Is there a secure way to provide you all logs? The only part I've sanitized from the request above is the subscription ID but I'm assuming this is a public forum so I'm hesitant to post explicit requests.
Azure Security Center List Alerts - empty results response that includes nextLink
Hello,
I'm making a call to list ASC alerts for a specific time range using the following REST API: https://learn.microsoft.com/en-us/rest/api/securitycenter/alerts/list
In the response I'm getting back a 'nextLink' attribute even though I'm not getting any results back which would be found in the 'value' attribute according to the following resource: https://learn.microsoft.com/en-us/rest/api/azure/
My initial call is GET https://management.azure.com/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/providers/microsoft.security/alerts?%24filter=Properties%2FReportedTimeUtc+ge+2020-10-05T17%3A39%3A21.752688Z+and+Properties%2FReportedTimeUtc+lt+2020-10-05T17%3A44%3A21.752688Z&api-version=2019-01-01
The 'value' attribute in the response is an empty list and the 'nextLink' value provides the URL for the next page of results:
GET https://management.azure.com/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/providers/microsoft.security/alerts?%24filter=Properties%2fReportedTimeUtc+ge+2020-10-05T17%3a35%3a52.127826Z+and+Properties%2fReportedTimeUtc+lt+2020-10-05T17%3a40%3a52.127826Z&api-version=2019-01-01&%24skiptoken=fY9di6MwFIb%2fi9C5KdYYv8ZCWWZK7XZodbCJWu%2fUpG2q0dSk049h%2fvu4sBe7LCwczsXh5TnP%2b6m19KbWrK2lNv3U5osQxS9rvNWm2lEpIaeGwYu2OFBOWzUpHpeeTqqOT23bMuSllFXPhGJdKw23IrbnUE%2f3bB%2fqdvns6j50TX1PAPCoX1HqWobouw9GaC8Nzqq%2bk91eTSStLj1Td6NoaK%2fkjxG096xRtJ%2b9950YTozKEdzHVHS9ogQxTrGqxgc6hgAC3QQ6cJDpjazCcoblwIkJvWfo5uOiJeP%2fMhr1D8MGfzGeCsH0j0F46DiDwPR1YA7zNEjKmgnU1bSd0ftblGdHgJfBnSwbUKT%2bZQsTZ3Xq2Ga7ANE8iErs9KiOT5tE4J0VR7RZmCitr5ugOeePt02yVA7iIiCBUDgjYbyMJTJJVAYCp1nH1vPfP7hv%2fcG2QhaERZPYCMSvBDhnnDUR5dJEZtyH2MfFI3lPTodHWscBrR2cZCTCjxeAUjOkixvGXOUFVyBNfrk1zuYnyTeNOKepOeT9bMuPg3utVuzKEE9sEsTHHb81iAcq367csk1kOb%2byZOiewwSgpX%2faZbEooc2i06uvfX19Aw%3d%3d
I've gotten back a response like the above with no results and a nextLink value as many as 80 times in a row before the response no longer contains a nextLink attribute.
If I widen the time window, I can get an initial response that contains results along with a nextLink value. Eventually the paginated responses will return empty results but continue to return nextLink values tens more times.
According to the documentation I should "continue sending requests to the nextLink URL until it no longer contains a URL in the returned results" but based on the behavior I'm seeing I should ignore nextLink if I don't get any results.
Is that a correct assumption? Am I missing something valuable if I don't continue to make 80 nextLink requests that return 0 results?
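The loop the quoted documentation describes ("continue sending requests to the nextLink URL until it no longer contains a URL"), as an added example that is not part of the original post. It counts empty pages instead of stopping on them. `fetch` is a hypothetical caller-supplied function that performs the authenticated GET and returns the parsed JSON body; the host check, the page cap and the sample pages are constructed for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_HOST = "management.azure.com"  # host of the requests shown in the post
BASE = ("https://management.azure.com/subscriptions/"
        "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/providers/microsoft.security/"
        "alerts?api-version=2019-01-01")  # placeholder subscription ID


def list_all(first_url, fetch, max_pages=500):
    """Follow nextLink until it is absent; return (items, pages, empty_pages)."""
    items, pages, empty_pages, seen = [], 0, 0, set()
    url = first_url
    while url:
        parts = urlsplit(url)
        # The bearer token goes out with every request, so only follow
        # links that stay on the expected HTTPS host.
        if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
            raise ValueError(f"refusing to follow nextLink to {parts.hostname!r}")
        # Guard against a link that repeats or a chain that never ends.
        if url in seen or pages >= max_pages:
            raise RuntimeError("pagination did not terminate")
        seen.add(url)
        body = fetch(url)
        pages += 1
        page = body.get("value") or []
        if not page:
            empty_pages += 1  # an empty page is recorded, not treated as the end
        items.extend(page)
        url = body.get("nextLink")  # absent on the last page
    return items, pages, empty_pages


def constructed_pages(n_empty=3):
    """Constructed responses: one page of alerts, then empty pages with nextLink."""
    pages = {BASE: {"value": [{"name": "alert-1"}, {"name": "alert-2"}],
                    "nextLink": f"{BASE}&%24skiptoken=t1"}}
    for i in range(1, n_empty + 1):
        pages[f"{BASE}&%24skiptoken=t{i}"] = {
            "value": [], "nextLink": f"{BASE}&%24skiptoken=t{i + 1}"}
    pages[f"{BASE}&%24skiptoken=t{n_empty + 1}"] = {"value": []}  # no nextLink
    return pages


if __name__ == "__main__":
    fake = constructed_pages()
    alerts, n_pages, n_empty = list_all(BASE, fake.__getitem__)
    print(f"{len(alerts)} alerts, {n_pages} pages, {n_empty} empty")
```

Logging the empty-page count per run shows how many of the follow-up requests returned nothing for a given time window.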