Azure / LogicAppsUX

https://learn.microsoft.com/azure/logic-apps
MIT License

Logic Apps - Update Sentinel incident - Status Closed Classification disappear GUI #4684

Closed AlexLandertown closed 6 months ago

AlexLandertown commented 6 months ago

Describe the Bug with repro steps

1. Create a new playbook in Sentinel Automation.
2. Create a Logic App with Update Incident as an action.
3. Select Status Closed and fill in Classification.
4. Save the Logic App.
5. Quit and come back to the Logic App.
6. Look if the Classification is still there (in the designer; it is still in the Logic App code).

=> In my case, the Classification part just disappears, without even saving the "new" code without it. If you change the connection at the bottom of the action, it may reappear.

What type of Logic App Is this happening in?

Consumption (Portal)

Are you using new designer or old designer

New Designer

Did you refer to the TSG before filing this issue? https://aka.ms/lauxtsg

No

Workflow JSON

{
  "definition": {
      "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
      "actions": {
          "Compose": {
              "inputs": {
                  "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
                  "body": [
                      {
                          "size": "large",
                          "text": "New Microsoft Sentinel incident created",
                          "type": "TextBlock",
                          "wrap": true
                      },
                      {
                          "columns": [
                              {
                                  "items": [
                                      {
                                          "size": "Small",
                                          "style": "Person",
                                          "type": "Image",
                                          "url": "https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png"
                                      }
                                  ],
                                  "type": "Column",
                                  "width": "stretch"
                              },
                              {
                                  "items": [
                                      {
                                          "text": "[Click here to view the incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})",
                                          "type": "TextBlock",
                                          "wrap": true
                                      }
                                  ],
                                  "type": "Column",
                                  "width": "stretch"
                              }
                          ],
                          "type": "ColumnSet"
                      },
                      {
                          "facts": [
                              {
                                  "title": "Incident Title",
                                  "value": "@{triggerBody()?['object']?['properties']?['title']}"
                              },
                              {
                                  "title": "Incident ID",
                                  "value": "@{triggerBody()?['object']?['properties']?['incidentNumber']}"
                              },
                              {
                                  "title": "Incident Creation Time",
                                  "value": "@{triggerBody()?['object']?['properties']?['createdTimeUtc']}"
                              },
                              {
                                  "title": "Severity",
                                  "value": "@{triggerBody()?['object']?['properties']?['severity']}"
                              },
                              {
                                  "title": "Alert Providers",
                                  "value": "@{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'],'; ')}"
                              },
                              {
                                  "title": "Tactics",
                                  "value": "@{join(triggerBody()?['object']?['properties']?['additionalData']?['tactics'], '; ')}"
                              },
                              {
                                  "title": "Incident Description",
                                  "value": "@{triggerBody()?['object']?['properties']?['description']}"
                              }
                          ],
                          "type": "FactSet"
                      },
                      {
                          "separator": true,
                          "size": "Large",
                          "spacing": "Large",
                          "text": "Respond:",
                          "type": "TextBlock",
                          "weight": "Bolder",
                          "wrap": true
                      },
                      {
                          "text": "Close Microsoft Sentinel incident?",
                          "type": "TextBlock",
                          "wrap": true
                      },
                      {
                          "choices": [
                              {
                                  "title": "Close incident - False Positive",
                                  "value": "FalsePositive - IncorrectAlertLogic"
                              },
                              {
                                  "title": "Close incident - True Positive",
                                  "value": "TruePositive - SuspiciousActivity"
                              },
                              {
                                  "title": "Close incident - Benign Positive",
                                  "value": "BenignPositive - SuspiciousButExpected"
                              },
                              {
                                  "title": "Don't close the incident",
                                  "value": "no"
                              }
                          ],
                          "id": "incidentStatus",
                          "placeholder": "Placeholder text",
                          "type": "Input.ChoiceSet",
                          "value": "no"
                      },
                      {
                          "text": "Change Microsoft Sentinel incident severity?",
                          "type": "TextBlock",
                          "wrap": true
                      },
                      {
                          "choices": [
                              {
                                  "title": "High",
                                  "value": "High"
                              },
                              {
                                  "title": "Medium",
                                  "value": "Medium"
                              },
                              {
                                  "title": "Low",
                                  "value": "Low"
                              },
                              {
                                  "title": "Informational",
                                  "value": "Informational"
                              },
                              {
                                  "title": "Don't change",
                                  "value": "same"
                              }
                          ],
                          "id": "incidentSeverity",
                          "placeholder": "Placeholder text",
                          "type": "Input.ChoiceSet",
                          "value": "same"
                      },
                      {
                          "actions": [
                              {
                                  "title": "Submit",
                                  "type": "Action.Submit"
                              }
                          ],
                          "type": "ActionSet"
                      }
                  ],
                  "type": "AdaptiveCard",
                  "version": "1.4"
              },
              "runAfter": {},
              "type": "Compose"
          },
          "Condition": {
              "actions": {
                  "Update_incident": {
                      "inputs": {
                          "body": {
                              "incidentArmId": "@triggerBody()?['object']?['id']",
                              "severity": "@{body('Post_Adaptive_Card_and_wait_for_a_response')?['data']?['incidentSeverity']}"
                          },
                          "host": {
                              "connection": {
                                  "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                              }
                          },
                          "method": "put",
                          "path": "/Incidents"
                      },
                      "type": "ApiConnection"
                  }
              },
              "else": {
                  "actions": {}
              },
              "expression": {
                  "and": [
                      {
                          "not": {
                              "equals": [
                                  "@body('Post_Adaptive_Card_and_wait_for_a_response')?['data']?['incidentSeverity']",
                                  "same"
                              ]
                          }
                      }
                  ]
              },
              "runAfter": {
                  "Update_an_adaptive_card_in_a_chat_or_channel": [
                      "Succeeded"
                  ]
              },
              "type": "If"
          },
          "Condition_1": {
              "actions": {
                  "Update_incident_1": {
                      "inputs": {
                          "body": {
                              "classification": {
                                  "ClassificationAndReason": "@body('Post_Adaptive_Card_and_wait_for_a_response')?['data']?['incidentStatus']",
                                  "ClassificationReasonText": "User choice from Send Teams adaptive card on incident creation playbook."
                              },
                              "incidentArmId": "@triggerBody()?['object']?['id']",
                              "status": "Closed"
                          },
                          "host": {
                              "connection": {
                                  "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                              }
                          },
                          "method": "put",
                          "path": "/Incidents"
                      },
                      "type": "ApiConnection"
                  }
              },
              "else": {
                  "actions": {}
              },
              "expression": {
                  "and": [
                      {
                          "not": {
                              "equals": [
                                  "@body('Post_Adaptive_Card_and_wait_for_a_response')?['data']?['incidentStatus']",
                                  "no"
                              ]
                          }
                      }
                  ]
              },
              "runAfter": {
                  "Condition": [
                      "Succeeded"
                  ]
              },
              "type": "If"
          },
          "Post_adaptive_card_and_wait_for_a_response": {
              "inputs": {
                  "body": {
                      "body": {
                          "messageBody": "@{outputs('Compose')}",
                          "recipient": {
                              "channelId": "",
                              "groupId": ""
                          }
                      },
                      "notificationUrl": "@{listCallbackUrl()}"
                  },
                  "host": {
                      "connection": {
                          "name": "@parameters('$connections')['teams']['connectionId']"
                      }
                  },
                  "path": "/v1.0/teams/conversation/gatherinput/poster/Flow bot/location/@{encodeURIComponent('Channel')}/$subscriptions"
              },
              "runAfter": {
                  "Compose": [
                      "Succeeded"
                  ]
              },
              "type": "ApiConnectionWebhook"
          },
          "Update_an_adaptive_card_in_a_chat_or_channel": {
              "inputs": {
                  "body": {
                      "messageBody": "{\n  \"type\": \"AdaptiveCard\",\n  \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n  \"version\": \"1.4\",\n  \"body\": [\n    {\n      \"type\": \"TextBlock\",\n      \"text\": \"Microsoft Sentinel incident assigned\",\n      \"wrap\": true,\n      \"size\": \"large\"\n    },\n    {\n      \"type\": \"ColumnSet\",\n      \"columns\": [\n        {\n          \"type\": \"Column\",\n          \"width\": \"stretch\",\n          \"items\": [\n            {\n              \"type\": \"Image\",\n              \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n              \"size\": \"Small\",\n              \"style\": \"Person\"\n            }\n          ]\n        },\n        {\n          \"type\": \"Column\",\n          \"width\": \"stretch\",\n          \"items\": [\n            {\n              \"type\": \"TextBlock\",\n              \"text\": \"[Click here to view the incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n              \"wrap\": true\n            }\n          ]\n        }\n      ]\n    },\n    {\n      \"type\": \"FactSet\",\n      \"facts\": [\n        {\n          \"title\": \"Incident Title\",\n          \"value\": \"@{triggerBody()?['object']?['properties']?['title']}\"\n        },\n        {\n          \"title\": \"Incident ID\",\n          \"value\": \"@{triggerBody()?['object']?['properties']?['incidentNumber']}\"\n        },\n        {\n          \"title\": \"Incident Creation Time\",\n          \"value\": \"@{triggerBody()?['object']?['properties']?['createdTimeUtc']}\"\n        },\n        {\n          \"title\": \"Severity\",\n          \"value\": \"@{triggerBody()?['object']?['properties']?['severity']}\"\n        },\n        {\n          \"title\": \"Alert Providers\",\n          \"value\": \"@{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'],'; ')}\"\n        },\n        {\n          \"title\": \"Tactics\",\n          \"value\": \"@{join(triggerBody()?['object']?['properties']?['additionalData']?['tactics'], '; ')}\"\n        },\n        {\n          \"title\": \"Incident Description\",\n          \"value\": \"@{triggerBody()?['object']?['properties']?['description']}\"\n        }\n      ]\n    },\n    {\n      \"type\": \"TextBlock\",\n      \"text\": \"Assigned:\",\n      \"wrap\": true,\n      \"spacing\": \"Large\",\n      \"separator\": true,\n      \"size\": \"Large\",\n      \"weight\": \"Bolder\"\n    },\n    {\n      \"type\": \"TextBlock\",\n      \"text\": \"@{triggerBody()?['object']?['properties']?['owner']?['userPrincipalName']}\",\n      \"wrap\": true\n    }\n  ]\n}",
                      "messageId": "@{outputs('Post_adaptive_card_and_wait_for_a_response')?['body/messageId']}",
                      "recipient": {
                          "channelId": "",
                          "groupId": ""
                      }
                  },
                  "host": {
                      "connection": {
                          "name": "@parameters('$connections')['teams']['connectionId']"
                      }
                  },
                  "method": "post",
                  "path": "/v1.0/teams/conversation/updateAdaptivecard/poster/Flow bot/location/@{encodeURIComponent('Channel')}"
              },
              "runAfter": {
                  "Update_incident_2": [
                      "Succeeded"
                  ]
              },
              "type": "ApiConnection"
          },
          "Update_incident_2": {
              "inputs": {
                  "body": {
                      "incidentArmId": "@triggerBody()?['object']?['id']",
                      "owner": "@{body('Post_Adaptive_Card_and_wait_for_a_response')?['responder']?['objectid']}",
                      "ownerAction": "Assign"
                  },
                  "host": {
                      "connection": {
                          "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                      }
                  },
                  "method": "put",
                  "path": "/Incidents"
              },
              "runAfter": {
                  "Post_adaptive_card_and_wait_for_a_response": [
                      "Succeeded"
                  ]
              },
              "type": "ApiConnection"
          }
      },
      "contentVersion": "1.0.0.0",
      "outputs": {},
      "parameters": {
          "$connections": {
              "defaultValue": {},
              "type": "Object"
          }
      },
      "triggers": {
          "Microsoft_Sentinel_incident": {
              "inputs": {
                  "body": {
                      "callback_url": "@{listCallbackUrl()}"
                  },
                  "host": {
                      "connection": {
                          "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                      }
                  },
                  "path": "/incident-creation"
              },
              "type": "ApiConnectionWebhook"
          }
      }
  },
  "parameters": {
      "$connections": {
          "value": {
              "azuresentinel": {
                  "connectionId": "",
                  "connectionName": "azuresentinel-Send-Teams-Adaptive-Card-on-incident-creation",
                  "connectionProperties": {
                      "authentication": {
                          "type": "ManagedServiceIdentity"
                      }
                  },
                  "id": ""
              },
              "teams": {
                  "connectionId": "",
                  "connectionName": "",
                  "id": ""
              }
          }
      }
  }
}

Screenshots or Videos

2024-04-23 14_18_49-Send-Teams-Adaptive-Card-2 - Microsoft Azure — Mozilla Firefox 2024-04-23 14_18_22-

Browser

Firefox

Additional context

No response

AlexLandertown commented 6 months ago

Let me add: even if it is in the code, when you modify via the GUI and save your changes, the classification is removed from the code, and that's a real problem.
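A check a playbook owner could run on exported workflow JSON before and after a designer save, to catch the loss described in this thread (an added example, not part of the issue or of the LogicAppsUX code). It treats any `ApiConnection` action with `method` `put` and `path` `/Incidents`, as in the posted workflow, as an Update incident action; the function names and the trimmed sample are assumptions of this example.

```python
import copy

def iter_actions(actions, prefix=""):
    """Yield (path, action), descending into If/Scope/Foreach/Switch containers."""
    for name, action in (actions or {}).items():
        path = f"{prefix}/{name}" if prefix else name
        yield path, action
        yield from iter_actions(action.get("actions"), path)
        yield from iter_actions((action.get("else") or {}).get("actions"), path + "/else")
        for case, branch in (action.get("cases") or {}).items():
            yield from iter_actions(branch.get("actions"), f"{path}/{case}")
        yield from iter_actions((action.get("default") or {}).get("actions"), path + "/default")

def incident_updates(workflow):
    """Map action path -> request body for each PUT /Incidents connector action."""
    found = {}
    for path, action in iter_actions(workflow["definition"]["actions"]):
        inputs = action.get("inputs") or {}
        if (action.get("type") == "ApiConnection"
                and str(inputs.get("method", "")).lower() == "put"
                and inputs.get("path") == "/Incidents"):
            found[path] = inputs.get("body") or {}
    return found

def closed_without_classification(workflow):
    """Actions that close an incident but carry no classification object."""
    return sorted(p for p, body in incident_updates(workflow).items()
                  if body.get("status") == "Closed" and not body.get("classification"))

def dropped_fields(before, after):
    """Body keys present before a save but missing afterwards, per action."""
    saved = incident_updates(after)
    diff = {path: sorted(set(body) - set(saved.get(path, {})))
            for path, body in incident_updates(before).items()}
    return {path: keys for path, keys in diff.items() if keys}

# Constructed sample, trimmed from the workflow posted in this issue.
BEFORE = {"definition": {"actions": {
    "Condition_1": {"type": "If", "else": {"actions": {}}, "actions": {
        "Update_incident_1": {"type": "ApiConnection", "inputs": {
            "method": "put", "path": "/Incidents", "body": {
                "incidentArmId": "@triggerBody()?['object']?['id']",
                "status": "Closed",
                "classification": {"ClassificationAndReason": "TruePositive - SuspiciousActivity"}}}}}},
    "Update_incident_2": {"type": "ApiConnection", "inputs": {
        "method": "put", "path": "/Incidents", "body": {
            "incidentArmId": "@triggerBody()?['object']?['id']",
            "ownerAction": "Assign"}}}}}}

# Simulate the designer save described in the issue: classification is gone.
AFTER = copy.deepcopy(BEFORE)
del (AFTER["definition"]["actions"]["Condition_1"]["actions"]
     ["Update_incident_1"]["inputs"]["body"]["classification"])

if __name__ == "__main__":
    print(closed_without_classification(AFTER))
    print(dropped_fields(BEFORE, AFTER))
```

Run against the code-view JSON saved before opening the designer and again after saving from it; a non-empty result from either function means the designer rewrote an incident update.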

hartra344 commented 6 months ago

Is classification part of the swagger? The UI will only support the properties/fields that the action says is available.

AlexLandertown commented 6 months ago

Yes it is. When I created the Logic App, I saw the Classification field in the Logic App Designer UI when I selected Status Closed, as you can see in this picture found in this post: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/using-microsoft-teams-adaptive-cards-to-enhance-incident/ba-p/3330941

Eric-B-Wu commented 6 months ago

Would you be able to see if the issue is fixed in: http://portal.azure.com/?feature.canmodifystamps=true&Microsoft_Azure_EMA=hotfix#home

We're currently hotfixing a different issue, but it may be linked with this one.

AlexLandertown commented 6 months ago

Hi Eric, Yeah it seems fixed with the hotfix. You know when it'll be live?

Eric-B-Wu commented 6 months ago

We tried to hotfix this yesterday; however, one of our dependent services for deployment ended up failing. We'll follow up with them today, and see if we can get this hotfixed ASAP.

hartra344 commented 6 months ago

@AlexLandertown as Eric said, we'll try to get this fully hotfixed today but feel free to use the link above in the meantime

Eric-B-Wu commented 6 months ago

deployment has now finished in all regions