Forum Discussion
Azure REST API - $filter param for time delta throws ProviderError
Hello All,
We are facing issues with the Azure API endpoint for fetching security alerts based on a given time filter.
Azure API documentation link and screenshot for the API section:
We encountered the following error while hitting the endpoint with the required params and a Bearer access token.
Error Details:
{
"error": {
"code": "ProviderError",
"message": "Resource provider 'Microsoft.Security' failed to return collection response for type 'alerts'."
}
}
Endpoint URL:
https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{ResourceGroup}/providers/Microsoft.Security/alerts?api-version={version}&$filter=properties.reportedTimeUtc eq '2019-07-06T08:00:51.8801218Z'
NOTE:
The URL gives a response without specifying the time "filter", but when using filter as one of the params, we get the above-mentioned error.
The param value used: $filter = properties.reportedTimeUtc eq '2019-07-06T08:00:51.8801218Z'
Could anyone help in the resolution of this issue? Let me know for any additional details/clarifications. Thank You.
- jaxjohnny, Copper Contributor
We are using the REST API to pull in Azure Security Center Alerts as well. We use the reported time as a checkpoint, but the API throws an error pulling the $filter parameter, therefore it pulls in all alerts every time.
This is costing us real money as it consumes our SIEM license, and creates redundant non-usable data on disk.
Just wanted to say me too.
- jaxjohnny, Copper Contributor
I received an update from our dev that you will need to use the correct API version using the following supported query. Please review below and let us know if you have additional questions or concerns.
Update from dev:
This is how you write the query, this is supported:
https://management.azure.com/subscriptions/{Sub ID}/providers/Microsoft.Security/alerts/?api-version=2019-01-01&$filter=Properties/ReportedTimeUtc gt 2019-10-22T01:40:02.4275428Z
1) Properties/ReportedTimeUtc is case sensitive
2) Notice the use of a '/' instead of '.'
- hello1990, Copper Contributor
1. You need to use '/' instead of '.'
2. It seems the $filter in the alert response needs uppercase letters.
https://management.azure.com/subscriptions/******/providers/Microsoft.Security/alerts?api-version=2019-01-01&$filter=Properties/AlertName eq 'Network_TrafficFromUnrecommendedIP'
This works, but if you change it to
https://management.azure.com/subscriptions/******/providers/Microsoft.Security/alerts?api-version=2019-01-01&$filter=properties/alertName eq 'Network_TrafficFromUnrecommendedIP'
it will fail, even though the response JSON array uses lowercase letters here. Hope this will help you.
"properties": { "vendorName": "Microsoft", "alertDisplayName": "Traffic detected from IP addresses recommended for blocking", "alertName": "Network_TrafficFromUnrecommendedIP", "detectedTimeUtc": "2020-04-01T08:00:00Z",