0 Votes
EwanChalmers-6599 asked ·

Problems with combining logical expressions in Sentinel Incident API $filter

I am trying to make a $filter query using the List Incidents API (https://docs.microsoft.com/en-us/rest/api/securityinsights/incidents/list).

I want to query for 'incidents updated since some timestamp'

To achieve this, I'm trying to combine two conditions

Incidents with last modified time after my target date, e.g.

 properties/lastModifiedTimeUtc gt 2021-01-11T00:00:00Z  

Incidents where created time is not the same as last modified time. (This is intended to exclude newly created Incidents from the results. I suspect this is NOT the right condition to achieve what I want; but that's another question.)

 properties/lastModifiedTimeUtc ne properties/createdTimeUtc  

Those two queries both appear to work correctly on their own.

But when combined (with or without brackets), like this

 (properties/lastModifiedTimeUtc ne properties/createdTimeUtc) and (properties/lastModifiedTimeUtc gt 2021-01-11T00:00:00Z)  

the query does not return expected results.

Specifically, it selects incidents where createdTime == lastModifiedTime


With curl, the full request looks like

 curl 'https://management.azure.com/subscriptions/xyz/resourceGroups/xyz/providers/Microsoft.OperationalInsights/workspaces/xyz/providers/Microsoft.SecurityInsights/incidents?api-version=2020-01-01&$filter=(properties/lastModifiedTimeUtc%20ne%20properties/createdTimeUtc)%20and%20(properties/lastModifiedTimeUtc%20gt%202021-01-11T00:00:00Z)&$top=5'  

In the response, for example

         "lastModifiedTimeUtc": "2021-02-24T16:11:09.2251843Z",  
         "createdTimeUtc": "2021-02-24T16:11:09.2251843Z",  

Notice the timestamps are the same. Whereas the filter expression asked for them to be ne.

azure-sentinel

@EwanChalmers-6599
Thank you for the detailed post!

Have you tried something like:

     #Adding more parenthesis around the filter
      'https://management.azure.com......Microsoft.SecurityInsights/incidents?api-version=2020-01-01&$filter=((properties/lastModifiedTimeUtc ne properties/createdTimeUtc) and (properties/lastModifiedTimeUtc gt 2021-01-11T00:00:00Z))&$top=5'

    #I'm not sure if this one will work but I'm selecting createdTime and lastModifiedTime, then filtering by lastModified
    #(property name and parenthesis corrected: the response uses createdTimeUtc, and the filter had an unmatched closing bracket)
      'https://management.azure.com.....Microsoft.SecurityInsights/incidents?api-version=2020-01-01&$select=createdTimeUtc,lastModifiedTimeUtc&$filter=(properties/lastModifiedTimeUtc gt 2021-01-11T00:00:00Z)&$top=5'


If you're still having issues with this REST API call and would like to work with our support engineers to get this issue resolved, please let me know.
Thank you for your time and patience throughout this issue.

0 Votes 0 ·

@JamesTran-MSFT Thanks

The first suggestion (extra parentheses) does not change the result

((properties/lastModifiedTimeUtc ne properties/createdTimeUtc) and (properties/lastModifiedTimeUtc gt 2021-01-11T00:00:00.000Z))

... returns 5 incidents where createdTime == lastModified time, e.g.

 "lastModifiedTimeUtc": "2021-03-02T13:06:08.4323042Z",
 "createdTimeUtc": "2021-03-02T13:06:08.4323042Z"

I don't think that https://docs.microsoft.com/en-us/rest/api/securityinsights/incidents/list supports $select. Including $select with any value that I tried results in HTTP 500. Anyway, I think that if this did work it would be limiting the data items returned, which is not what I want.

0 Votes 0 ·

Regarding strange behavior of logic conditions, I have also noted


properties/additionalData/alertsCount

  • cannot check equality, inequality, etc

  • e.g. $filter=properties/additionalData/alertsCount gt 1 returned incidents include ones with alertsCount of 0

properties/firstActivityTimeGenerated eq properties/lastActivityTimeGenerated

  • does not work
0 Votes 0 ·

@EwanChalmers-6599
Thank you for the quick and detailed response!

I've reached out to our Azure Sentinel team to see if anyone from their side can provide insights on your issue, and will update as soon as possible. In the meantime, I'd recommend reaching out to our Azure Sentinel Tech Community since a lot of our experts answer questions within that forum as well.

Azure Sentinel Resources


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

0 Votes 0 ·

1 Answer

1 Vote
EwanChalmers-6599 answered ·

For info, we have found that

We can successfully use the lt operator to compare createdTimeUtc and lastModifiedTimeUtc (whereas ne operator does not work correctly)

We can make a 3 clause filter like this one, returning expected results. The filter expression can return error if clauses are not combined in an acceptable order (undefined in docs):

properties/incidentNumber le 30141 and properties/lastModifiedTimeUtc gt 2021-01-01T00:00:00Z and properties/createdTimeUtc lt properties/lastModifiedTimeUtc
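An added example (not code from the thread or from Microsoft's documentation) that turns the workaround in this answer into a script: it builds the three-clause filter in the clause order that worked, URL-encodes it the way the curl command in the question does, follows nextLink pages, and re-checks createdTimeUtc lt lastModifiedTimeUtc on the client because the server was seen to return rows the ne clause should have excluded. The subscription, resource group and workspace names, the sample response pages and the injected get_json callable are constructed placeholders, not real values.

```python
from datetime import datetime, timezone
from typing import Callable, Iterator
from urllib.parse import quote


def build_filter(since_utc: str, max_incident_number=None) -> str:
    # Clause order copied from the 3-clause filter that returned correct results in the answer
    clauses = []
    if max_incident_number is not None:
        clauses.append(f"properties/incidentNumber le {max_incident_number}")
    clauses.append(f"properties/lastModifiedTimeUtc gt {since_utc}")
    clauses.append("properties/createdTimeUtc lt properties/lastModifiedTimeUtc")
    return " and ".join(clauses)


def build_url(sub: str, rg: str, ws: str, filter_expr: str, top: int = 50) -> str:
    path = (f"/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights"
            f"/workspaces/{ws}/providers/Microsoft.SecurityInsights/incidents")
    # Spaces become %20 as in the curl command from the question; '/' and ':' stay literal
    return f"https://management.azure.com{path}?api-version=2020-01-01&$filter={quote(filter_expr, safe='/:')}&$top={top}"


def parse_utc(ts: str) -> datetime:
    # ARM returns 7 fractional digits ('...09.2251843Z'); strptime accepts at most 6
    main, _, frac = ts.rstrip("Z").partition(".")
    return datetime.strptime(f"{main}.{(frac + '000000')[:6]}",
                             "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def updated_only(incidents, since_utc: str):
    # Client-side guard: drop rows where createdTimeUtc == lastModifiedTimeUtc even if the server
    # returned them (the ne behaviour seen in the question), and anything not modified after since_utc
    since = parse_utc(since_utc)
    return [inc for inc in incidents
            if parse_utc(inc["properties"]["lastModifiedTimeUtc"]) > since
            and parse_utc(inc["properties"]["createdTimeUtc"]) < parse_utc(inc["properties"]["lastModifiedTimeUtc"])]


def iter_incidents(url: str, get_json: Callable[[str], dict]) -> Iterator[dict]:
    # Follow nextLink paging; get_json is a hypothetical injected callable (e.g. a session adding the bearer token)
    while url:
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("nextLink")


def _inc(name, created, modified):  # helper to build a constructed incident record
    return {"name": name, "properties": {"createdTimeUtc": created, "lastModifiedTimeUtc": modified}}

SAMPLE_PAGES = {  # constructed sample response pages, not real data
    "page1": {"value": [_inc("a", "2021-02-24T16:11:09.2251843Z", "2021-02-24T16:11:09.2251843Z"),
                        _inc("b", "2021-02-20T08:00:00.0000000Z", "2021-03-02T13:06:08.4323042Z")],
              "nextLink": "page2"},
    "page2": {"value": [_inc("c", "2020-12-01T00:00:00.0000000Z", "2021-01-05T00:00:00.0000000Z")]},
}
```

Run against SAMPLE_PAGES, only incident "b" survives: "a" has equal timestamps and "c" was last modified before the cut-off.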

@EwanChalmers-6599
Thank you for the follow up and for providing your solution so that others experiencing the same issue can easily find this!


If you have any other questions, please let me know.
Thank you again for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

0 Votes 0 ·