SOLVED

Is there a bug in filtering by severity?

Creighton Medley
New Contributor

The sample works (using fake data)

https://graph.microsoft.com/beta/security/alerts?filter=Severity eq 'High'&$top=5

 

But if I use the same call with a bearer token, it returns ->

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#Security/alerts",
  "value": []
}

(same for Medium, Low and just in case, tried high, medium and low)

 

If I make up a severity name, it returns ->

{
  "error": {
    "code": "BadRequest",
    "message": "Invalid filter clause",
    "innerError": {
      "request-id": "20fbaaca-8f2c-4c86-9d2c-f990ca3cfe86",
      "date": "2018-09-11T15:47:23"
    }
  }
}

 

So I'm thinking it is a bug ... does filtering by severity work for anyone else?  

5 Replies
Creighton, when using your bearer token are you getting alerts back without filter? i.e. https://graph.microsoft.com/beta/security/alerts

Yes ... the alerts work if I remove the filter

 

I can add other arguments like ?$orderby=eventDateTime+desc and it works as expected

 

Just returns [] when filtering by severity 

Thank you for your feedback. A bug report has been filed, and the team is investigating the root cause of this issue.
Solution
Creighton, we have resolved the bug that surfaced due to the recent Alert Schema update. Please verify that it now works correctly. Thank you again for your feedback.
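
Added example, not part of any post in this thread: a client-side cross-check that catches the failure mode discussed above, where a severity filter returns an empty "value" array although the unfiltered feed contains matching alerts. The fetch callable, the verdict names, the stub server and the sample alerts are assumptions constructed for illustration; the check reads the severity property from each returned alert.

```python
from urllib.parse import urlsplit, parse_qs, quote

ALERTS_URL = "https://graph.microsoft.com/beta/security/alerts"  # endpoint quoted in the thread
KNOWN = {"high", "medium", "low"}  # severities tried in the thread

def check_severity_filter(fetch, severity, top=50):
    """fetch(url) -> parsed JSON body (hypothetical transport supplied by the caller).
    Returns (verdict, ids_missing_from_filtered_result)."""
    flt = quote(f"severity eq '{severity}'")
    filtered = fetch(f"{ALERTS_URL}?$filter={flt}&$top={top}")
    if "error" in filtered:  # e.g. BadRequest / "Invalid filter clause"
        return ("rejected", [])
    if "@odata.nextLink" in filtered:
        # The filtered result is paged, so absence from page one proves nothing.
        return ("inconclusive", [])
    unfiltered = fetch(f"{ALERTS_URL}?$top={top}")
    expected = [a["id"] for a in unfiltered.get("value", [])
                if str(a.get("severity", "")).lower() == severity.lower()]
    returned = {a["id"] for a in filtered.get("value", [])}
    # A complete filtered result must contain every matching alert seen unfiltered.
    missing = [i for i in expected if i not in returned]
    return ("filter_drops_alerts", missing) if missing else ("consistent", [])

# Constructed sample alerts, not real tenant data.
SAMPLE = [{"id": "a1", "severity": "high"},
          {"id": "a2", "severity": "low"},
          {"id": "a3", "severity": "high"}]

def make_stub(filter_works):
    """Offline stand-in for the API: filter_works=False reproduces the empty result."""
    def fetch(url):
        query = parse_qs(urlsplit(url).query)
        if "$filter" not in query:
            return {"value": SAMPLE}
        wanted = query["$filter"][0].split("'")[1].lower()
        if wanted not in KNOWN:
            return {"error": {"code": "BadRequest", "message": "Invalid filter clause"}}
        if not filter_works:
            return {"value": []}
        return {"value": [a for a in SAMPLE if a["severity"] == wanted]}
    return fetch

if __name__ == "__main__":
    print(check_severity_filter(make_stub(False), "High"))
    print(check_severity_filter(make_stub(True), "High"))
```

Run on a schedule against the real endpoint, a "filter_drops_alerts" verdict is the signal that a high-severity alert pull is silently returning nothing.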