I am trying to make a $filter query using the List Incidents API (https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list).
I want to query for 'incidents updated since some timestamp'
To achieve this, I'm trying to combine two conditions
Incidents with last modified time after my target date, e.g.
properties/lastModifiedTimeUtc gt 2021-01-11T00:00:00Z
Incidents where created time is not the same as last modified time. (This is intended to exclude newly created Incidents from the results. I suspect this is NOT the right condition to achieve what I want; but that's another question.)
properties/lastModifiedTimeUtc ne properties/createdTimeUtc
Those two queries both appear to work correctly on their own.
But when combined (with or without brackets), like this
(properties/lastModifiedTimeUtc ne properties/createdTimeUtc) and (properties/lastModifiedTimeUtc gt 2021-01-11T00:00:00Z)
the query does not return expected results.
Specifically, it selects incidents where createdTime == lastModifiedTime
With curl, the full request looks like
curl 'https://management.azure.com/subscriptions/xyz/resourceGroups/xyz/providers/Microsoft.OperationalInsights/workspaces/xyz/providers/Microsoft.SecurityInsights/incidents?api-version=2020-01-01&$filter=(properties/lastModifiedTimeUtc%20ne%20properties/createdTimeUtc)%20and%20(properties/lastModifiedTimeUtc%20gt%202021-01-11T00:00:00Z)&$top=5'
In the response, for example
"lastModifiedTimeUtc": "2021-02-24T16:11:09.2251843Z",
"createdTimeUtc": "2021-02-24T16:11:09.2251843Z",
Notice the timestamps are the same. Whereas the filter expression asked for them to be ne.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 17%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEC%3C/text%3E%3C/svg%3E)
