SOLVED

Is there a bug in filtering by severity?

Creighton Medley
New Contributor

The sample works (using fake data)

https://graph.microsoft.com/beta/security/alerts?filter=Severity eq 'High'&$top=5

But if I use the same call with a bearer token, it returns ->

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#Security/alerts",
  "value": []
}

(same for Medium, Low and just in case, tried high, medium and low)

If I make up a severity name, it returns ->

{
  "error": {
    "code": "BadRequest",
    "message": "Invalid filter clause",
    "innerError": {
      "request-id": "20fbaaca-8f2c-4c86-9d2c-f990ca3cfe86",
      "date": "2018-09-11T15:47:23"
    }
  }
}

So I'm thinking it is a bug ... does filtering by severity work for anyone else?

5 Replies
Creighton, when using your bearer token are you getting alerts back without filter? i.e. https://graph.microsoft.com/beta/security/alerts

Yes ... the alerts work if I remove the filter

I can add other arguments like ?$orderby=eventDateTime+desc and it works as expected

Just returns [] when filtering by severity

Thank you for your feedback. A bug report has been filed, and the team is investigating the root cause of this issue.
Solution
Creighton, we have resolved the bug that surfaced due to the recent Alert Schema update. Please verify that it now works correctly. Thank you again for your feedback.
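
The three probes used in this thread (unfiltered call, filtered call, made-up severity) can be turned into a repeatable consistency check, shown here as an added example that is not part of the original posts or of Microsoft's code. The `fetch` callable, the stub server and the sample alerts are constructed stand-ins so the check runs offline; in practice `fetch` would be an authenticated GET returning parsed JSON.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

ALERTS_URL = "https://graph.microsoft.com/beta/security/alerts"  # endpoint quoted in the thread
VALID = {"high", "medium", "low"}  # severities tried in the thread

# Constructed sample alerts (not real tenant data).
SAMPLE_ALERTS = [
    {"id": "a1", "severity": "high"},
    {"id": "a2", "severity": "low"},
    {"id": "a3", "severity": "high"},
]

def build_url(severity=None):
    """Unfiltered URL, or the same URL with a severity filter clause."""
    if severity is None:
        return ALERTS_URL
    return ALERTS_URL + "?" + urlencode({"$filter": f"Severity eq '{severity}'"})

def _requested_severity(url):
    clause = parse_qs(urlsplit(url).query).get("$filter", [None])[0]
    return clause.split("'")[1] if clause else None

def make_stub(buggy):
    """Hypothetical stand-in for the API; buggy=True mimics the behaviour reported above."""
    def fetch(url):
        sev = _requested_severity(url)
        if sev is None:
            return {"value": list(SAMPLE_ALERTS)}
        if sev.lower() not in VALID:
            return {"error": {"code": "BadRequest", "message": "Invalid filter clause"}}
        if buggy:
            return {"value": []}  # valid clause accepted, nothing returned
        return {"value": [a for a in SAMPLE_ALERTS if a["severity"] == sev.lower()]}
    return fetch

def check_severity_filter(fetch, severity):
    """Compare the server-side filter with a client-side filter of the unfiltered page."""
    baseline = fetch(build_url())["value"]
    expected = {a["id"] for a in baseline
                if a.get("severity", "").lower() == severity.lower()}
    resp = fetch(build_url(severity))
    if "error" in resp:
        return "rejected", sorted(expected)
    missing = expected - {a["id"] for a in resp["value"]}
    # Alerts seen unfiltered but absent from the filtered result are a silent gap.
    return ("mismatch" if missing else "consistent"), sorted(missing)
```

A "consistent" verdict only means the baseline page held no alerts that the filter dropped; when the unfiltered page contains no alerts of the requested severity, the check cannot distinguish a working filter from a broken one.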