I am trying to make a $filter query using the List Incidents API (https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list).
I want to query for 'incidents updated since some timestamp'.
To achieve this, I'm trying to combine two conditions:
Incidents with last modified time after my target date, e.g.
properties/lastModifiedTimeUtc gt 2021-01-11T00:00:00Z
Incidents where created time is not the same as last modified time. (This is intended to exclude newly created Incidents from the results. I suspect this is NOT the right condition to achieve what I want; but that's another question.)
properties/lastModifiedTimeUtc ne properties/createdTimeUtc
Those two queries both appear to work correctly on their own.
But when combined (with or without brackets), like this
(properties/lastModifiedTimeUtc ne properties/createdTimeUtc) and (properties/lastModifiedTimeUtc gt 2021-01-11T00:00:00Z)
the query does not return the expected results.
Specifically, it selects incidents where createdTime == lastModifiedTime.
With curl, the full request looks like
curl 'https://management.azure.com/subscriptions/xyz/resourceGroups/xyz/providers/Microsoft.OperationalInsights/workspaces/xyz/providers/Microsoft.SecurityInsights/incidents?api-version=2020-01-01&$filter=(properties/lastModifiedTimeUtc%20ne%20properties/createdTimeUtc)%20and%20(properties/lastModifiedTimeUtc%20gt%202021-01-11T00:00:00Z)&$top=5'
In the response, for example
"lastModifiedTimeUtc": "2021-02-24T16:11:09.2251843Z",
"createdTimeUtc": "2021-02-24T16:11:09.2251843Z",
Notice the timestamps are the same, whereas the filter expression asked for them to be ne.
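Added example (not from the post or from Microsoft): it assembles the same combined $filter with library URL encoding instead of hand-typed %20s, and re-applies both conditions locally to the incident properties that come back, so rows with identical createdTimeUtc/lastModifiedTimeUtc (the behaviour described above) are flagged instead of being consumed as "updated". The scope path and the incident records are constructed placeholders; the caller still has to add the bearer token when sending the request.

```python
from datetime import datetime, timezone
from urllib.parse import quote, urlencode

# Constructed sample of the "properties" part of a List Incidents response.
SAMPLE_INCIDENTS = [
    {"name": "inc-1", "properties": {                      # untouched since creation
        "createdTimeUtc": "2021-02-24T16:11:09.2251843Z",
        "lastModifiedTimeUtc": "2021-02-24T16:11:09.2251843Z"}},
    {"name": "inc-2", "properties": {                      # genuinely updated
        "createdTimeUtc": "2021-02-20T08:00:00.0000000Z",
        "lastModifiedTimeUtc": "2021-02-25T09:30:00.1234567Z"}},
    {"name": "inc-3", "properties": {                      # updated, but before cut-off
        "createdTimeUtc": "2020-12-01T00:00:00.0000000Z",
        "lastModifiedTimeUtc": "2020-12-02T00:00:00.0000000Z"}},
]

def parse_utc(ts: str) -> datetime:
    """Parse an ARM timestamp such as 2021-02-24T16:11:09.2251843Z.
    The service emits 7 fractional digits but strptime's %f accepts at most 6,
    so the fraction is truncated; use this for ordering, not for equality."""
    base, _, rest = ts.rstrip("Z").partition(".")
    frac = (rest + "000000")[:6]
    return datetime.strptime(f"{base}.{frac}", "%Y-%m-%dT%H:%M:%S.%f") \
                   .replace(tzinfo=timezone.utc)

def build_url(scope: str, since: str, top: int = 5) -> str:
    """Build the List Incidents URL with the combined filter from the question.
    scope is the workspace resource path (constructed placeholder in the test).
    Spaces become %20 and '/', ':', '$', '(' and ')' are left as-is."""
    flt = ("(properties/lastModifiedTimeUtc ne properties/createdTimeUtc) and "
           f"(properties/lastModifiedTimeUtc gt {since})")
    query = urlencode({"api-version": "2020-01-01", "$filter": flt, "$top": top},
                      safe="/:$()", quote_via=quote)
    return f"https://management.azure.com{scope}/providers/Microsoft.SecurityInsights/incidents?{query}"

def updated_since(incidents, since: str):
    """Apply both conditions client-side and return the matching incident names.
    The 'ne' check compares the raw strings (same format, full precision)."""
    cutoff = parse_utc(since)
    return [i["name"] for i in incidents
            if parse_utc(i["properties"]["lastModifiedTimeUtc"]) > cutoff
            and i["properties"]["lastModifiedTimeUtc"] != i["properties"]["createdTimeUtc"]]

def unexpected_rows(incidents):
    """Names of returned rows that violate the 'ne' clause (identical timestamps)."""
    return [i["name"] for i in incidents
            if i["properties"]["lastModifiedTimeUtc"] == i["properties"]["createdTimeUtc"]]
```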