Legacy and v2 List Alerts Endpoints Return Different Results When Using createdDateTime Filter

GA-4357 10 Reputation points
2023-09-13T20:12:06.96+00:00

I am querying the Microsoft Graph security API for alerts created in the last 4 hrs. When I query the legacy API endpoint with:

https://graph.microsoft.com/v1.0/security/alerts?$filter=createdDateTime ge 2023-09-13T16:05:00Z

the expected alerts are returned.

However, when I query the new List alerts_v2 endpoint with:

https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=createdDateTime ge 2023-09-13T16:05:00Z

only a subset of the alerts are returned, with the IPC provider alerts notably being absent.

The List alerts_v2 documentation (https://learn.microsoft.com/en-us/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http) states that createdDateTime is a supported query parameter.

We would like to use the new List alerts_v2 endpoint but cannot do so if it only returns a subset of the alerts. I did not see this issue mentioned under the "Microsoft Graph Known Issues" page (https://developer.microsoft.com/en-us/graph/known-issues/?search=).

Microsoft Graph