Alerts Suppression Rules - Update

參考

服務:: Defender for Cloud

API 版本:: 2019-01-01-preview

如果現有規則不存在，請更新或建立新規則

PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/alertsSuppressionRules/{alertsSuppressionRuleName}?api-version=2019-01-01-preview

URI 參數

名稱位於必要類型 Description

名稱	位於	必要	類型	Description
alertsSuppressionRuleName	path	True	string	隱藏警示規則的唯一名稱
subscriptionId	path	True	string	Azure 訂用帳戶標識碼 Regex 模式: `^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$`
api-version	query	True	string	作業的 API 版本

alertsSuppressionRuleName

path

True

string

隱藏警示規則的唯一名稱

subscriptionId

path

True

string

Azure 訂用帳戶標識碼

Regex 模式: ^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$

api-version

query

True

string

作業的 API 版本

要求本文

名稱	必要	類型	Description
properties.alertType	True	string	要自動隱藏的警示類型。針對所有警示類型，請使用 '*'
properties.reason	True	string	關閉警示的原因
properties.state	True	RuleState	規則的可能狀態
properties.comment		string	任何有關規則的批注
properties.expirationDateUtc		string	規則的到期日，如果未提供值或提供為 null，則完全不會到期
properties.suppressionAlertsScope		SuppressionAlertsScope	歸併條件

回應

名稱	類型	Description
200 OK	AlertsSuppressionRule	還行
Other Status Codes	CloudError	描述作業失敗原因的錯誤回應。

安全性

azure_auth

Azure Active Directory OAuth2 Flow

類型: oauth2
Flow: implicit
授權 URL: https://login.microsoftonline.com/common/oauth2/authorize

範圍

名稱	Description
user_impersonation	模擬您的用戶帳戶

範例

Update or create suppression rule for subscription

範例要求

PUT https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts?api-version=2019-01-01-preview

{
  "properties": {
    "alertType": "IpAnomaly",
    "expirationDateUtc": "2019-12-01T19:50:47.083633Z",
    "state": "Enabled",
    "reason": "FalsePositive",
    "comment": "Test VM",
    "suppressionAlertsScope": {
      "allOf": [
        {
          "field": "entities.ip.address",
          "in": [
            "104.215.95.187",
            "52.164.206.56"
          ]
        },
        {
          "field": "entities.process.commandline",
          "contains": "POWERSHELL.EXE"
        }
      ]
    }
  }
}


import com.azure.core.management.serializer.SerializerFactory;
import com.azure.core.util.serializer.SerializerEncoding;
import com.azure.resourcemanager.security.fluent.models.AlertsSuppressionRuleInner;
import com.azure.resourcemanager.security.models.RuleState;
import com.azure.resourcemanager.security.models.ScopeElement;
import com.azure.resourcemanager.security.models.SuppressionAlertsScope;
import java.io.IOException;
import java.time.OffsetDateTime;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/**
 * Samples for AlertsSuppressionRules Update.
 */
public final class Main {
    /*
     * x-ms-original-file:
     * specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/
     * AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
     */
    /**
     * Sample code: Update or create suppression rule for subscription.
     * 
     * @param manager Entry point to SecurityManager.
     */
    public static void updateOrCreateSuppressionRuleForSubscription(
        com.azure.resourcemanager.security.SecurityManager manager) throws IOException {
        manager.alertsSuppressionRules().updateWithResponse("dismissIpAnomalyAlerts",
            new AlertsSuppressionRuleInner().withAlertType("IpAnomaly")
                .withExpirationDateUtc(OffsetDateTime.parse("2019-12-01T19:50:47.083633Z")).withReason("FalsePositive")
                .withState(RuleState.ENABLED).withComment("Test VM")
                .withSuppressionAlertsScope(new SuppressionAlertsScope().withAllOf(Arrays.asList(
                    new ScopeElement().withField("entities.ip.address")
                        .withAdditionalProperties(mapOf("in",
                            SerializerFactory.createDefaultManagementSerializerAdapter().deserialize(
                                "[\"104.215.95.187\",\"52.164.206.56\"]", Object.class, SerializerEncoding.JSON))),
                    new ScopeElement().withField("entities.process.commandline")
                        .withAdditionalProperties(mapOf("contains", "POWERSHELL.EXE"))))),
            com.azure.core.util.Context.NONE);
    }

