This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 95%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
While using REST API endpoint mentioned on URL https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list
soemtimes we receive incorrectly ordered data.
e.g.
We have used following CURL command in postman app:
// Step 1 to get access token:
curl --location --request POST 'https://login.microsoftonline.com/TENANT_ID/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=CLIENT_ID' \
--data-urlencode 'client_secret= CLIENT_SECRET ' \
--data-urlencode 'resource=https://management.azure.com/'
//Step 2 CURL to retrieve list of incidents using access token in above command.
curl --location --request GET 'https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/soar-dev/providers/Microsoft.OperationalInsights/workspaces/soar-dev-workspace/providers/Microsoft.SecurityInsights/incidents?api-version=2020-01-01&$filter=properties/lastModifiedTimeUtc%20ge%202021-05-31T00:00:00.123Z%20and%20properties/status%20ne%20%27Closed%27&$orderby=properties/lastModifiedTimeUtc%20asc&$top=40' \
--header 'Authorization: Bearer <ACCESS_TOKEN>'
// The above CURL requests incidents where the lastModifiedTimeUTC is greater than provided timestamp in ASCENDING manner.
--
I have attached the sample response showing incorrectly sorted records. (Please check attachment section filename = incorrect-sort-order-sentinel.txt)
Proof/Evidence:
See the LINE numbers:
1178 ("lastModifiedTimeUtc": "2021-06-02T16:24:44.8218463Z",)
1217 ( "lastModifiedTimeUtc": "2021-06-02T16:24:45.4702162Z",)
1256 ("lastModifiedTimeUtc": "2021-06-02T16:24:44.4977539Z",)
As you can see line 1217 has timestamp which is greater than the one in line #1256
This looks like a bug on Azure Sentinel REST API (List Incidents in this case)
Looking forward for the answer.
Also can anyone please tell me where I can file a bug officially with MS/Azure ?110296-incorrect-sort-order-sentinel.txt
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 0%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVM%3C/text%3E%3C/svg%3E)
@Harshey Thanks for reaching out. Checking on this, will update soon.
@Harshey Can you get a support case open for this ? We can investigate it there. Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 41%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
@VipulSparsh-MSFT where can I create a support case for the same issue ?
Please revert.
Looking forward for your reply.
Looks like I need to ask my subscription manager to create the support request for this technical issue.
Meanwhile is it possible for you to create the same ? (as you have already seen the issue in above description)
Please let me know.
