Azure REST API - $filter param for time delta throws ProviderError

Hello All,

We are facing issues with the Azure API endpoint for fetching security alerts based on given time filter.

Azure API Documentation Link and screenshot for the API section,

[screenshot attachment: azure api doc.png]

We encountered the following error while hitting the endpoint with the required params and Bearer access token.

Error Details:

{
    "error": {
        "code": "ProviderError",
        "message": "Resource provider 'Microsoft.Security' failed to return collection response for type 'alerts'."
    }
}

Endpoint URL:

https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{ResourceGroup}/provider... eq '2019-07-06T08:00:51.8801218Z'

NOTE:

The URL gives a response without specifying the time “filter”, but when using filter as one of the params, we get the above-mentioned error.

The param value used: $filter = properties.reportedTimeUtc eq '2019-07-06T08:00:51.8801218Z'

[screenshot attachment: api doc filter param.png]

Could anyone help in the resolution of this issue? Let me know for any additional details/clarifications. Thank You.

3 Replies

We are using the REST API to pull in Azure Security Center Alerts as well. We use the reported time as a checkpoint, but the API throws an error pulling the $filter parameter, therefore it pulls in all alerts every time.

This is costing us real money as it consumes our SIEM license, and creates redundant non-usable data on disk.

Just wanted to say me too. :)

@Annish_Prashanth

I received an update from our dev that you will need to use the correct API version using the following supported query. Please review below and let us know if you have additional questions or concerns.

Update from dev:

This is how you write the query, this is supported:

https://management.azure.com/subscriptions/{Sub ID}/providers/Microsoft.Security/alerts/?api-version=2019-01-01&$filter=Properties/ReportedTimeUtc gt 2019-10-22T01:40:02.4275428Z

1) Properties/ReportedTimeUtc is case sensitive

2) Notice the use of a ‘/’ instead of ‘.’

@Annish_Prashanth 

1. You need to use '/' instead of '.'

2. It seems the $filter in the alert response needs uppercase letters.

https://management.azure.com/subscriptions/******/providers/Microsoft.Security/alerts?api-version=20...$filter=Properties/AlertName eq 'Network_TrafficFromUnrecommendedIP' 

this works, but if you change to

https://management.azure.com/subscriptions/******/providers/Microsoft.Security/alerts?api-version=20...$filter=properties/alertName eq 'Network_TrafficFromUnrecommendedIP'

will fail, even though the response JSON array is lower case here. Hope this will help you.

            "properties": {
                "vendorName": "Microsoft",
                "alertDisplayName": "Traffic detected from IP addresses recommended for blocking",
                "alertName": "Network_TrafficFromUnrecommendedIP",
                "detectedTimeUtc": "2020-04-01T08:00:00Z",
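As an added example (not code from this thread or from Microsoft), a small Python helper that builds the alerts URL with the $filter form the replies report as working, advances a reported-time checkpoint so each poll fetches only new alerts (the pattern the first reply describes), and flags the two pitfalls named above. It generalizes the casing rule from both replies' examples to every path segment, and assumes the response carries the reported time under `properties.reportedTimeUtc`, which the fragment above does not show.

```python
import re
from urllib.parse import quote

# Added example (not code from the thread): build the Microsoft.Security alerts URL
# with the $filter form the replies report as working, keep a reported-time checkpoint
# so each poll pulls only new alerts, and flag the pitfalls the replies name.
BASE = "https://management.azure.com"
API_VERSION = "2019-01-01"                     # api-version in the dev's supported query
PROPERTY_PATH = "Properties/ReportedTimeUtc"    # case sensitive, '/' not '.'

def normalize_utc(ts: str) -> str:
    """Pad an ISO-8601 'Z' timestamp to a 7-digit fraction (Azure emits up to 7, e.g.
    02.4275428Z) so checkpoints compare chronologically as strings with no precision loss."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,7}))?Z", ts)
    if not m:
        raise ValueError(f"unexpected timestamp format: {ts}")
    return f"{m.group(1)}.{(m.group(2) or '').ljust(7, '0')}Z"

def build_alerts_url(subscription_id: str, checkpoint_utc: str) -> str:
    """Subscription-level alert list, filtered to alerts reported after the checkpoint."""
    filt = f"{PROPERTY_PATH} gt {normalize_utc(checkpoint_utc)}"
    return (f"{BASE}/subscriptions/{subscription_id}/providers/Microsoft.Security/alerts"
            f"?api-version={API_VERSION}&$filter={quote(filt, safe='/:')}")

def lint_filter(filter_expr: str) -> list:
    """Return the problems the replies identify in a hand-written $filter expression."""
    problems = []
    path = filter_expr.split(" ", 1)[0]
    if "." in path:
        problems.append("use '/' between Properties and the field name, not '.'")
    if any(seg[:1].islower() for seg in path.replace(".", "/").split("/")):
        problems.append("path segments are case sensitive and start uppercase, "
                        "e.g. Properties/ReportedTimeUtc")
    return problems

def next_checkpoint(page: dict, current: str) -> str:
    """Advance the checkpoint to the latest reportedTimeUtc in a response page. The
    response body uses camelCase keys even though the filter needs 'Properties/...'."""
    latest = normalize_utc(current)
    for alert in page.get("value", []):
        latest = max(latest, normalize_utc(alert["properties"]["reportedTimeUtc"]))
    return latest

# Constructed sample page shaped like the thread's response fragment (not real data).
SAMPLE_PAGE = {"value": [
    {"properties": {"alertName": "Network_TrafficFromUnrecommendedIP",
                    "reportedTimeUtc": "2020-04-01T08:00:00Z"}},
    {"properties": {"alertName": "Network_TrafficFromUnrecommendedIP",
                    "reportedTimeUtc": "2020-04-01T08:05:10.4275428Z"}},
]}
```

Because the checkpoint is compared with `gt` after padding to the full 7-digit fraction, the last alert of the previous poll is not fetched again on the next one.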