Problems with combining logical expressions in Sentinel Incident API $filter

Ewan Chalmers 6 Reputation points
2021-02-24T16:16:19.337+00:00

I am trying to make a $filter query using the List Incidents API (https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list).

I want to query for 'incidents updated since some timestamp'

To achieve this, I'm trying to combine two conditions

Incidents with last modified time after my target date, e.g.

properties/lastModifiedTimeUtc gt 2021-01-11T00:00:00Z    

Incidents where created time is not the same as last modified time. (This is intended to exclude newly created Incidents from the results. I suspect this is NOT the right condition to achieve what I want; but that's another question.)

properties/lastModifiedTimeUtc ne properties/createdTimeUtc    

Those two queries both appear to work correctly on their own.

But when combined (with or without brackets), like this

(properties/lastModifiedTimeUtc ne properties/createdTimeUtc) and (properties/lastModifiedTimeUtc gt 2021-01-11T00:00:00Z)    

the query does not return expected results.

Specifically, it selects incidents where createdTime == lastModifiedTime

With curl, the full request looks like

curl 'https://management.azure.com/subscriptions/xyz/resourceGroups/xyz/providers/Microsoft.OperationalInsights/workspaces/xyz/providers/Microsoft.SecurityInsights/incidents?api-version=2020-01-01&$filter=(properties/lastModifiedTimeUtc%20ne%20properties/createdTimeUtc)%20and%20(properties/lastModifiedTimeUtc%20gt%202021-01-11T00:00:00Z)&$top=5'    

In the response, for example

        "lastModifiedTimeUtc": "2021-02-24T16:11:09.2251843Z",    
        "createdTimeUtc": "2021-02-24T16:11:09.2251843Z",    

Notice the timestamps are the same. Whereas the filter expression asked for them to be ne.

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,026 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Ewan Chalmers 6 Reputation points
    2021-03-05T11:11:35.45+00:00

    For info, we have found that

    We can successfully use the lt operator to compare createdTimeUtc and lastModifiedTimeUtc (whereas ne operator does not work correctly)

    We can make a 3 clause filter like this one, returning expected results. The filter expression can return error if clauses are not combined in an acceptable order (undefined in docs):

    properties/incidentNumber le 30141 and properties/lastModifiedTimeUtc gt 2021-01-01T00:00:00Z and properties/createdTimeUtc lt  properties/lastModifiedTimeUtc
    
    1 person found this answer helpful.