Azure Security Center List Alerts - empty results response that includes nextLink

Matthew Kracht 21 Reputation points
2020-10-05T17:52:13.85+00:00

Hello,

I'm making a call to list ASC alerts for a specific time range using the following REST API: https://learn.microsoft.com/en-us/rest/api/securitycenter/alerts/list

In the response I'm getting back a 'nextLink' attribute even though I'm not getting any results back which would be found in the 'value' attribute according to the following resource: https://learn.microsoft.com/en-us/rest/api/azure/

My initial call is GET https://management.azure.com/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/providers/microsoft.security/alerts?%24filter=Properties%2FReportedTimeUtc+ge+2020-10-05T17%3A39%3A21.752688Z+and+Properties%2FReportedTimeUtc+lt+2020-10-05T17%3A44%3A21.752688Z&api-version=2019-01-01

The 'value' attribute in the response is an empty list and the 'nextLink' value provides the URL for the next page of results:
GET https://management.azure.com/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/providers/microsoft.security/alerts?%24filter=Properties%2fReportedTimeUtc+ge+2020-10-05T17%3a35%3a52.127826Z+and+Properties%2fReportedTimeUtc+lt+2020-10-05T17%3a40%3a52.127826Z&api-version=2019-01-01&%24skiptoken=fY9di6MwFIb%2fi9C5KdYYv8ZCWWZK7XZodbCJWu%2fUpG2q0dSk049h%2fvu4sBe7LCwczsXh5TnP%2b6m19KbWrK2lNv3U5osQxS9rvNWm2lEpIaeGwYu2OFBOWzUpHpeeTqqOT23bMuSllFXPhGJdKw23IrbnUE%2f3bB%2fqdvns6j50TX1PAPCoX1HqWobouw9GaC8Nzqq%2bk91eTSStLj1Td6NoaK%2fkjxG096xRtJ%2b9950YTozKEdzHVHS9ogQxTrGqxgc6hgAC3QQ6cJDpjazCcoblwIkJvWfo5uOiJeP%2fMhr1D8MGfzGeCsH0j0F46DiDwPR1YA7zNEjKmgnU1bSd0ftblGdHgJfBnSwbUKT%2bZQsTZ3Xq2Ga7ANE8iErs9KiOT5tE4J0VR7RZmCitr5ugOeePt02yVA7iIiCBUDgjYbyMJTJJVAYCp1nH1vPfP7hv%2fcG2QhaERZPYCMSvBDhnnDUR5dJEZtyH2MfFI3lPTodHWscBrR2cZCTCjxeAUjOkixvGXOUFVyBNfrk1zuYnyTeNOKepOeT9bMuPg3utVuzKEE9sEsTHHb81iAcq367csk1kOb%2byZOiewwSgpX%2faZbEooc2i06uvfX19Aw%3d%3d

I've gotten back a response like the above with no results and a nextLink value as many as 80 times in a row before the response no longer contains a nextLink attribute.

If I widen the time window I can get an initial response that contains results along with a nextLink value. Eventually the paginated responses will return empty results but continue to return nextLink values tens of more times.

According to the documentation I should "continue sending requests to the nextLink URL until it no longer contains a URL in the returned results" but based on the behavior I'm seeing I should ignore nextLink if I don't get any results.

Is that a correct assumption? Am I missing something valuable if I don't continue to make 80 nextLink requests that return 0 results?

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
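
Added example, not part of the original question and not Microsoft's code: a pagination loop that applies the documented rule quoted in the question (keep requesting `nextLink` until it is absent), counts empty pages instead of stopping on them, and refuses to follow a `nextLink` that repeats or leaves the original host. `fetch`, `collect_alerts`, the placeholder host and the sample pages are assumptions constructed for illustration; the pages are not captured service output and say nothing about what the service actually returns.

```python
from urllib.parse import urlsplit

class PaginationError(RuntimeError):
    """Raised when the nextLink chain cannot be followed safely."""

def origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)

def collect_alerts(first_url, fetch, max_pages=1000):
    """Follow nextLink until it is absent; an empty 'value' does not end the walk.

    fetch(url) is a hypothetical caller-supplied function that performs the
    authenticated GET and returns the decoded JSON body as a dict.
    """
    alerts, seen = [], set()
    stats = {"pages": 0, "empty_pages": 0}
    url = first_url
    while url:
        if origin(url) != origin(first_url):
            raise PaginationError("nextLink points at a different host")
        if url in seen:
            raise PaginationError("nextLink repeated; pagination is looping")
        if stats["pages"] >= max_pages:
            raise PaginationError("page budget used up before nextLink ended")
        seen.add(url)
        body = fetch(url)
        page = body.get("value") or []
        stats["pages"] += 1
        if not page:
            stats["empty_pages"] += 1   # counted, but not a stop condition
        alerts.extend(page)
        url = body.get("nextLink")      # missing or empty ends the loop
    return alerts, stats

# Constructed sample pages (placeholder host and tokens, not captured output).
BASE = "https://management.example.invalid/alerts?api-version=placeholder"
PAGES = {
    BASE: {"value": [], "nextLink": BASE + "&$skiptoken=p2"},
    BASE + "&$skiptoken=p2": {"value": [], "nextLink": BASE + "&$skiptoken=p3"},
    BASE + "&$skiptoken=p3": {"value": [{"name": "alert-1"}],
                              "nextLink": BASE + "&$skiptoken=p4"},
    BASE + "&$skiptoken=p4": {"value": []},
}

if __name__ == "__main__":
    found, summary = collect_alerts(BASE, PAGES.__getitem__)
    print(len(found), "alerts;", summary)
```

Logging the returned `empty_pages` count per collection run gives a record of how often the empty-page pattern occurs for a given time window.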

1 answer

  1. Matthew Kracht 21 Reputation points
    2020-10-06T15:55:54.573+00:00

    Is there a secure way to provide you all logs? The only part I've sanitized from the request above is the subscription ID but I'm assuming this is a public forum so I'm hesitant to post explicit requests.

