a4c5-b7d208dd07b7",
"message": "The response is not in a JSON format.",
"innerError": "Invalid subscription id or resource group or API connection"

Check the subscription ID and resource group - both are correct. Not sure how to check the API connection but verified I ran the above to give the managed identity permissions.

What am I missing?

Thanks for your help!

[github-actions]

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

[dicolanl]

Hi @tora1104 which step threw this error? could you share a screenshot?

[tora1104]

The Alert-Get Incident step erred out -

[dicolanl]

This doesnt look like a permissions issue or issue with the API connection config per se. I recommend you open a support ticket as it appears the connector is having an issue.

[tora1104]

Bummer, ok, I'll give that a shot.

Thanks for reviewing.

[samikroy]

@tora1104 & @dicolanl - Was able to fix this by assigning Microsoft Sentinel Reader at Resource group for the MSI.
And have created PR #4077 to embed the script for the same.
Request you review .

[tora1104]

@samikroy Thanks for the info!

I opened a ticket and was given similar instructions on giving the managed identity Microsoft Sentinel Reader permissions - but this was at the Sentinel level instead of the resource group. Not sure if that matters? I just tested and it worked.

Here is the link they sent me - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-managed-identity-for-azure-sentinel-logic-apps/ba-p/2068204

Was missing this part -

[dicolanl]

RG will roll down to the sentinel workspace level. either works. Ill look to add this to the deployment template too!

[github-actions]

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.