Microsoft Sentinel API Odata filtering not working

Kristian Jacobsen 1 Reputation point
2022-07-26T20:47:38.57+00:00

Hi

When I try to use the OData 4.0 notation in the alertRules API, e.g.:
GET https://management.azure.com/subscriptions/<sub>/resourcegroups/<rg>/providers/microsoft.operationalinsights/workspaces/alasentinel-dev-euw/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-10-01-preview&$filter=(properties/lastModifiedUtc gt 2022-06-09T16:06:49.2026471Z)

It seems to be returning all alertrules and not greater than the lastModifiedUtc (same happening with alertruletemplates).
I tried both with and without parentheses but it seems to be the same result.

Is there anything I am doing wrong, or does the API not support it yet? (As far as I know, the Incident API does.)

Best
Kristian


2 answers

  1. Alistair Ross 7,136 Reputation points Microsoft Employee
    2022-07-26T21:34:23.82+00:00

    Hi @Kristian Jacobsen

    The API Alert Rules - List does not support a filter parameter for OData filtering. This can also be seen in the preview versions of the API. You will need to return all the alert rules and then filter client side.

    kind regards

    Alistair Ross

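The client-side approach described in the answer above, as an added example (not code from the original thread or from Microsoft): page through the full alert-rule list by following `nextLink`, then keep only the rules whose `properties.lastModifiedUtc` is later than the cutoff. The HTTP call is isolated in a `get_json(url)` callable, so the block runs offline against a constructed two-page response; the URL with `<sub>`/`<rg>` placeholders, the rule names and the timestamps are all assumptions made for the example. ARM timestamps carry seven fractional digits (`49.2026471Z`), which `datetime.fromisoformat` rejects on older Python versions, so the timestamp is parsed explicitly.

```python
"""Client-side filtering of Sentinel alert rules by lastModifiedUtc.

Added example: the Alert Rules - List API silently ignores $filter, so the
caller has to fetch every page (following nextLink) and filter locally.
"""
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, Iterator, List, Optional

# Matches "2022-06-09T16:06:49.2026471Z" as well as offsets like "+02:00".
_TS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})?$"
)


def parse_arm_timestamp(value: str) -> datetime:
    """Parse an ARM/OData timestamp into an aware UTC datetime.

    The fraction is truncated (or padded) to microseconds; a missing zone
    designator is treated as UTC, which is what the API returns.
    """
    m = _TS_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac, tz = m.groups()
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    if frac:
        dt = dt.replace(microsecond=int(frac[:6].ljust(6, "0")))
    if tz and tz != "Z":
        sign = 1 if tz[0] == "+" else -1
        hours, minutes = int(tz[1:3]), int(tz[4:6])
        dt = dt.replace(tzinfo=timezone(sign * timedelta(hours=hours, minutes=minutes)))
        return dt.astimezone(timezone.utc)
    return dt.replace(tzinfo=timezone.utc)


def iter_all_rules(get_json: Callable[[str], Dict], first_url: str) -> Iterator[Dict]:
    """Yield every alert rule, following nextLink until the list is exhausted."""
    url: Optional[str] = first_url
    while url:
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("nextLink")


def rules_modified_after(rules: Iterable[Dict], since: str) -> List[Dict]:
    """Equivalent of '$filter=properties/lastModifiedUtc gt <since>', done locally."""
    cutoff = parse_arm_timestamp(since)
    return [
        r for r in rules
        if parse_arm_timestamp(r["properties"]["lastModifiedUtc"]) > cutoff
    ]


def make_arm_getter(bearer_token: str) -> Callable[[str], Dict]:
    """Real getter for management.azure.com; token comes from your own auth flow."""
    def get_json(url: str) -> Dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get_json


# Assumed first-page URL, placeholders kept as in the question.
FIRST_URL = (
    "https://management.azure.com/subscriptions/<sub>/resourcegroups/<rg>"
    "/providers/microsoft.operationalinsights/workspaces/alasentinel-dev-euw"
    "/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-10-01"
)

# Constructed two-page response standing in for the live API (assumed data).
_FAKE_PAGES = {
    FIRST_URL: {
        "value": [
            {"name": "rule-a", "properties": {"lastModifiedUtc": "2022-06-01T10:00:00Z"}},
            {"name": "rule-b", "properties": {"lastModifiedUtc": "2022-06-10T08:30:00.5Z"}},
            # exactly equal to the cutoff: "gt" must exclude it
            {"name": "rule-d", "properties": {"lastModifiedUtc": "2022-06-09T16:06:49.2026471Z"}},
        ],
        "nextLink": FIRST_URL + "&$skipToken=page2",
    },
    FIRST_URL + "&$skipToken=page2": {
        "value": [
            {"name": "rule-c", "properties": {"lastModifiedUtc": "2022-07-01T00:00:00Z"}},
        ],
    },
}


def fake_get_json(url: str) -> Dict:
    return _FAKE_PAGES[url]


def demo(since: str = "2022-06-09T16:06:49.2026471Z") -> List[str]:
    """Names of rules modified after `since`, across all pages."""
    rules = iter_all_rules(fake_get_json, FIRST_URL)
    return [r["name"] for r in rules_modified_after(rules, since)]


if __name__ == "__main__":
    print(demo())  # ['rule-b', 'rule-c']
```

The same pattern applies to the alertRuleTemplates list, which the question reports behaving the same way; swap the URL and keep `rules_modified_after` unchanged. Because `$filter` is ignored rather than rejected, a request that includes it returns every rule, so do not rely on a non-empty result as evidence that filtering happened.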

  2. Kristian Jacobsen 1 Reputation point
    2022-07-26T21:56:28.327+00:00

    Thanks so much for a quick answer.

    Tested it with api-version 2021-10-01 (seems like the same).

    Do you know when the new version of the API is ready? (i.e. with techniques, versions etc.)