    // Use "Map.of" if available
    @SuppressWarnings("unchecked")
    private static <T> Map<String, T> mapOf(Object... inputs) {
        Map<String, T> map = new HashMap<>();
        for (int i = 0; i < inputs.length; i += 2) {
            String key = (String) inputs[i];
            T value = (T) inputs[i + 1];
            map.put(key, value);
        }
        return map;
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armsecurity_test

import (
	"context"
	"log"

	"time"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/9ac34f238dd6b9071f486b57e9f9f1a0c43ec6f6/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
func ExampleAlertsSuppressionRulesClient_Update() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armsecurity.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewAlertsSuppressionRulesClient().Update(ctx, "dismissIpAnomalyAlerts", armsecurity.AlertsSuppressionRule{
		Properties: &armsecurity.AlertsSuppressionRuleProperties{
			AlertType:         to.Ptr("IpAnomaly"),
			Comment:           to.Ptr("Test VM"),
			ExpirationDateUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2019-12-01T19:50:47.083Z"); return t }()),
			Reason:            to.Ptr("FalsePositive"),
			State:             to.Ptr(armsecurity.RuleStateEnabled),
			SuppressionAlertsScope: &armsecurity.SuppressionAlertsScope{
				AllOf: []*armsecurity.ScopeElement{
					{
						AdditionalProperties: map[string]any{
							"in": []any{
								"104.215.95.187",
								"52.164.206.56",
							},
						},
						Field: to.Ptr("entities.ip.address"),
					},
					{
						AdditionalProperties: map[string]any{
							"contains": "POWERSHELL.EXE",
						},
						Field: to.Ptr("entities.process.commandline"),
					}},
			},
		},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.AlertsSuppressionRule = armsecurity.AlertsSuppressionRule{
	// 	Name: to.Ptr("dismissIpAnomalyAlerts"),
	// 	Type: to.Ptr("Microsoft.Security/alertsSuppressionRules"),
	// 	ID: to.Ptr("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts"),
	// 	Properties: &armsecurity.AlertsSuppressionRuleProperties{
	// 		AlertType: to.Ptr("IpAnomaly"),
	// 		Comment: to.Ptr("Test VM"),
	// 		ExpirationDateUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2019-12-01T19:50:47.083Z"); return t}()),
	// 		LastModifiedUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2019-07-31T19:50:47.083Z"); return t}()),
	// 		Reason: to.Ptr("FalsePositive"),
	// 		State: to.Ptr(armsecurity.RuleStateEnabled),
	// 		SuppressionAlertsScope: &armsecurity.SuppressionAlertsScope{
	// 			AllOf: []*armsecurity.ScopeElement{
	// 				{
	// 					AdditionalProperties: map[string]any{
	// 						"in": []any{
	// 							"104.215.95.187",
	// 							"52.164.206.56",
	// 						},
	// 					},
	// 					Field: to.Ptr("entities.ip.address"),
	// 				},
	// 				{
	// 					AdditionalProperties: map[string]any{
	// 						"contains": "POWERSHELL.EXE",
	// 					},
	// 					Field: to.Ptr("entities.process.commandline"),
	// 			}},
	// 		},
	// 	},
	// }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { SecurityCenter } = require("@azure/arm-security");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Update existing rule or create new rule if it doesn't exist
 *
 * @summary Update existing rule or create new rule if it doesn't exist
 * x-ms-original-file: specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
 */
async function updateOrCreateSuppressionRuleForSubscription() {
  const subscriptionId =
    process.env["SECURITY_SUBSCRIPTION_ID"] || "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
  const alertsSuppressionRuleName = "dismissIpAnomalyAlerts";
  const alertsSuppressionRule = {
    alertType: "IpAnomaly",
    comment: "Test VM",
    expirationDateUtc: new Date("2019-12-01T19:50:47.083633Z"),
    reason: "FalsePositive",
    state: "Enabled",
    suppressionAlertsScope: {
      allOf: [{ field: "entities.ip.address" }, { field: "entities.process.commandline" }],
    },
  };
  const credential = new DefaultAzureCredential();
  const client = new SecurityCenter(credential, subscriptionId);
  const result = await client.alertsSuppressionRules.update(
    alertsSuppressionRuleName,
    alertsSuppressionRule,
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.SecurityCenter;
using Azure.ResourceManager.SecurityCenter.Models;

