Azure Sentinel Incidents List - REST API - Sometimes return incorrectly sorted records.

Harshey 1 Reputation point

While using REST API endpoint mentioned on URL
soemtimes we receive incorrectly ordered data.
We have used following CURL command in postman app:

// Step 1 to get access token:
curl --location --request POST '' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=CLIENT_ID' \
--data-urlencode 'client_secret= CLIENT_SECRET ' \
--data-urlencode 'resource='

//Step 2 CURL to retrieve list of incidents using access token in above command.
curl --location --request GET '<SUBSCRIPTION_ID>/resourceGroups/soar-dev/providers/Microsoft.OperationalInsights/workspaces/soar-dev-workspace/providers/Microsoft.SecurityInsights/incidents?api-version=2020-01-01&$filter=properties/lastModifiedTimeUtc%20ge%202021-05-31T00:00:00.123Z%20and%20properties/status%20ne%20%27Closed%27&$orderby=properties/lastModifiedTimeUtc%20asc&$top=40' \
--header 'Authorization: Bearer <ACCESS_TOKEN>'

// The above CURL requests incidents where the lastModifiedTimeUTC is greater than provided timestamp in ASCENDING manner.
I have attached the sample response showing incorrectly sorted records. (Please check attachment section filename = incorrect-sort-order-sentinel.txt)


See the LINE numbers:
1178 ("lastModifiedTimeUtc": "2021-06-02T16:24:44.8218463Z",)
1217 ( "lastModifiedTimeUtc": "2021-06-02T16:24:45.4702162Z",)
1256 ("lastModifiedTimeUtc": "2021-06-02T16:24:44.4977539Z",)

As you can see line 1217 has timestamp which is greater than the one in line #1256

This looks like a bug on Azure Sentinel REST API (List Incidents in this case)

Looking forward for the answer.
Also can anyone please tell me where I can file a bug officially with MS/Azure ?110296-incorrect-sort-order-sentinel.txt

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,004 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Harshey 1 Reputation point

    @VipulSparsh-MSFT where can I create a support case for the same issue ?
    Please revert.
    Looking forward for your reply.

  2. Harshey 1 Reputation point

    Looks like I need to ask my subscription manager to create the support request for this technical issue.
    Meanwhile is it possible for you to create the same ? (as you have already seen the issue in above description)
    Please let me know.

    0 comments No comments