AbubakrSiddiq-4301 asked MikeUrnun commented

Unable to utilize logics apps to feed data in a watchlist

Hey,

I am unable to add an item to my choice of watchlist using entities like an account, computer, hostname, or IP address. The step where the watchlist condition takes an input is being skipped by the logic app. Can anyone help regarding this?

TIA

azure-logic-apps azure-sentinel

Hello @AbubakrSiddiq-4301 - Could you confirm that you're using the "Watchlists - Add a new watchlist item" action? Also, I would try in Code View as well.

AbubakrSiddiq-4301 answered AbubakrSiddiq-4301 edited

Hey @MikeUrnun - Yep, I am using that particular action; attaching pictures for reference.

[image: 131072-watchlistactionlogicapp.png]
[image: 131071-watchlistlogicapp.png]
[image: 131028-logicappruntimedetails.png]

Hi @AbubakrSiddiq-4301 - My apologies for the late reply. If you're still encountering this issue, it looks like the "Add items to watchlist" actions are being skipped because there may not have been any data flowing through from the upstream trigger/actions. Did you check the RunHistory and validate if the correct set of data is actually being populated from the trigger itself?

MikeUrnun answered MikeUrnun commented

Hello @AbubakrSiddiq-4301 - I read your discussion on the Tech Community link and it looks like the same observation was made for the root cause of the issue. Logic Apps workflows execute in a top-down direction, so the trigger is the component that is supposed to feed data to the rest of the subsequent Actions in your workflow. In your case, you're getting successful runs, and yet no data is flowing through your workflow.

As such, in order to investigate further and as the next step, I recommend that you carefully review the Run History (of the successful runs of your Logic App workflow) and validate the inputs and outputs from the trigger as well as from parallel branches of actions: Entities - Get Accounts, Entities - Get Hosts, etc.

The exact steps on how to review Trigger and Run histories separately in greater detail are on the following documentation: Monitor run status, review trigger history, and set up alerts for Azure Logic Apps

Also, I found the following blog post which seems to be implementing a similar workflow: How to Use the Watchlists Logic App Connector for Azure Sentinel

Let me know if you find something in the Trigger/Run History or run out of options, I'd be happy to dig deeper and help you get the workflow up and running.


Hey @MikeUrnun, thank you for the feedback. This is where I am getting stuck: I did some troubleshooting but unfortunately wasn't able to find out why the data is not flowing through. However, I will check the logic app link you provided.

About the workflow by Rod: I followed it and reached out to him, but that didn't work. It wasn't executable, or we can say a lot has changed in Watchlists since that blog was released.

MikeUrnun replied to AbubakrSiddiq-4301:

@AbubakrSiddiq-4301 Yes, check out that doc on how to troubleshoot using trigger/run history. Since your trigger is firing in response to an event, you should be able to drill down in the trigger history to probe the input event data as well as the output data that should have been passed down to your parallel branches. I'd also look at Run History and do the same drill down into the input data of the parallel actions too.

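The diagnosis in the thread, that a "Watchlists - Add a new watchlist item" step is skipped whenever the upstream entity branch hands it an empty array, can be reproduced offline. The following script is an added example, not code from the thread or from Microsoft; the incident payload, the run-history action list and the action names are constructed samples whose shape is an assumption about the real trigger output and run history.

```python
import json

# Constructed sample data (an assumption about shape, modelled on a Sentinel
# incident trigger output and a Logic Apps run-history action list; not real data).
TRIGGER_OUTPUT = {
    "object": {"properties": {
        "title": "Constructed incident",
        "relatedEntities": [
            {"kind": "Account", "properties": {"accountName": "jdoe", "upnSuffix": "example.com"}},
            {"kind": "Ip", "properties": {"address": "203.0.113.7"}},
        ],
    }}
}
RUN_ACTIONS = [
    {"name": "Entities_-_Get_Accounts", "properties": {"status": "Succeeded"}},
    {"name": "Entities_-_Get_Hosts", "properties": {"status": "Succeeded"}},
    {"name": "Watchlists_-_Add_account_item", "properties": {"status": "Succeeded"}},
    {"name": "Watchlists_-_Add_host_item", "properties": {"status": "Skipped"}},
]
# Which entity kind each watchlist action consumes (hypothetical action names).
KIND_BY_ACTION = {
    "Watchlists_-_Add_account_item": "Account",
    "Watchlists_-_Add_host_item": "Host",
}

def entities_of_kind(trigger_output, kind):
    """Mirror an 'Entities - Get <kind>' branch: filter the incident's entities by kind."""
    ents = trigger_output["object"]["properties"].get("relatedEntities", [])
    return [e for e in ents if e.get("kind") == kind]

def watchlist_items(trigger_output, kind, key_field):
    """Rows a watchlist 'add item' step would receive; an empty list means it never runs."""
    return [{"kind": kind, "value": e["properties"].get(key_field)}
            for e in entities_of_kind(trigger_output, kind)]

def skipped_actions(run_actions):
    """Names of actions the run history reports as Skipped."""
    return [a["name"] for a in run_actions if a["properties"].get("status") == "Skipped"]

def diagnose(trigger_output, run_actions, kind_by_action):
    """For every skipped watchlist action, count the trigger entities of the kind it needs."""
    return {name: len(entities_of_kind(trigger_output, kind_by_action[name]))
            for name in skipped_actions(run_actions) if name in kind_by_action}

if __name__ == "__main__":
    # A count of 0 beside a skipped action is the "no data flowing through" symptom.
    print(json.dumps(diagnose(TRIGGER_OUTPUT, RUN_ACTIONS, KIND_BY_ACTION), indent=2))
```

With a real run, replace the two constructed structures with the trigger output and the run actions copied from the Run History views the answer points to.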