Azure Security Center List Alerts - empty results response that includes nextLink

Matthew Kracht 21 Reputation points
2020-10-05T17:52:13.85+00:00

Hello,

I'm making a call to list ASC alerts for a specific time range using the following REST API: https://learn.microsoft.com/en-us/rest/api/securitycenter/alerts/list

In the response I'm getting back a 'nextLink' attribute even though I'm not getting any results back which would be found in the 'value' attribute according to the following resource: https://learn.microsoft.com/en-us/rest/api/azure/

My initial call is GET https://management.azure.com/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/providers/microsoft.security/alerts?%24filter=Properties%2FReportedTimeUtc+ge+2020-10-05T17%3A39%3A21.752688Z+and+Properties%2FReportedTimeUtc+lt+2020-10-05T17%3A44%3A21.752688Z&api-version=2019-01-01

The 'value' attribute in the response is an empty list and the 'nextLink' value provides the URL for the next page of results:
GET https://management.azure.com/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/providers/microsoft.security/alerts?%24filter=Properties%2fReportedTimeUtc+ge+2020-10-05T17%3a35%3a52.127826Z+and+Properties%2fReportedTimeUtc+lt+2020-10-05T17%3a40%3a52.127826Z&api-version=2019-01-01&%24skiptoken=fY9di6MwFIb%2fi9C5KdYYv8ZCWWZK7XZodbCJWu%2fUpG2q0dSk049h%2fvu4sBe7LCwczsXh5TnP%2b6m19KbWrK2lNv3U5osQxS9rvNWm2lEpIaeGwYu2OFBOWzUpHpeeTqqOT23bMuSllFXPhGJdKw23IrbnUE%2f3bB%2fqdvns6j50TX1PAPCoX1HqWobouw9GaC8Nzqq%2bk91eTSStLj1Td6NoaK%2fkjxG096xRtJ%2b9950YTozKEdzHVHS9ogQxTrGqxgc6hgAC3QQ6cJDpjazCcoblwIkJvWfo5uOiJeP%2fMhr1D8MGfzGeCsH0j0F46DiDwPR1YA7zNEjKmgnU1bSd0ftblGdHgJfBnSwbUKT%2bZQsTZ3Xq2Ga7ANE8iErs9KiOT5tE4J0VR7RZmCitr5ugOeePt02yVA7iIiCBUDgjYbyMJTJJVAYCp1nH1vPfP7hv%2fcG2QhaERZPYCMSvBDhnnDUR5dJEZtyH2MfFI3lPTodHWscBrR2cZCTCjxeAUjOkixvGXOUFVyBNfrk1zuYnyTeNOKepOeT9bMuPg3utVuzKEE9sEsTHHb81iAcq367csk1kOb%2byZOiewwSgpX%2faZbEooc2i06uvfX19Aw%3d%3d

I've gotten back a response like the above with no results and a nextLink value as many as 80 times in a row before the response no longer contains a nextLink attribute.

If I widen the time window I can get an initial response that contains results along with a nextLink value. Eventually the paginated responses will return empty results but continue to return nextLink values tens more times.

According to the documentation I should "continue sending requests to the nextLink URL until it no longer contains a URL in the returned results" but based on the behavior I'm seeing I should ignore nextLink if I don't get any results.

Is that a correct assumption? Am I missing something valuable if I don't continue to make 80 nextLink requests that return 0 results?

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
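
The paging rule quoted from the documentation in the question, written out as an added example (not code from the original post or from Microsoft): a collector that keeps following `nextLink` through empty `value` pages, with guards against a repeating link or a runaway listing. `collect_alerts`, `fetch`, `stop_on_empty`, `max_pages` and the sample pages are hypothetical names and constructed data; the alert placed after the empty pages is an assumption, not behaviour the thread establishes.

```python
from typing import Callable, Dict, List, Tuple

# Constructed pages keyed by placeholder URLs (not real API output). Empty
# 'value' lists still carry 'nextLink', as in the question. The alert after the
# empty pages is an assumption, added to show what stopping early could miss.
SAMPLE_PAGES: Dict[str, dict] = {
    "p0": {"value": [{"name": "alert-a"}], "nextLink": "p1"},
    "p1": {"value": [], "nextLink": "p2"},
    "p2": {"value": [], "nextLink": "p3"},
    "p3": {"value": [{"name": "alert-b"}], "nextLink": "p4"},
    "p4": {"value": []},  # no nextLink: the listing is complete
}


def collect_alerts(first_url: str, fetch: Callable[[str], dict],
                   stop_on_empty: bool = False,
                   max_pages: int = 500) -> Tuple[List[dict], int, int]:
    """Return (alerts, pages_fetched, empty_pages).

    fetch is a hypothetical callable that performs the authenticated GET and
    returns the parsed JSON body. By default the loop follows the documented
    rule: request nextLink until a response omits it, empty page or not.
    """
    alerts: List[dict] = []
    seen = set()
    empty = 0
    url = first_url
    while url:
        if url in seen:  # a repeated link would loop forever
            raise RuntimeError(f"nextLink repeated: {url}")
        if len(seen) >= max_pages:  # bound the work per collection run
            raise RuntimeError("page cap reached before nextLink ended")
        seen.add(url)
        page = fetch(url)
        items = page.get("value") or []
        if not items:
            empty += 1
            if stop_on_empty:  # the shortcut the question asks about
                break
        alerts.extend(items)
        url = page.get("nextLink")
    return alerts, len(seen), empty


if __name__ == "__main__":
    for shortcut in (False, True):
        found, pages, empty = collect_alerts("p0", SAMPLE_PAGES.__getitem__, shortcut)
        print(shortcut, [a["name"] for a in found], pages, empty)
```

Logging the returned empty-page count per run gives a record of how often the service hands back empty pages, which is the evidence needed before adopting any shortcut.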

1 answer

  1. Matthew Kracht 21 Reputation points
    2020-10-06T15:55:54.573+00:00

    Is there a secure way to provide you all logs? The only part I've sanitized from the request above is the subscription ID but I'm assuming this is a public forum so I'm hesitant to post explicit requests.