Alerts Suppression Rules - Update

Tjänst:

Defender for Cloud

API-version:

2019-01-01-preview

Uppdatera befintlig regel eller skapa en ny regel om den inte finns

PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/alertsSuppressionRules/{alertsSuppressionRuleName}?api-version=2019-01-01-preview

URI-parametrar

Name	I	Obligatorisk	Typ	Description
alertsSuppressionRuleName	path	True	string	Det unika namnet på regeln för undertryckningsavisering
subscriptionId	path	True	string pattern: ^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$	Azure-prenumerations-ID
api-version	query	True	string	API-version för åtgärden

Begärandetext

Name	Obligatorisk	Typ	Description
properties.alertType	True	string	Typ av avisering som ska ignoreras automatiskt. Använd *för alla aviseringstyper
properties.reason	True	string	Anledningen till att avvisa aviseringen
properties.state	True	RuleState	Möjliga tillstånd för regeln
properties.comment		string	Eventuella kommentarer om regeln
properties.expirationDateUtc		string (date-time)	Förfallodatum för regeln, om värdet inte anges eller anges som null kommer det inte att upphöra att gälla alls
properties.suppressionAlertsScope		SuppressionAlertsScope	Undertryckningsvillkoren

Svar

Name	Typ	Description
200 OK	AlertsSuppressionRule	OKEJ
Other Status Codes	CloudError	Felsvar som beskriver varför åtgärden misslyckades.

Säkerhet

azure_auth

Azure Active Directory OAuth2 Flow

Typ: oauth2
Flow: implicit
Auktoriseringswebbadress: https://login.microsoftonline.com/common/oauth2/authorize

Omfattningar

Name	Description
user_impersonation	personifiera ditt användarkonto

Exempel

Update or create suppression rule for subscription

Exempelbegäran

HTTP

PUT https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts?api-version=2019-01-01-preview

{
  "properties": {
    "alertType": "IpAnomaly",
    "expirationDateUtc": "2019-12-01T19:50:47.083633Z",
    "state": "Enabled",
    "reason": "FalsePositive",
    "comment": "Test VM",
    "suppressionAlertsScope": {
      "allOf": [
        {
          "field": "entities.ip.address",
          "in": [
            "104.215.95.187",
            "52.164.206.56"
          ]
        },
        {
          "field": "entities.process.commandline",
          "contains": "POWERSHELL.EXE"
        }
      ]
    }
  }
}

Java

import com.azure.core.management.serializer.SerializerFactory;
import com.azure.core.util.serializer.SerializerEncoding;
import com.azure.resourcemanager.security.fluent.models.AlertsSuppressionRuleInner;
import com.azure.resourcemanager.security.models.RuleState;
import com.azure.resourcemanager.security.models.ScopeElement;
import com.azure.resourcemanager.security.models.SuppressionAlertsScope;
import java.io.IOException;
import java.time.OffsetDateTime;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/**
 * Samples for AlertsSuppressionRules Update.
 */
public final class Main {
    /*
     * x-ms-original-file:
     * specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/
     * AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
     */
    /**
     * Sample code: Update or create suppression rule for subscription.
     * 
     * @param manager Entry point to SecurityManager.
     */
    public static void updateOrCreateSuppressionRuleForSubscription(
        com.azure.resourcemanager.security.SecurityManager manager) throws IOException {
        manager.alertsSuppressionRules().updateWithResponse("dismissIpAnomalyAlerts",
            new AlertsSuppressionRuleInner().withAlertType("IpAnomaly")
                .withExpirationDateUtc(OffsetDateTime.parse("2019-12-01T19:50:47.083633Z")).withReason("FalsePositive")
                .withState(RuleState.ENABLED).withComment("Test VM")
                .withSuppressionAlertsScope(new SuppressionAlertsScope().withAllOf(Arrays.asList(
                    new ScopeElement().withField("entities.ip.address")
                        .withAdditionalProperties(mapOf("in",
                            SerializerFactory.createDefaultManagementSerializerAdapter().deserialize(
                                "[\"104.215.95.187\",\"52.164.206.56\"]", Object.class, SerializerEncoding.JSON))),
                    new ScopeElement().withField("entities.process.commandline")
                        .withAdditionalProperties(mapOf("contains", "POWERSHELL.EXE"))))),
            com.azure.core.util.Context.NONE);
    }

