Forum Discussion
Retrieve alerts for a certain date (range)?
Edward Koval, thanks for the reply.
I tried to filter in the Graph explorer and it worked with a filter like this: /security/alerts?$filter=createdDateTime gt 2019-04-01T00:00:00.000Z and createdDateTime lt 2019-05-05T00:00:00.000Z
I implemented it in my PowerShell script and exported the results to a CSV to get an impression of the data that is retrieved. It looks like there are records with a createdDateTime that should not be in the results.
Example code:
$TodayYMD = Get-Date -format "yyyy-MM-dd"
$Temp = (Get-date).AddDays(-1)
$YesterdayYMD = Get-Date $Temp -Format "yyyy-MM-dd"
$Temp = (Get-date).AddDays(1)
$TomorrowYMD = Get-Date $Temp -Format "yyyy-MM-dd"
(...)
# Retrieve just the alerts that are in a certain time frame
[uri]$uriGraphEndpoint = "https://graph.microsoft.com/v1.0/security/alerts?`$filter=createdDateTime%20gt%20" + $YesterdayYMD + "T00:00:00.000Z%20and%20createdDateTime%20lt%20" + $TomorrowYMD + "T00:00:00.000Z"
Paging is used in the script, but there was just one page with data available (213 items).
In the stored data there are creation dates (createdDateTime) like:
During execution the URL looks like: https://graph.microsoft.com/v1.0/security/alerts?$filter=createdDateTime gt 2019-07-29T00:00:00.000Z and createdDateTime lt 2019-07-31T00:00:00.000Z
So I still need to create a subset of the data:
$subset = $response.value | Where-Object {($_.createdDateTime -like "*$TodayYMD*") -or ($_.createdDateTime -like "*$YesterdayYMD*")} | Sort-Object createdDateTime
Any suggestions?
I would double check the API request that is made to Microsoft Graph to make sure it matches your query in Graph Explorer. Using the $filter query parameter should return the subset of alerts between your time range. If you continue to run into this issue, please send me a direct message with the request id and your Azure tenant id.
- Martijn Wenke, Aug 01, 2019, Copper Contributor
Edward Koval, I did some checks and got the same result in the Graph Explorer. I did send you a personal message.
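An added example, not code from any poster in this thread: it builds the same createdDateTime window filter from UTC values and then checks each returned alert against the window with typed timestamp comparison instead of a string -like match, so out-of-range records are listed explicitly. The function names New-AlertWindowUri and Test-AlertWindow are hypothetical and the sample alerts are constructed.

```powershell
# Added example: function names are hypothetical; sample alerts are constructed.
function New-AlertWindowUri {
    param([Parameter(Mandatory)][datetime]$Start, [Parameter(Mandatory)][datetime]$End)
    # The filter literals end in Z, so convert to UTC before formatting.
    $fmt  = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'"
    $inv  = [cultureinfo]::InvariantCulture
    $from = $Start.ToUniversalTime().ToString($fmt, $inv)
    $to   = $End.ToUniversalTime().ToString($fmt, $inv)
    $filter = "createdDateTime gt $from and createdDateTime lt $to"
    "https://graph.microsoft.com/v1.0/security/alerts?`$filter=" + [uri]::EscapeDataString($filter)
}

function Test-AlertWindow {
    param([Parameter(Mandatory)][object[]]$Alerts,
          [Parameter(Mandatory)][datetime]$Start,
          [Parameter(Mandatory)][datetime]$End)
    $from = [datetimeoffset]$Start.ToUniversalTime()
    $to   = [datetimeoffset]$End.ToUniversalTime()
    foreach ($alert in $Alerts) {
        $raw = $alert.createdDateTime
        # Windows PowerShell leaves JSON timestamps as strings; PowerShell 6+ may
        # already have converted them to [datetime]. Handle both.
        if ($raw -is [datetime]) {
            $created = [datetimeoffset]$raw.ToUniversalTime()
        } else {
            $created = [datetimeoffset]::Parse([string]$raw, [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::AssumeUniversal)
        }
        [pscustomobject]@{
            id              = $alert.id
            createdDateTime = $created.UtcDateTime.ToString("o")
            InWindow        = ($created -gt $from) -and ($created -lt $to)
        }
    }
}

# Window taken from the URL quoted in the thread; the alerts are constructed.
$start = [datetime]::new(2019, 7, 29, 0, 0, 0, [DateTimeKind]::Utc)
$end   = [datetime]::new(2019, 7, 31, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ id = "constructed-1"; createdDateTime = "2019-07-29T08:15:00.000Z" }
    [pscustomobject]@{ id = "constructed-2"; createdDateTime = "2019-07-12T21:40:10.000Z" }
)
New-AlertWindowUri -Start $start -End $end
Test-AlertWindow -Alerts $sample -Start $start -End $end | Where-Object { -not $_.InWindow }
```

With live data, pass `$response.value` as `-Alerts`; any row with InWindow set to False is a record the service returned outside the requested range.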