Microsoft Tech Community
SOLVED

Is there a bug in filtering by severity?

The sample works (using fake data)

https://graph.microsoft.com/beta/security/alerts?filter=Severity eq 'High'&$top=5

But if I use the same call with a bearer token, it returns ->

    {
        "@odata.context": "https://graph.microsoft.com/beta/$metadata#Security/alerts",
        "value": []
    }

(same for Medium, Low and just in case, tried high, medium and low)

If I make up a severity name, it returns ->

    {
        "error": {
            "code": "BadRequest",
            "message": "Invalid filter clause",
            "innerError": {
                "request-id": "20fbaaca-8f2c-4c86-9d2c-f990ca3cfe86",
                "date": "2018-09-11T15:47:23"
            }
        }
    }

So I'm thinking it is a bug ... does filtering by severity work for anyone else?

5 Replies
Creighton, when using your bearer token, are you getting alerts back without a filter? i.e. https://graph.microsoft.com/beta/security/alerts

Yes ... the alerts work if I remove the filter

I can add other arguments like ?$orderby=eventDateTime+desc and it works as expected

Just returns [] when filtering by severity

Thank you for your feedback. A bug report has been filed, and the team is investigating the root cause of this issue.
best response confirmed by Creighton Medley (Copper Contributor)
Solution
Creighton, we have resolved the bug that surfaced due to the recent Alert Schema update. Please verify that it now works correctly. Thank you again for your feedback.

Works!
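
A client-side cross-check for the failure described in this thread (a severity filter that silently returns an empty list while the unfiltered call still returns alerts), as an added example that is not part of the original posts. The function names, the sample responses and the list of severity values are assumptions made for the illustration; the endpoint is the one quoted in the question.

```python
from urllib.parse import quote, urlencode

BASE = "https://graph.microsoft.com/beta/security/alerts"  # endpoint from the thread
# Assumption: severity values of the Graph alert schema (not listed in the thread).
SEVERITIES = {"unknown", "informational", "low", "medium", "high"}


def build_url(severity, top=None):
    """Build the filtered URL; reject a value the API would answer with BadRequest."""
    if severity.lower() not in SEVERITIES:
        raise ValueError(f"not a known severity: {severity!r}")
    params = {"$filter": f"severity eq '{severity}'"}
    if top is not None:
        params["$top"] = str(top)
    # quote() turns spaces into %20; "$" and "'" stay literal for readability.
    return BASE + "?" + urlencode(params, quote_via=quote, safe="$'")


def missing_from_filtered(unfiltered, filtered, severity):
    """IDs that match `severity` in the unfiltered response but are absent from
    the filtered one. Returns None when the filtered response is paged."""
    if "@odata.nextLink" in filtered:
        return None  # more pages to fetch first; comparison is inconclusive
    want = severity.lower()
    expected = {a["id"] for a in unfiltered["value"]
                if str(a.get("severity", "")).lower() == want}
    return sorted(expected - {a["id"] for a in filtered["value"]})


# Constructed sample responses (not real alert data).
UNFILTERED = {"value": [{"id": "a1", "severity": "high"},
                        {"id": "a2", "severity": "low"},
                        {"id": "a3", "severity": "high"}]}
EMPTY = {"value": []}          # what the thread saw for every real severity
FIXED = {"value": [{"id": "a1", "severity": "high"},
                   {"id": "a3", "severity": "high"}]}

if __name__ == "__main__":
    print(build_url("High", top=5))
    print("dropped by filter:", missing_from_filtered(UNFILTERED, EMPTY, "High"))
    print("after the fix:    ", missing_from_filtered(UNFILTERED, FIXED, "High"))
```

A non-empty result means the filtered query dropped alerts that the unfiltered query shows, so a collector relying on the filter would miss them.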