    // Use "Map.of" if available
    @SuppressWarnings("unchecked")
    private static <T> Map<String, T> mapOf(Object... inputs) {
        Map<String, T> map = new HashMap<>();
        for (int i = 0; i < inputs.length; i += 2) {
            String key = (String) inputs[i];
            T value = (T) inputs[i + 1];
            map.put(key, value);
        }
        return map;
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Go

package armsecurity_test

import (
	"context"
	"log"

	"time"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/9ac34f238dd6b9071f486b57e9f9f1a0c43ec6f6/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
func ExampleAlertsSuppressionRulesClient_Update() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armsecurity.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewAlertsSuppressionRulesClient().Update(ctx, "dismissIpAnomalyAlerts", armsecurity.AlertsSuppressionRule{
		Properties: &armsecurity.AlertsSuppressionRuleProperties{
			AlertType:         to.Ptr("IpAnomaly"),
			Comment:           to.Ptr("Test VM"),
			ExpirationDateUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2019-12-01T19:50:47.083Z"); return t }()),
			Reason:            to.Ptr("FalsePositive"),
			State:             to.Ptr(armsecurity.RuleStateEnabled),
			SuppressionAlertsScope: &armsecurity.SuppressionAlertsScope{
				AllOf: []*armsecurity.ScopeElement{
					{
						AdditionalProperties: map[string]any{
							"in": []any{
								"104.215.95.187",
								"52.164.206.56",
							},
						},
						Field: to.Ptr("entities.ip.address"),
					},
					{
						AdditionalProperties: map[string]any{
							"contains": "POWERSHELL.EXE",
						},
						Field: to.Ptr("entities.process.commandline"),
					}},
			},
		},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.AlertsSuppressionRule = armsecurity.AlertsSuppressionRule{
	// 	Name: to.Ptr("dismissIpAnomalyAlerts"),
	// 	Type: to.Ptr("Microsoft.Security/alertsSuppressionRules"),
	// 	ID: to.Ptr("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts"),
	// 	Properties: &armsecurity.AlertsSuppressionRuleProperties{
	// 		AlertType: to.Ptr("IpAnomaly"),
	// 		Comment: to.Ptr("Test VM"),
	// 		ExpirationDateUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2019-12-01T19:50:47.083Z"); return t}()),
	// 		LastModifiedUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2019-07-31T19:50:47.083Z"); return t}()),
	// 		Reason: to.Ptr("FalsePositive"),
	// 		State: to.Ptr(armsecurity.RuleStateEnabled),
	// 		SuppressionAlertsScope: &armsecurity.SuppressionAlertsScope{
	// 			AllOf: []*armsecurity.ScopeElement{
	// 				{
	// 					AdditionalProperties: map[string]any{
	// 						"in": []any{
	// 							"104.215.95.187",
	// 							"52.164.206.56",
	// 						},
	// 					},
	// 					Field: to.Ptr("entities.ip.address"),
	// 				},
	// 				{
	// 					AdditionalProperties: map[string]any{
	// 						"contains": "POWERSHELL.EXE",
	// 					},
	// 					Field: to.Ptr("entities.process.commandline"),
	// 			}},
	// 		},
	// 	},
	// }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

