question

0 Votes
harshey asked Harshey-1174 answered

Azure Sentinel Incidents List - REST API - Sometimes return incorrectly sorted records.

While using the REST API endpoint documented at https://docs.microsoft.com/en-us/rest/api/securityinsights/incidents/list
we sometimes receive incorrectly ordered data.
e.g.
We have used the following CURL commands in the Postman app:

# Step 1: get an access token (client credentials flow against the ARM resource)
curl --location --request POST 'https://login.microsoftonline.com/TENANT_ID/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=CLIENT_ID' \
--data-urlencode 'client_secret=CLIENT_SECRET' \
--data-urlencode 'resource=https://management.azure.com/'

# Step 2: retrieve the list of incidents using the access token returned in step 1
curl --location --request GET 'https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/soar-dev/providers/Microsoft.OperationalInsights/workspaces/soar-dev-workspace/providers/Microsoft.SecurityInsights/incidents?api-version=2020-01-01&$filter=properties/lastModifiedTimeUtc%20ge%202021-05-31T00:00:00.123Z%20and%20properties/status%20ne%20%27Closed%27&$orderby=properties/lastModifiedTimeUtc%20asc&$top=40' \
--header 'Authorization: Bearer <ACCESS_TOKEN>'

# The above CURL request asks for incidents whose lastModifiedTimeUtc is greater than the provided timestamp, in ASCENDING order.


I have attached a sample response showing the incorrectly sorted records (please check the attachment section, filename = incorrect-sort-order-sentinel.txt).

Proof/Evidence:

See the LINE numbers:
1178 ("lastModifiedTimeUtc": "2021-06-02T16:24:44.8218463Z",)
1217 ("lastModifiedTimeUtc": "2021-06-02T16:24:45.4702162Z",)
1256 ("lastModifiedTimeUtc": "2021-06-02T16:24:44.4977539Z",)

As you can see, line 1217 has a timestamp which is greater than the one in line 1256.

This looks like a bug in the Azure Sentinel REST API (List Incidents in this case).

Looking forward to the answer.
Also, can anyone please tell me where I can officially file a bug with MS/Azure?


microsoft-sentinel
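The ordering problem described in the question can be checked and worked around on the client side until the service-side sort can be trusted. The following Python script is an added example, not code from the question or from Microsoft: it builds the same List Incidents URL with urlencode instead of hand-escaped %20 sequences, turns the 7-digit ARM timestamps into a sortable key, flags adjacent records that violate the requested $orderby, checks that every record actually satisfies the $filter, and re-sorts the page client-side. The incident records are constructed from the three timestamps quoted in the question plus one Closed record; the function names, the SUBSCRIPTION_ID placeholder and the trimmed-down record shape are assumptions.

```python
"""Client-side sanity checks for a Sentinel "Incidents - List" response.
Added example; not code from the question or from Microsoft."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

MANAGEMENT = "https://management.azure.com"
API_VERSION = "2020-01-01"
# ARM timestamps look like 2021-06-02T16:24:44.8218463Z (7 fractional digits = 100 ns ticks)
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z$")


def build_list_url(subscription_id, resource_group, workspace, since_utc, top=40):
    """Build the List Incidents URL; urlencode does the %-escaping of $filter/$orderby."""
    path = (f"{MANAGEMENT}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/incidents")
    query = {
        "api-version": API_VERSION,
        "$filter": f"properties/lastModifiedTimeUtc ge {since_utc} and properties/status ne 'Closed'",
        "$orderby": "properties/lastModifiedTimeUtc asc",
        "$top": str(top),
    }
    return f"{path}?{urlencode(query)}"


def query_params(url):
    """Decode the query string back into a flat dict (used to inspect what was sent)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def parse_ts(ts):
    """Return a sortable key (fixed-width seconds string, nanoseconds) for an ARM timestamp.
    Older datetime.fromisoformat rejects 7 fractional digits, so the key is built by hand."""
    m = _TS.match(ts)
    if not m:
        raise ValueError(f"unexpected timestamp format: {ts!r}")
    base, frac = m.group(1), m.group(2) or ""
    return (base, int(frac.ljust(9, "0")))


def find_order_violations(incidents, field="lastModifiedTimeUtc", descending=False):
    """Return (index, previous, current) for every adjacent pair that breaks the requested order."""
    values = [inc["properties"][field] for inc in incidents]
    violations = []
    for i in range(1, len(values)):
        prev_key, cur_key = parse_ts(values[i - 1]), parse_ts(values[i])
        out_of_order = cur_key > prev_key if descending else cur_key < prev_key
        if out_of_order:
            violations.append((i, values[i - 1], values[i]))
    return violations


def sort_incidents(incidents, field="lastModifiedTimeUtc", descending=False):
    """Stable client-side sort on the timestamp; ties keep the server's order."""
    return sorted(incidents, key=lambda inc: parse_ts(inc["properties"][field]), reverse=descending)


def filter_violations(incidents, since_utc, excluded_status="Closed"):
    """Names of incidents the request's $filter should have excluded but that came back anyway."""
    cutoff = parse_ts(since_utc)
    return [inc["name"] for inc in incidents
            if parse_ts(inc["properties"]["lastModifiedTimeUtc"]) < cutoff
            or inc["properties"]["status"] == excluded_status]


# Constructed sample: a trimmed "value" array using the three timestamps quoted in the question
# (in the order they were returned) plus one Closed incident that the $filter should have removed.
SAMPLE_INCIDENTS = [
    {"name": "inc-a", "properties": {"status": "New", "lastModifiedTimeUtc": "2021-06-02T16:24:44.8218463Z"}},
    {"name": "inc-b", "properties": {"status": "Active", "lastModifiedTimeUtc": "2021-06-02T16:24:45.4702162Z"}},
    {"name": "inc-c", "properties": {"status": "New", "lastModifiedTimeUtc": "2021-06-02T16:24:44.4977539Z"}},
    {"name": "inc-d", "properties": {"status": "Closed", "lastModifiedTimeUtc": "2021-06-02T16:25:00.0000000Z"}},
]

if __name__ == "__main__":
    # SUBSCRIPTION_ID is a placeholder; resource group and workspace names are the ones from the question.
    print(build_list_url("SUBSCRIPTION_ID", "soar-dev", "soar-dev-workspace", "2021-05-31T00:00:00.123Z"))
    for idx, prev, cur in find_order_violations(SAMPLE_INCIDENTS):
        print(f"out of order at index {idx}: {prev} was followed by {cur}")
    print("filter violations:", filter_violations(SAMPLE_INCIDENTS, "2021-05-31T00:00:00.123Z"))
    print("client-side order:", [inc["name"] for inc in sort_incidents(SAMPLE_INCIDENTS)])
```

The practical point for a poller built on this endpoint: sort the page locally before taking the last record's lastModifiedTimeUtc as the watermark for the next request, otherwise an out-of-order record can push the watermark forward and the incidents that should have followed it are skipped on the next poll.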

@harshey Thanks for reaching out. Checking on this, will update soon.

0 Votes

@harshey Can you get a support case opened for this? We can investigate it there. Thanks.

0 Votes

0 Votes
Harshey-1174 answered vipulsparsh-MSFT commented

@vipulsparsh-MSFT where can I create a support case for the same issue?
Please revert.
Looking forward to your reply.


@Harshey-1174 Here's how you can open a support case.

[two screenshots attached showing the steps to open a support case]


0 Votes

0 Votes
Harshey-1174 answered

Looks like I need to ask my subscription manager to create the support request for this technical issue.
Meanwhile, is it possible for you to create the same? (as you have already seen the issue in the above description)
Please let me know.
