Home

Azure REST API - $filter param for time delta throws ProviderError

%3CLINGO-SUB%20id%3D%22lingo-sub-748451%22%20slang%3D%22en-US%22%3EAzure%20REST%20API%20-%20%24filter%20param%20for%20time%20delta%20throws%20ProviderError%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-748451%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20All%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20facing%20issues%20with%20the%20Azure%20API%20endpoint%20for%20fetching%20security%20alerts%20based%20on%20given%20time%20filter.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fapc01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Frest%252Fapi%252Fsecuritycenter%252Falerts%252Flistbyresourcegroup%2523code-try-0%26amp%3Bdata%3D02%257C01%257Cannishprashan.stevi%2540hcl.com%257Ce89ea1593b4247b8b13f08d70530766b%257C189de737c93a4f5a8b686f4ca9941912%257C0%257C0%257C636983578009379205%26amp%3Bsdata%3DJavMX5P2vJPhQ5ERafc4kC5gxELv%252FEjtulWo%252B84xhIQ%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20API%20Documentation%20Link%3C%2FA%3E%26nbsp%3Band%20screenshot%20for%20the%20API%20section%2C%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20600px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F122958iCB9580BDBFE930D6%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22azure%20api%20doc.png%22%20title%3D%22azure%20api%20doc.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20encountered%20the%20following%20error%20while%20hitting%20the%20endpoint%20with%20the%20required%20params%20and%20Bearer%20access%20token.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EError%20Details%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%7B%3C%2FP%3E%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22error%22%3A%20%7B%3C%2FP%3E%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22code%22%3A%20%22ProviderError%22%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22message%22%3A%20%22Resource%20provider%20'Microsoft.Security'%20failed%20to%20return%20collection%20response%20for%20type%20'alerts'.%22%3C%2FP%3E%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%3C%2FP%3E%3CP%3E%7D%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EEndpoint%20URL%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fmanagement.azure.com%2Fsubscriptions%2F%7Bsubscription-id%7D%2FresourceGroups%2F%7BResourceGroup%7D%2Fproviders%2FMicrosoft.Security%2Falerts%3Fapi-version%3D%7Bversion%7D%7D%26amp%3B%24filter%3Dproperties.reportedTimeUtc%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmanagement.azure.com%2Fsubscriptions%2F%7Bsubscription-id%7D%2FresourceGroups%2F%7BResourceGroup%7D%2Fproviders%2FMicrosoft.Security%2Falerts%3Fapi-version%3D%7Bversion%7D%7D%26amp%3B%24filter%3Dproperties.reportedTimeUtc%3C%2FA%3Eeq%20'2019-07-06T08%3A00%3A51.8801218Z'%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3ENOTE%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EThe%20URL%20gives%20response%20without%20specifying%20the%20time%20%E2%80%9Cfilter%E2%80%9D%20%2C%20but%20when%20using%20filter%20as%20one%20of%20the%20params%2C%20we%20get%20the%20above%20mentioned%20error.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3E%3CEM%3EThe%20param%20value%20used%3A%3C%2FEM%3E%3C%2FSTRONG%3E%26nbsp%3B%20%24filter%20%3D%20properties.reportedTimeUtc%20eq%20'2019-07-06T08%3A00%3A51.8801218Z'%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20602px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F122959iB1885D3429478E0F%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22api%20doc%20filter%20param.png%22%20title%3D%22api%20doc%20filter%20param.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECould%20anyone%20help%20in%20the%20resolution%20of%20this%20issue%3F%20Let%20me%20know%20for%20any%20additional%20details%2Fclarifications.%20Thank%20You.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-748451%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAnalytics%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAPI%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EApp%20Services%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Resource%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMonitoring%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%20%26amp%3B%20Compliance%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-905120%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20REST%20API%20-%20%24filter%20param%20for%20time%20delta%20throws%20ProviderError%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-905120%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20using%20the%20REST%20API%20to%20pull%20in%20Azure%20Security%20Center%20Alerts%20as%20well.%20%26nbsp%3B%26nbsp%3B%26nbsp%3BWe%20use%20the%20reported%20time%20as%20a%20check%20point%2C%20but%20the%20API%20throws%20and%20error%20pulling%20the%20%24filter%20parameter%2C%20therefore%20it%20pulls%20in%20all%20alerts%20every%20time.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20costing%20us%20real%20money%20as%20it%20consumes%20our%20SEIM%20license%2C%20and%20creates%20redundant%20non-useable%20data%20on%20disk.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJust%20wanted%20to%20say%20me%20too.%26nbsp%3B%20%3A)%3C%2Fimg%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Annish_Prashanth
Occasional Visitor

Hello All,

 

We are facing issues with the Azure API endpoint for fetching security alerts based on given time filter.

 

Azure API Documentation Link and screenshot for the API section,

azure api doc.png

 

We encountered the following error while hitting the endpoint with the required params and Bearer access token.

 

Error Details:

{

    "error": {

        "code": "ProviderError",

        "message": "Resource provider 'Microsoft.Security' failed to return collection response for type 'alerts'."

    }

}

 

Endpoint URL:

https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{ResourceGroup}/provider... eq '2019-07-06T08:00:51.8801218Z'

 

 

NOTE:

The URL gives response without specifying the time “filter” , but when using filter as one of the params, we get the above mentioned error.

 

The param value used:  $filter = properties.reportedTimeUtc eq '2019-07-06T08:00:51.8801218Z'

api doc filter param.png

 

Could anyone help in the resolution of this issue? Let me know for any additional details/clarifications. Thank You.

 

 

 

2 Replies

 

We are using the REST API to pull in Azure Security Center Alerts as well.    We use the reported time as a check point, but the API throws and error pulling the $filter parameter, therefore it pulls in all alerts every time.

 

This is costing us real money as it consumes our SEIM license, and creates redundant non-useable data on disk.

 

Just wanted to say me too.  :) 

 

@Annish_Prashanth 

 

I received an update from our dev that you will need to use the correct API version using the following supported query. Please review below and let us know if you have additional questions or concerns.

 

Update from dev:

This is how you write the query, this is supported:

https://management.azure.com/subscriptions/{Sub ID}/providers/Microsoft.Security/alerts/?api-version=2019-01-01&$filter=Properties/ReportedTimeUtc gt 2019-10-22T01:40:02.4275428Z

 

1) Properties/ReportedTimeUtc is case sensitive

2) Notice the use of a ‘/’ instead of ‘.’

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
38 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies