Alerts Suppression Rules - Update

Reference

Service:: Defender for Cloud

API Version:: 2019-01-01-preview

Update existing rule or create new rule if it doesn't exist

PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/alertsSuppressionRules/{alertsSuppressionRuleName}?api-version=2019-01-01-preview

URI Parameters

Name In Required Type Description

Name	In	Required	Type	Description
alertsSuppressionRuleName	path	True	string	The unique name of the suppression alert rule
subscriptionId	path	True	string	Azure subscription ID Regex pattern: `^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$`
api-version	query	True	string	API version for the operation

alertsSuppressionRuleName

path

True

string

The unique name of the suppression alert rule

subscriptionId

path

True

string

Azure subscription ID

Regex pattern: ^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$

api-version

query

True

string

API version for the operation

Request Body

Name	Required	Type	Description
properties.alertType	True	string	Type of the alert to automatically suppress. For all alert types, use '*'
properties.reason	True	string	The reason for dismissing the alert
properties.state	True	RuleState	Possible states of the rule
properties.comment		string	Any comment regarding the rule
properties.expirationDateUtc		string	Expiration date of the rule, if value is not provided or provided as null there will no expiration at all
properties.suppressionAlertsScope		SuppressionAlertsScope	The suppression conditions

Responses

Name	Type	Description
200 OK	AlertsSuppressionRule	OK
Other Status Codes	CloudError	Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	impersonate your user account

Examples

Update or create suppression rule for subscription

Sample request

PUT https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts?api-version=2019-01-01-preview

{
  "properties": {
    "alertType": "IpAnomaly",
    "expirationDateUtc": "2019-12-01T19:50:47.083633Z",
    "state": "Enabled",
    "reason": "FalsePositive",
    "comment": "Test VM",
    "suppressionAlertsScope": {
      "allOf": [
        {
          "field": "entities.ip.address",
          "in": [
            "104.215.95.187",
            "52.164.206.56"
          ]
        },
        {
          "field": "entities.process.commandline",
          "contains": "POWERSHELL.EXE"
        }
      ]
    }
  }
}


import com.azure.core.management.serializer.SerializerFactory;
import com.azure.core.util.serializer.SerializerEncoding;
import com.azure.resourcemanager.security.fluent.models.AlertsSuppressionRuleInner;
import com.azure.resourcemanager.security.models.RuleState;
import com.azure.resourcemanager.security.models.ScopeElement;
import com.azure.resourcemanager.security.models.SuppressionAlertsScope;
import java.io.IOException;
import java.time.OffsetDateTime;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/**
 * Samples for AlertsSuppressionRules Update.
 */
public final class Main {
    /*
     * x-ms-original-file:
     * specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/
     * AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
     */
    /**
     * Sample code: Update or create suppression rule for subscription.
     * 
     * @param manager Entry point to SecurityManager.
     */
    public static void updateOrCreateSuppressionRuleForSubscription(
        com.azure.resourcemanager.security.SecurityManager manager) throws IOException {
        manager.alertsSuppressionRules().updateWithResponse("dismissIpAnomalyAlerts",
            new AlertsSuppressionRuleInner().withAlertType("IpAnomaly")
                .withExpirationDateUtc(OffsetDateTime.parse("2019-12-01T19:50:47.083633Z")).withReason("FalsePositive")
                .withState(RuleState.ENABLED).withComment("Test VM")
                .withSuppressionAlertsScope(new SuppressionAlertsScope().withAllOf(Arrays.asList(
                    new ScopeElement().withField("entities.ip.address")
                        .withAdditionalProperties(mapOf("in",
                            SerializerFactory.createDefaultManagementSerializerAdapter().deserialize(
                                "[\"104.215.95.187\",\"52.164.206.56\"]", Object.class, SerializerEncoding.JSON))),
                    new ScopeElement().withField("entities.process.commandline")
                        .withAdditionalProperties(mapOf("contains", "POWERSHELL.EXE"))))),
            com.azure.core.util.Context.NONE);
    }

    // Use "Map.of" if available
    @SuppressWarnings("unchecked")
    private static <T> Map<String, T> mapOf(Object... inputs) {
        Map<String, T> map = new HashMap<>();
        for (int i = 0; i < inputs.length; i += 2) {
            String key = (String) inputs[i];
            T value = (T) inputs[i + 1];
            map.put(key, value);
        }
        return map;
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armsecurity_test

import (
	"context"
	"log"

	"time"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/9ac34f238dd6b9071f486b57e9f9f1a0c43ec6f6/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
func ExampleAlertsSuppressionRulesClient_Update() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armsecurity.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewAlertsSuppressionRulesClient().Update(ctx, "dismissIpAnomalyAlerts", armsecurity.AlertsSuppressionRule{
		Properties: &armsecurity.AlertsSuppressionRuleProperties{
			AlertType:         to.Ptr("IpAnomaly"),
			Comment:           to.Ptr("Test VM"),
			ExpirationDateUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2019-12-01T19:50:47.083Z"); return t }()),
			Reason:            to.Ptr("FalsePositive"),
			State:             to.Ptr(armsecurity.RuleStateEnabled),
			SuppressionAlertsScope: &armsecurity.SuppressionAlertsScope{
				AllOf: []*armsecurity.ScopeElement{
					{
						AdditionalProperties: map[string]any{
							"in": []any{
								"104.215.95.187",
								"52.164.206.56",
							},
						},
						Field: to.Ptr("entities.ip.address"),
					},
					{
						AdditionalProperties: map[string]any{
							"contains": "POWERSHELL.EXE",
						},
						Field: to.Ptr("entities.process.commandline"),
					}},
			},
		},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.AlertsSuppressionRule = armsecurity.AlertsSuppressionRule{
	// 	Name: to.Ptr("dismissIpAnomalyAlerts"),
	// 	Type: to.Ptr("Microsoft.Security/alertsSuppressionRules"),
	// 	ID: to.Ptr("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts"),
	// 	Properties: &armsecurity.AlertsSuppressionRuleProperties{
	// 		AlertType: to.Ptr("IpAnomaly"),
	// 		Comment: to.Ptr("Test VM"),
	// 		ExpirationDateUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2019-12-01T19:50:47.083Z"); return t}()),
	// 		LastModifiedUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2019-07-31T19:50:47.083Z"); return t}()),
	// 		Reason: to.Ptr("FalsePositive"),
	// 		State: to.Ptr(armsecurity.RuleStateEnabled),
	// 		SuppressionAlertsScope: &armsecurity.SuppressionAlertsScope{
	// 			AllOf: []*armsecurity.ScopeElement{
	// 				{
	// 					AdditionalProperties: map[string]any{
	// 						"in": []any{
	// 							"104.215.95.187",
	// 							"52.164.206.56",
	// 						},
	// 					},
	// 					Field: to.Ptr("entities.ip.address"),
	// 				},
	// 				{
	// 					AdditionalProperties: map[string]any{
	// 						"contains": "POWERSHELL.EXE",
	// 					},
	// 					Field: to.Ptr("entities.process.commandline"),
	// 			}},
	// 		},
	// 	},
	// }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { SecurityCenter } = require("@azure/arm-security");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Update existing rule or create new rule if it doesn't exist
 *
 * @summary Update existing rule or create new rule if it doesn't exist
 * x-ms-original-file: specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
 */
async function updateOrCreateSuppressionRuleForSubscription() {
  const subscriptionId =
    process.env["SECURITY_SUBSCRIPTION_ID"] || "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
  const alertsSuppressionRuleName = "dismissIpAnomalyAlerts";
  const alertsSuppressionRule = {
    alertType: "IpAnomaly",
    comment: "Test VM",
    expirationDateUtc: new Date("2019-12-01T19:50:47.083633Z"),
    reason: "FalsePositive",
    state: "Enabled",
    suppressionAlertsScope: {
      allOf: [{ field: "entities.ip.address" }, { field: "entities.process.commandline" }],
    },
  };
  const credential = new DefaultAzureCredential();
  const client = new SecurityCenter(credential, subscriptionId);
  const result = await client.alertsSuppressionRules.update(
    alertsSuppressionRuleName,
    alertsSuppressionRule,
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.SecurityCenter;
using Azure.ResourceManager.SecurityCenter.Models;

// Generated from example definition: specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
// this example is just showing the usage of "AlertsSuppressionRules_Update" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this SecurityAlertsSuppressionRuleResource created on azure
// for more information of creating SecurityAlertsSuppressionRuleResource, please refer to the document of SecurityAlertsSuppressionRuleResource
string subscriptionId = "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
string alertsSuppressionRuleName = "dismissIpAnomalyAlerts";
ResourceIdentifier securityAlertsSuppressionRuleResourceId = SecurityAlertsSuppressionRuleResource.CreateResourceIdentifier(subscriptionId, alertsSuppressionRuleName);
SecurityAlertsSuppressionRuleResource securityAlertsSuppressionRule = client.GetSecurityAlertsSuppressionRuleResource(securityAlertsSuppressionRuleResourceId);

// invoke the operation
SecurityAlertsSuppressionRuleData data = new SecurityAlertsSuppressionRuleData()
{
    AlertType = "IpAnomaly",
    ExpireOn = DateTimeOffset.Parse("2019-12-01T19:50:47.083633Z"),
    Reason = "FalsePositive",
    State = SecurityAlertsSuppressionRuleState.Enabled,
    Comment = "Test VM",
    SuppressionAlertsScopeAllOf =
    {
    new SuppressionAlertsScopeElement()
    {
    Field = "entities.ip.address",
    },new SuppressionAlertsScopeElement()
    {
    Field = "entities.process.commandline",
    }
    },
};
ArmOperation<SecurityAlertsSuppressionRuleResource> lro = await securityAlertsSuppressionRule.UpdateAsync(WaitUntil.Completed, data);
SecurityAlertsSuppressionRuleResource result = lro.Value;

// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
SecurityAlertsSuppressionRuleData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:: 200

{
  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts",
  "name": "dismissIpAnomalyAlerts",
  "type": "Microsoft.Security/alertsSuppressionRules",
  "properties": {
    "alertType": "IpAnomaly",
    "lastModifiedUtc": "2019-07-31T19:50:47.083633Z",
    "expirationDateUtc": "2019-12-01T19:50:47.083633Z",
    "state": "Enabled",
    "reason": "FalsePositive",
    "comment": "Test VM",
    "suppressionAlertsScope": {
      "allOf": [
        {
          "field": "entities.ip.address",
          "in": [
            "104.215.95.187",
            "52.164.206.56"
          ]
        },
        {
          "field": "entities.process.commandline",
          "contains": "POWERSHELL.EXE"
        }
      ]
    }
  }
}

Definitions

Name	Description
AlertsSuppressionRule	Describes the suppression rule
CloudError	Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.).
CloudErrorBody	The error detail.
ErrorAdditionalInfo	The resource management error additional info.
RuleState	Possible states of the rule
ScopeElement	A more specific scope used to identify the alerts to suppress.
SuppressionAlertsScope