Jul 24 2019 11:45 PM
Is it possible to retrieve alerts for a certain date?
My script gets a lot of alerts (for example 'Anonymous IP address' alerts), so I want to limit the amount of data.
I tested the filtering using the Graph Explorer: (https://developer.microsoft.com/en-us/graph/graph-explorer)
Example 1) https://graph.microsoft.com/v1.0/security/alerts?$filter=Severity eq 'High'
This is working fine; the returned data is limited to High severity alerts.
Example 2) I changed #1 to https://graph.microsoft.com/v1.0/security/alerts?$filter=eventDateTime eq '2019-07-20T15:58:31Z'
I know that there is an item in the example data set that should match, but the query failed (Invalid filter clause).
So I am looking for another way to get the most recent alert (of just today or date range), for example with something like a sort of 'like' operator: $filter=eventDateTime like '2019-07-23'
Of course I can filter afterwards, but retrieving less data would be better to speed up the processing of the alerts.
Any suggestions?
Thanks.
Jul 26 2019 02:51 PM - edited Jul 26 2019 02:52 PM
Hi @Martijn Wenke,
In order to get the most recent alert, you can use the $top query. For example, https://graph.microsoft.com/v1.0/security/alerts?$top=10 will return 10 of the most recent alerts from each security provider that you have in your Azure AD tenant.
If you would like to filter alerts using a DateTime range, there are a few example queries that show how to do so here: https://github.com/microsoftgraph/security-api-solutions/tree/master/Queries
I would recommend reading the Microsoft Graph documentation regarding OData queries. https://docs.microsoft.com/graph/query-parameters
Jul 30 2019 02:32 AM
@Edward Koval Thanks for the reply.
I tried to filter in the Graph explorer and it worked with a filter like this: /security/alerts?$filter=createdDateTime gt 2019-04-01T00:00:00.000Z and createdDateTime lt 2019-05-05T00:00:00.000Z
I implemented it in my PowerShell script and export the results to a CSV to get an impression of the data that is retrieved. It looks like there are records with a createdDateTime that should not be in the results.
Example code:
$TodayYMD = Get-Date -format "yyyy-MM-dd"
$Temp = (Get-date).AddDays(-1)
$YesterdayYMD = Get-Date $Temp -Format "yyyy-MM-dd"
$Temp = (Get-date).AddDays(1)
$TomorrowYMD = Get-Date $Temp -Format "yyyy-MM-dd"
(...)
# Retrieve just the alerts that are in a certain time frame
[uri]$uriGraphEndpoint = "https://graph.microsoft.com/v1.0/security/alerts?`$filter=createdDateTime%20gt%20" + $YesterdayYMD + "T00:00:00.000Z%20and%20createdDateTime%20lt%20" + $TomorrowYMD + "T00:00:00.000Z"
Paging is used in the script, but there was just one page with data available (213 items).
In the stored data there are creation dates (createdDateTime) like:
During execution the URL looks like: https://graph.microsoft.com/v1.0/security/alerts?$filter=createdDateTime gt 2019-07-29T00:00:00.000Z and createdDateTime lt 2019-07-31T00:00:00.000Z
So I still need to create a subset of the data:
$subset = $response.value | Where-Object {($_.createdDateTime -like "*$TodayYMD*") -or ($_.createdDateTime -like "*$YesterdayYMD*")} | Sort-Object createdDateTime
Any suggestions?
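Added example, not code from either poster in this thread and not one of Microsoft's sample queries: it puts the two pieces discussed above (the $top / date-range $filter from the reply, and the PowerShell date-window script from the follow-up) into three small functions, then checks client-side that each returned createdDateTime really lies inside the requested window. Assumptions: the window boundaries are converted to UTC before the Z suffix is appended (the thread's script appends Z to a local calendar date); the filter uses `ge` for the start so the window is half-open [Start, End), where the thread uses `gt`; the HTTP call is injected as a `$Request` scriptblock so the block runs offline against two constructed sample pages, and `$token` in the comment is a placeholder for a bearer token obtained elsewhere.

```powershell
# Added example (not from this thread): build a UTC-bounded $filter for
# /security/alerts, follow @odata.nextLink paging, and verify client-side that
# every returned createdDateTime falls inside the requested window.

function New-AlertFilterUri {
    param(
        [Parameter(Mandatory)][datetime]$Start,  # window start, inclusive
        [Parameter(Mandatory)][datetime]$End,    # window end, exclusive
        [int]$Top = 0                            # optional $top page size
    )
    # createdDateTime is a UTC instant, so convert both boundaries to UTC before
    # adding the Z suffix; a local calendar date + "Z" shifts the window by the offset.
    $fmt = 'yyyy-MM-ddTHH:mm:ss.fffZ'
    $inv = [cultureinfo]::InvariantCulture       # keep ':' as the time separator
    $s = $Start.ToUniversalTime().ToString($fmt, $inv)
    $e = $End.ToUniversalTime().ToString($fmt, $inv)
    $filter = "createdDateTime ge $s and createdDateTime lt $e"
    $query  = '$filter=' + [uri]::EscapeDataString($filter)
    if ($Top -gt 0) { $query += '&$top=' + $Top }
    return "https://graph.microsoft.com/v1.0/security/alerts?$query"
}

function Get-AlertPages {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][scriptblock]$Request  # URI -> parsed JSON page
    )
    $items = @()
    $next  = $Uri
    while ($next) {
        $page = & $Request $next
        if ($page.value) { $items += @($page.value) }
        $next = $page.'@odata.nextLink'           # $null on the last page
    }
    return ,$items
}

function Test-AlertWindow {
    param(
        [Parameter(Mandatory)][object[]]$Alerts,
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End
    )
    $s = $Start.ToUniversalTime()
    $e = $End.ToUniversalTime()
    foreach ($a in $Alerts) {
        # Parse the timestamp as an instant, independent of the session's local zone
        $created = [datetimeoffset]::Parse($a.createdDateTime, [cultureinfo]::InvariantCulture).UtcDateTime
        [pscustomobject]@{
            id              = $a.id
            createdDateTime = $a.createdDateTime
            inWindow        = ($created -ge $s -and $created -lt $e)
        }
    }
}

# --- usage against constructed sample data (not real alerts) -----------------
$start = [datetime]::SpecifyKind([datetime]'2019-07-29', 'Utc')
$end   = [datetime]::SpecifyKind([datetime]'2019-07-31', 'Utc')
$uri   = New-AlertFilterUri -Start $start -End $end -Top 100

# Two fake response pages keyed by URI; the nextLink value is a placeholder.
$page2Uri = 'https://graph.microsoft.com/v1.0/security/alerts?$skiptoken=sample-page-2'
$pages = @{}
$pages[$uri] = @{
    value = @(
        @{ id = 'alert-a'; createdDateTime = '2019-07-29T23:30:00Z' },
        @{ id = 'alert-b'; createdDateTime = '2019-07-30T08:15:00Z' }
    )
    '@odata.nextLink' = $page2Uri
}
$pages[$page2Uri] = @{
    value = @( @{ id = 'alert-c'; createdDateTime = '2019-07-31T00:00:00Z' } )
}
$mockRequest = { param($u) $pages[$u] }

# Against the live API the scriptblock would be (with $token = bearer token, placeholder):
# $request = { param($u) Invoke-RestMethod -Uri $u -Headers @{ Authorization = "Bearer $token" } }

$alerts = Get-AlertPages -Uri $uri -Request $mockRequest
Test-AlertWindow -Alerts $alerts -Start $start -End $end | Format-Table -AutoSize
```

Because the request is a scriptblock, the same paging and window check run unchanged against Graph once `$mockRequest` is swapped for the Invoke-RestMethod version. Comparing parsed UTC instants instead of doing a `-like "*yyyy-MM-dd*"` string match on createdDateTime avoids the day-boundary mismatch between a local date and a Z-suffixed timestamp, and the half-open `ge` / `lt` window makes consecutive daily runs non-overlapping.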
Jul 30 2019 11:39 AM
I would double check the API request that is made to Microsoft Graph to make sure it matches your query in Graph Explorer. Using the $filter query parameter should return the subset of alerts between your time range. If you continue to run into this issue, please send me a direct message with the request id and your Azure tenant id.
Aug 01 2019 03:48 AM
@Edward Koval I did some checks and got the same result in the Graph Explorer. I did send you a personal message.