// Generated from example definition: specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
// this example is just showing the usage of "AlertsSuppressionRules_Update" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this SecurityAlertsSuppressionRuleResource created on azure
// for more information of creating SecurityAlertsSuppressionRuleResource, please refer to the document of SecurityAlertsSuppressionRuleResource
string subscriptionId = "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
string alertsSuppressionRuleName = "dismissIpAnomalyAlerts";
ResourceIdentifier securityAlertsSuppressionRuleResourceId = SecurityAlertsSuppressionRuleResource.CreateResourceIdentifier(subscriptionId, alertsSuppressionRuleName);
SecurityAlertsSuppressionRuleResource securityAlertsSuppressionRule = client.GetSecurityAlertsSuppressionRuleResource(securityAlertsSuppressionRuleResourceId);

// invoke the operation
SecurityAlertsSuppressionRuleData data = new SecurityAlertsSuppressionRuleData()
{
    AlertType = "IpAnomaly",
    ExpireOn = DateTimeOffset.Parse("2019-12-01T19:50:47.083633Z"),
    Reason = "FalsePositive",
    State = SecurityAlertsSuppressionRuleState.Enabled,
    Comment = "Test VM",
    SuppressionAlertsScopeAllOf =
    {
    new SuppressionAlertsScopeElement()
    {
    Field = "entities.ip.address",
    },new SuppressionAlertsScopeElement()
    {
    Field = "entities.process.commandline",
    }
    },
};
ArmOperation<SecurityAlertsSuppressionRuleResource> lro = await securityAlertsSuppressionRule.UpdateAsync(WaitUntil.Completed, data);
SecurityAlertsSuppressionRuleResource result = lro.Value;

// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
SecurityAlertsSuppressionRuleData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

範例回覆

狀態碼:: 200

{
  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts",
  "name": "dismissIpAnomalyAlerts",
  "type": "Microsoft.Security/alertsSuppressionRules",
  "properties": {
    "alertType": "IpAnomaly",
    "lastModifiedUtc": "2019-07-31T19:50:47.083633Z",
    "expirationDateUtc": "2019-12-01T19:50:47.083633Z",
    "state": "Enabled",
    "reason": "FalsePositive",
    "comment": "Test VM",
    "suppressionAlertsScope": {
      "allOf": [
        {
          "field": "entities.ip.address",
          "in": [
            "104.215.95.187",
            "52.164.206.56"
          ]
        },
        {
          "field": "entities.process.commandline",
          "contains": "POWERSHELL.EXE"
        }
      ]
    }
  }
}

定義

名稱	Description
AlertsSuppressionRule	描述歸並規則
CloudError	所有 Azure Resource Manager API 的常見錯誤回應，以傳回失敗作業的錯誤詳細數據。（這也遵循 OData 錯誤回應格式。）。
CloudErrorBody	錯誤詳細數據。
ErrorAdditionalInfo	資源管理錯誤其他資訊。
RuleState	規則的可能狀態
ScopeElement	更具體的範圍，用來識別要隱藏的警示。
SuppressionAlertsScope