@VipulSparsh-MSFT where can I create a support case for the same issue?
Please revert.
Looking forward to your reply.
Azure Sentinel Incidents List - REST API - Sometimes return incorrectly sorted records.
While using the REST API endpoint described at https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list
we sometimes receive incorrectly ordered data.
e.g.
We have used the following CURL commands in the Postman app:
# Step 1 to get access token:
curl --location --request POST 'https://login.microsoftonline.com/TENANT_ID/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=CLIENT_ID' \
--data-urlencode 'client_secret=CLIENT_SECRET' \
--data-urlencode 'resource=https://management.azure.com/'
# Step 2 CURL to retrieve list of incidents using the access token from the above command.
curl --location --request GET 'https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/soar-dev/providers/Microsoft.OperationalInsights/workspaces/soar-dev-workspace/providers/Microsoft.SecurityInsights/incidents?api-version=2020-01-01&$filter=properties/lastModifiedTimeUtc%20ge%202021-05-31T00:00:00.123Z%20and%20properties/status%20ne%20%27Closed%27&$orderby=properties/lastModifiedTimeUtc%20asc&$top=40' \
--header 'Authorization: Bearer <ACCESS_TOKEN>'
# The above CURL requests incidents where lastModifiedTimeUtc is greater than the provided timestamp, in ASCENDING order.
--
I have attached the sample response showing incorrectly sorted records. (Please check attachment section filename = incorrect-sort-order-sentinel.txt)
Proof/Evidence:
See the LINE numbers:
1178 ("lastModifiedTimeUtc": "2021-06-02T16:24:44.8218463Z",)
1217 ( "lastModifiedTimeUtc": "2021-06-02T16:24:45.4702162Z",)
1256 ("lastModifiedTimeUtc": "2021-06-02T16:24:44.4977539Z",)
As you can see, line 1217 has a timestamp which is greater than the one in line #1256.
This looks like a bug in the Azure Sentinel REST API (List Incidents in this case).
Looking forward to the answer.
Also, can anyone please tell me where I can file a bug officially with MS/Azure?
110296-incorrect-sort-order-sentinel.txt
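A client-side guard for the behaviour reported above, as an added example that is not part of the original post or of any Microsoft code: it flags records that break ascending lastModifiedTimeUtc order, re-sorts the page locally, and takes the polling watermark from the maximum timestamp rather than from the last record. The incident names are constructed, the timestamps are the three quoted in the question, and a trailing "Z" on every timestamp is assumed.

```python
from datetime import datetime, timezone

# Constructed sample in the shape of an Incidents - List response body; the
# three timestamps are the ones quoted in the question, the names are made up.
SAMPLE = {"value": [
    {"name": "incident-a", "properties": {"lastModifiedTimeUtc": "2021-06-02T16:24:44.8218463Z"}},
    {"name": "incident-b", "properties": {"lastModifiedTimeUtc": "2021-06-02T16:24:45.4702162Z"}},
    {"name": "incident-c", "properties": {"lastModifiedTimeUtc": "2021-06-02T16:24:44.4977539Z"}},
]}

def ts_key(ts):
    """Sortable key for a UTC timestamp with up to 7 fractional digits."""
    whole, _, frac = ts.rstrip("Z").partition(".")
    seconds = datetime.strptime(whole, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    # datetime stops at microseconds, so keep the 100 ns ticks as an integer.
    return (seconds, int(frac.ljust(7, "0")[:7]))

def modified(incident):
    return incident["properties"]["lastModifiedTimeUtc"]

def find_inversions(incidents):
    """Return (index, previous, current) wherever ascending order is broken."""
    out = []
    for i in range(1, len(incidents)):
        prev, cur = modified(incidents[i - 1]), modified(incidents[i])
        if ts_key(cur) < ts_key(prev):
            out.append((i, prev, cur))
    return out

def normalize_page(incidents, seen):
    """Drop (name, timestamp) pairs already handled, re-sort, return high-water mark."""
    fresh = [i for i in incidents if (i["name"], modified(i)) not in seen]
    fresh.sort(key=lambda i: ts_key(modified(i)))
    seen.update((i["name"], modified(i)) for i in fresh)
    # Watermark is the maximum seen, not the last record, so it survives mis-ordering.
    watermark = max((modified(i) for i in incidents), key=ts_key, default=None)
    return fresh, watermark

if __name__ == "__main__":
    page = SAMPLE["value"]
    for idx, prev, cur in find_inversions(page):
        print(f"record {idx}: {cur} sorts before preceding {prev}")
    ordered, mark = normalize_page(page, set())
    print([i["name"] for i in ordered], "next watermark:", mark)
```

Deduplicating on the (name, lastModifiedTimeUtc) pair rather than on the name alone lets a later update to the same incident through while still absorbing the overlap of a "ge" filter.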
2 answers
Harshey 1 Reputation point
2021-07-23T11:54:59.41+00:00
Harshey 1 Reputation point
2021-07-27T07:04:19.04+00:00
Looks like I need to ask my subscription manager to create the support request for this technical issue.
Meanwhile, is it possible for you to create the same? (as you have already seen the issue in the above description)
Please let me know.