I am trying to make a $filter query using the List Incidents API (https://docs.microsoft.com/en-us/rest/api/securityinsights/incidents/list).
I want to query for 'incidents updated since some timestamp'
To achieve this, I'm trying to combine two conditions:
Incidents with last modified time after my target date, e.g.
properties/lastModifiedTimeUtc gt 2021-01-11T00:00:00Z
Incidents where created time is not the same as last modified time. (This is intended to exclude newly created Incidents from the results. I suspect this is NOT the right condition to achieve what I want; but that's another question.)
properties/lastModifiedTimeUtc ne properties/createdTimeUtc
Those two queries both appear to work correctly on their own.
But when combined (with or without brackets), like this
(properties/lastModifiedTimeUtc ne properties/createdTimeUtc) and (properties/lastModifiedTimeUtc gt 2021-01-11T00:00:00Z)
the query does not return expected results.
Specifically, it selects incidents where createdTime == lastModifiedTime
With curl, the full request looks like
In the response, for example
"lastModifiedTimeUtc": "2021-02-24T16:11:09.2251843Z", "createdTimeUtc": "2021-02-24T16:11:09.2251843Z",
Notice the timestamps are the same. Whereas the filter expression asked for them to be
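One practical way around the combined-filter behaviour described in the question is to send only the timestamp condition in `$filter` (the part that is reported to work on its own) and apply the `createdTimeUtc != lastModifiedTimeUtc` check client-side on the returned page. The following is an added example, not code from the question or from Microsoft; the ARM URL layout and the `api-version` value are assumptions taken from the linked documentation, the sample response is constructed inline, and nothing here calls the live API.

```python
"""Fetch 'incidents updated since T' from the Sentinel List Incidents API without
relying on a two-property comparison inside $filter.

Added example (not from the original post). The URL layout and api-version are
assumptions based on the linked List Incidents documentation; the response below
is constructed sample data, not output from a real workspace.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlencode

# Assumed: ARM resource path for Microsoft.SecurityInsights incidents.
ARM_BASE = "https://management.azure.com"
API_VERSION = "2021-04-01"  # assumption; use whatever version the doc page lists


def build_filter(since_utc: str) -> str:
    """Only the timestamp condition goes to the server; the equality test is done locally."""
    return f"properties/lastModifiedTimeUtc gt {since_utc}"


def build_list_url(subscription_id: str, resource_group: str, workspace: str, since_utc: str) -> str:
    path = (
        f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        f"/providers/Microsoft.SecurityInsights/incidents"
    )
    query = urlencode({"api-version": API_VERSION, "$filter": build_filter(since_utc)})
    return f"{ARM_BASE}{path}?{query}"


def parse_arm_timestamp(value: str) -> datetime:
    """ARM returns ISO 8601 UTC with up to seven fractional digits and a trailing Z.

    datetime.fromisoformat only accepts six fractional digits, so the fraction is
    truncated to microseconds before parsing. Use this for ordering comparisons only;
    equality between two ARM timestamps is checked on the raw strings below.
    """
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError(f"unexpected timestamp format: {value!r}")
    base, frac = m.groups()
    micro = (frac or "0")[:6].ljust(6, "0")
    return datetime.fromisoformat(f"{base}.{micro}").replace(tzinfo=timezone.utc)


def updated_only(incidents: list, since_utc: str) -> list:
    """Keep incidents modified after since_utc whose modification is not just creation."""
    since = parse_arm_timestamp(since_utc)
    kept = []
    for inc in incidents:
        props = inc["properties"]
        modified = props["lastModifiedTimeUtc"]
        # Raw-string equality mirrors the comparison the question makes by eye.
        if props["createdTimeUtc"] == modified:
            continue  # newly created and never edited: skip
        if parse_arm_timestamp(modified) > since:
            kept.append(inc)
    return kept


# Constructed sample page shaped like a List Incidents response (not real data).
SAMPLE_RESPONSE = {
    "value": [
        {   # created and modified at the same instant: excluded
            "name": "inc-1",
            "properties": {
                "createdTimeUtc": "2021-02-24T16:11:09.2251843Z",
                "lastModifiedTimeUtc": "2021-02-24T16:11:09.2251843Z",
            },
        },
        {   # edited after creation, after the cut-off: included
            "name": "inc-2",
            "properties": {
                "createdTimeUtc": "2021-01-05T08:00:00.0000000Z",
                "lastModifiedTimeUtc": "2021-02-01T09:30:00.1234567Z",
            },
        },
        {   # edited, but before the cut-off: excluded even if the server returned it
            "name": "inc-3",
            "properties": {
                "createdTimeUtc": "2020-12-01T10:00:00.0000000Z",
                "lastModifiedTimeUtc": "2020-12-20T10:00:00.0000000Z",
            },
        },
    ]
}

if __name__ == "__main__":
    print(build_list_url("<sub>", "<rg>", "<workspace>", "2021-01-11T00:00:00Z"))
    for inc in updated_only(SAMPLE_RESPONSE["value"], "2021-01-11T00:00:00Z"):
        print(inc["name"], inc["properties"]["lastModifiedTimeUtc"])
```

The server-side `$filter` still does the heavy lifting (only incidents past the cut-off come back), and the local pass removes the ones that were merely created in that window. If the API pages results with `nextLink`, run `updated_only` over every page, not just the first.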