Legacy and v2 List Alerts Endpoints Return Different Results When Using createdDateTime Filter

GA-4357
2023-09-13T20:12:06.96+00:00

I am querying the Microsoft Graph security API for alerts created in the last 4 hrs. When I query the legacy API endpoint with:

https://graph.microsoft.com/v1.0/security/alerts?$filter=createdDateTime ge 2023-09-13T16:05:00Z

the expected alerts are returned.

However, when I query the new List alerts_v2 endpoint with:

https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=createdDateTime ge 2023-09-13T16:05:00Z

only a subset of the alerts are returned, with the IPC provider alerts notably being absent.

The List alerts_v2 documentation (https://learn.microsoft.com/en-us/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http) states that createdDateTime is a supported query parameter.

We would like to use the new List alerts_v2 endpoint but cannot do so if it only returns a subset of the alerts. I did not see this issue mentioned under the "Microsoft Graph Known Issues" page (https://developer.microsoft.com/en-us/graph/known-issues/?search=).

Microsoft Graph Security API
A Microsoft API that provides a unified interface to connect security solutions from multiple Microsoft and third-party providers.
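
An added example, not part of the original post and not Microsoft's code: a Python helper that sends the same createdDateTime filter to both endpoints, follows @odata.nextLink paging, and tallies alerts per provider so the two result sets can be compared side by side. The get_json callable (an authenticated HTTP GET that returns parsed JSON) and the sample responses are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0/security"

def build_url(endpoint, since_utc):
    """Return the list URL for `alerts` or `alerts_v2` with the $filter value URL-encoded."""
    return f"{GRAPH}/{endpoint}?$filter=" + quote(f"createdDateTime ge {since_utc}")

def fetch_all(url, get_json):
    """Collect every page by following @odata.nextLink.
    get_json(url) -> dict is supplied by the caller (hypothetical helper)."""
    alerts = []
    while url:
        page = get_json(url)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return alerts

def provider_of(alert):
    """Legacy alerts carry vendorInformation.provider; alerts_v2 carries serviceSource."""
    vendor = alert.get("vendorInformation") or {}
    return vendor.get("provider") or alert.get("serviceSource") or "unknown"

def counts_by_provider(endpoint, since_utc, get_json):
    """Tally all alerts returned by one endpoint, grouped by provider."""
    alerts = fetch_all(build_url(endpoint, since_utc), get_json)
    return Counter(provider_of(a) for a in alerts)

# Constructed sample responses (not real tenant data), keyed by request URL.
SINCE = "2023-09-13T16:05:00Z"
LEGACY_URL = build_url("alerts", SINCE)
V2_URL = build_url("alerts_v2", SINCE)
SAMPLE_PAGES = {
    LEGACY_URL: {"value": [{"id": "a1", "vendorInformation": {"provider": "IPC"}}],
                 "@odata.nextLink": LEGACY_URL + "&$skiptoken=constructed"},
    LEGACY_URL + "&$skiptoken=constructed": {"value": [
        {"id": "a2", "vendorInformation": {"provider": "IPC"}},
        {"id": "a3", "vendorInformation": {"provider": "MCAS"}}]},
    V2_URL: {"value": [{"id": "b1", "serviceSource": "microsoftDefenderForCloudApps"}]},
}

if __name__ == "__main__":
    for endpoint in ("alerts", "alerts_v2"):
        print(endpoint, dict(counts_by_provider(endpoint, SINCE, SAMPLE_PAGES.__getitem__)))
```

Against a real tenant, replace `SAMPLE_PAGES.__getitem__` with a function that performs the GET with a bearer token and returns the decoded JSON body.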