
Issue with createdDateTime Timestamps of security/events

Fenris Technologies 0 Reputation points
2024-12-04T17:07:41.5+00:00

Hi there,

I use MS_Graph API services to retrieve security/alerts events and integrate them into my SIEM.

However, I sometimes have problems with the timestamps displayed in the createdDateTime.

For example, I received an alert with "createdDateTime": "2024-12-02T10:30:00Z", but my script, which runs every 5 minutes to retrieve events, didn't find it.

So I did a search with a larger time range and no problem.

Digging deeper, I realized that as soon as I set a filter with a timestamp lower than /v1.0/security/alerts?$filter=createdDateTime+ge+2024-12-02T10:16:00Z then I found my alert, but as soon as the filter is greater than or equal to /v1.0/security/alerts?$filter=createdDateTime+ge+2024-12-02T10:17:00Z then I no longer see the alert.

So I tried a less-than-or-equal rather than a greater-than-or-equal, and now I see that if I put a filter /v1.0/security/alerts?$filter=createdDateTime+le+2024-12-02T10:17:59Z I manage to obtain my alert even though I'm technically looking for an alert on a time range of 12 minutes less than the time announced by MS-Graph in the JSON returned by the alert in question.

This is not the first time I've experienced this kind of problem.

I don't understand how this is technically possible, and it's causing me serious problems for the smooth running of my SIEM, which is a service I sell to my customers, with very tight response and handling times.

Have you ever had this kind of problem reported to you, and do you have any suggestions or solutions?

Thank you in advance for your help.

Microsoft Security | Microsoft Graph
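An added example (not from the question author or from Microsoft) of the mitigation a SIEM collector can apply to the behaviour described above: poll with a window that overlaps previous polls instead of starting at the last run, and de-duplicate on the alert id so an alert that only shows up under an earlier `$filter` bound is still forwarded exactly once. The endpoint and timestamp format are taken from the question; `fetch`, `fake_fetch`, the alert id and the 10:16:00Z visibility cutoff are constructed assumptions standing in for the real authenticated GET.

```python
from datetime import datetime, timedelta, timezone

ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"  # endpoint from the question

def graph_ts(dt: datetime) -> str:
    """Format a UTC datetime the way the question's $filter writes it (2024-12-02T10:16:00Z)."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class AlertPoller:
    """Poll with an overlapping window and de-duplicate on alert id, so an alert that
    is only returned under an earlier filter bound is still forwarded exactly once."""

    def __init__(self, lookback: timedelta = timedelta(minutes=30)):
        self.lookback = lookback
        self.seen: dict[str, datetime] = {}  # alert id -> poll time it was last returned

    def filter_url(self, now: datetime) -> str:
        return f"{ALERTS_URL}?$filter=createdDateTime+ge+{graph_ts(now - self.lookback)}"

    def poll(self, now: datetime, fetch) -> list[dict]:
        """`fetch(url)` stands in for the authenticated GET and returns the 'value' list."""
        new = []
        for alert in fetch(self.filter_url(now)):
            if alert["id"] not in self.seen:
                new.append(alert)
            self.seen[alert["id"]] = now  # refresh so an id is forgotten only once it stops appearing
        cutoff = now - self.lookback
        self.seen = {k: v for k, v in self.seen.items() if v >= cutoff}
        return new

# Constructed sample reproducing the question: createdDateTime says 10:30, but the
# service only returns the alert when the filter bound is at or before 10:16:00Z.
SAMPLE_ALERT = {"id": "alert-0001", "createdDateTime": "2024-12-02T10:30:00Z"}
VISIBLE_FROM = parse_ts("2024-12-02T10:16:00Z")

def fake_fetch(url: str) -> list[dict]:
    bound = parse_ts(url.split("createdDateTime+ge+")[1])
    return [SAMPLE_ALERT] if bound <= VISIBLE_FROM else []

def demo() -> tuple[int, int, int]:
    """A 5-minute window at 10:35 misses the alert; a 30-minute overlap catches it once."""
    t = parse_ts("2024-12-02T10:35:00Z")
    naive, robust = AlertPoller(timedelta(minutes=5)), AlertPoller(timedelta(minutes=30))
    return (len(naive.poll(t, fake_fetch)), len(robust.poll(t, fake_fetch)),
            len(robust.poll(t + timedelta(minutes=5), fake_fetch)))
```

The lookback should be sized to the worst ingestion lag you observe (the question's case needs at least 14 minutes); the seen-id map keeps the overlap from producing duplicate incidents in the SIEM.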

1 answer

  1. Kelley, Hugh 1 Reputation point
    2026-03-14T15:34:39.4633333+00:00

    I'm not sure if I've seen this exact issue before, but I have had a few alerts that seemed to fall into the black hole you are describing. One of the things that I've always found a little mysterious is the pipeline from the various feeder Microsoft systems that ultimately land in the XDR/Security Alerts API. I've always wondered if the created date is the time it was created in the source system, e.g. Defender, or the time it was created in the Graph API list. I've also wondered if there is a separate timestamp used for that filter. All idle speculation. Potentially related discussion here:

    https://learn.microsoft.com/en-us/answers/questions/1192952/graph-api-event-availability-latency

