Jul 10 2019 10:22 AM
Hello All,
We are facing issues with the Azure API endpoint for fetching security alerts based on given time filter.
Azure API documentation link and screenshot for the API section:
We encountered the following error while hitting the endpoint with the required params and Bearer access token.
Error Details:
{
"error": {
"code": "ProviderError",
"message": "Resource provider 'Microsoft.Security' failed to return collection response for type 'alerts'."
}
}
Endpoint URL:
https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{ResourceGroup}/provider... eq '2019-07-06T08:00:51.8801218Z'
NOTE:
The URL returns a response without the time "filter" specified, but when we use the filter as one of the params, we get the above-mentioned error.
The param value used: $filter = properties.reportedTimeUtc eq '2019-07-06T08:00:51.8801218Z'
Could anyone help in the resolution of this issue? Let me know for any additional details/clarifications. Thank You.
Oct 10 2019 04:46 AM - edited Oct 10 2019 04:49 AM
We are using the REST API to pull in Azure Security Center Alerts as well. We use the reported time as a checkpoint, but the API throws an error when passing the $filter parameter, therefore it pulls in all alerts every time.
This is costing us real money as it consumes our SIEM license, and creates redundant, non-usable data on disk.
Just wanted to say me too. 🙂
Oct 28 2019 12:32 PM
I received an update from our dev that you will need to use the correct API version using the following supported query. Please review below and let us know if you have additional questions or concerns.
Update from dev:
This is how you write the query; this is supported:
https://management.azure.com/subscriptions/{Sub ID}/providers/Microsoft.Security/alerts/?api-version=2019-01-01&$filter=Properties/ReportedTimeUtc gt 2019-10-22T01:40:02.4275428Z
1) Properties/ReportedTimeUtc is case sensitive
2) Notice the use of a ‘/’ instead of ‘.’
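A worked illustration of the supported query above, as added example code rather than anything from this thread or from Microsoft: it builds the subscription-scoped alerts URL with the exact `Properties/ReportedTimeUtc` path (casing and '/' preserved, the original `properties.reportedTimeUtc` form rejected), follows `nextLink` paging, and advances the checkpoint so each run ingests only the delta. It assumes each alert's JSON carries a lowercase `reportedTimeUtc` under `properties` and that paged responses use `nextLink`; both are assumptions, not confirmed by the thread.

```python
"""Checkpointed pull of Azure Security Center alerts over the ARM REST API.
Added example (not Microsoft's code). Assumes alerts expose
properties.reportedTimeUtc in the response and pages link via nextLink."""
import json
import re
from typing import Callable, Optional, Tuple
from urllib.parse import urlencode
from urllib.request import Request, urlopen

ARM = "https://management.azure.com"
API_VERSION = "2019-01-01"  # version quoted in the dev update above
# Exact field path the API accepts: PascalCase and '/' as the separator.
# The failing form from the first post, 'properties.reportedTimeUtc', will not match.
FILTER_RE = re.compile(
    r"^Properties/ReportedTimeUtc gt \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def build_filter(checkpoint_utc: str) -> str:
    """OData filter selecting alerts reported after checkpoint_utc."""
    flt = f"Properties/ReportedTimeUtc gt {checkpoint_utc}"
    if not FILTER_RE.match(flt):  # bad timestamp or altered casing
        raise ValueError(f"unsupported $filter: {flt}")
    return flt


def alerts_url(subscription_id: str, checkpoint_utc: str) -> str:
    """Subscription-scoped alerts URL; urlencode escapes '$', '/' and ':'."""
    query = urlencode({"api-version": API_VERSION,
                       "$filter": build_filter(checkpoint_utc)})
    return f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Security/alerts?{query}"


def _ts_key(ts: str) -> Tuple[str, int]:
    """Comparable key for '...02Z' and '...02.4275428Z' alike (7-digit fraction)."""
    base, _, frac = ts.rstrip("Z").partition(".")
    return base, int((frac + "0000000")[:7])


def _arm_get(url: str, token: str) -> dict:
    req = Request(url, headers={"Authorization": f"Bearer {token}"})
    with urlopen(req) as resp:
        return json.load(resp)


def pull_new_alerts(subscription_id: str, token: str, checkpoint_utc: str,
                    http_get: Callable[[str, str], dict] = _arm_get):
    """Follow nextLink pages; return (alerts, advanced checkpoint)."""
    url: Optional[str] = alerts_url(subscription_id, checkpoint_utc)
    alerts, newest = [], checkpoint_utc
    while url:
        page = http_get(url, token)
        for alert in page.get("value", []):
            alerts.append(alert)
            reported = alert.get("properties", {}).get("reportedTimeUtc", "")
            if reported and _ts_key(reported) > _ts_key(newest):
                newest = reported  # persist this for the next run
        url = page.get("nextLink")
    return alerts, newest
```

Persist the returned checkpoint between runs; the next call then fetches only alerts reported after it instead of the full alert set.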
Apr 13 2020 10:47 PM
1. You need to use '/' instead of '.'
2. It seems the $filter on the alert response needs uppercase letters.
https://management.azure.com/subscriptions/******/providers/Microsoft.Security/alerts?api-version=20...$filter=Properties/AlertName eq 'Network_TrafficFromUnrecommendedIP'
This works, but if you change it to
https://management.azure.com/subscriptions/******/providers/Microsoft.Security/alerts?api-version=20...$filter=properties/alertName eq 'Network_TrafficFromUnrecommendedIP'
it will fail, even though the response JSON array uses lowercase letters here. Hope this will help you.
"properties": {
"vendorName": "Microsoft",
"alertDisplayName": "Traffic detected from IP addresses recommended for blocking",
"alertName": "Network_TrafficFromUnrecommendedIP",
"detectedTimeUtc": "2020-04-01T08:00:00Z",