JavaScript

const { SecurityCenter } = require("@azure/arm-security");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Update existing rule or create new rule if it doesn't exist
 *
 * @summary Update existing rule or create new rule if it doesn't exist
 * x-ms-original-file: specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
 */
async function updateOrCreateSuppressionRuleForSubscription() {
  const subscriptionId =
    process.env["SECURITY_SUBSCRIPTION_ID"] || "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
  const alertsSuppressionRuleName = "dismissIpAnomalyAlerts";
  const alertsSuppressionRule = {
    alertType: "IpAnomaly",
    comment: "Test VM",
    expirationDateUtc: new Date("2019-12-01T19:50:47.083633Z"),
    reason: "FalsePositive",
    state: "Enabled",
    suppressionAlertsScope: {
      allOf: [{ field: "entities.ip.address" }, { field: "entities.process.commandline" }],
    },
  };
  const credential = new DefaultAzureCredential();
  const client = new SecurityCenter(credential, subscriptionId);
  const result = await client.alertsSuppressionRules.update(
    alertsSuppressionRuleName,
    alertsSuppressionRule,
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

dotnet

using Azure;
using Azure.ResourceManager;
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.SecurityCenter.Models;
using Azure.ResourceManager.SecurityCenter;

// Generated from example definition: specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
// this example is just showing the usage of "AlertsSuppressionRules_Update" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this SecurityAlertsSuppressionRuleResource created on azure
// for more information of creating SecurityAlertsSuppressionRuleResource, please refer to the document of SecurityAlertsSuppressionRuleResource
string subscriptionId = "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
string alertsSuppressionRuleName = "dismissIpAnomalyAlerts";
ResourceIdentifier securityAlertsSuppressionRuleResourceId = SecurityAlertsSuppressionRuleResource.CreateResourceIdentifier(subscriptionId, alertsSuppressionRuleName);
SecurityAlertsSuppressionRuleResource securityAlertsSuppressionRule = client.GetSecurityAlertsSuppressionRuleResource(securityAlertsSuppressionRuleResourceId);

// invoke the operation
SecurityAlertsSuppressionRuleData data = new SecurityAlertsSuppressionRuleData
{
    AlertType = "IpAnomaly",
    ExpireOn = DateTimeOffset.Parse("2019-12-01T19:50:47.083633Z"),
    Reason = "FalsePositive",
    State = SecurityAlertsSuppressionRuleState.Enabled,
    Comment = "Test VM",
    SuppressionAlertsScopeAllOf = {new SuppressionAlertsScopeElement
    {
    Field = "entities.ip.address",
    }, new SuppressionAlertsScopeElement
    {
    Field = "entities.process.commandline",
    }},
};
ArmOperation<SecurityAlertsSuppressionRuleResource> lro = await securityAlertsSuppressionRule.UpdateAsync(WaitUntil.Completed, data);
SecurityAlertsSuppressionRuleResource result = lro.Value;

// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
SecurityAlertsSuppressionRuleData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Exempelsvar

Statuskod:

200

{
  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts",
  "name": "dismissIpAnomalyAlerts",
  "type": "Microsoft.Security/alertsSuppressionRules",
  "properties": {
    "alertType": "IpAnomaly",
    "lastModifiedUtc": "2019-07-31T19:50:47.083633Z",
    "expirationDateUtc": "2019-12-01T19:50:47.083633Z",
    "state": "Enabled",
    "reason": "FalsePositive",
    "comment": "Test VM",
    "suppressionAlertsScope": {
      "allOf": [
        {
          "field": "entities.ip.address",
          "in": [
            "104.215.95.187",
            "52.164.206.56"
          ]
        },
        {
          "field": "entities.process.commandline",
          "contains": "POWERSHELL.EXE"
        }
      ]
    }
  }
}

Definitioner

Name	Description
AlertsSuppressionRule	Beskriver undertryckningsregeln
CloudError	Vanligt felsvar för alla Azure Resource Manager-API:er för att returnera felinformation för misslyckade åtgärder. (Detta följer även formatet för OData-felsvar.).
CloudErrorBody	Felinformationen.
ErrorAdditionalInfo	Ytterligare information om resurshanteringsfelet.
RuleState	Möjliga tillstånd för regeln
ScopeElement	Ett mer specifikt omfång som används för att identifiera aviseringarna som ska ignoreras.
SuppressionAlertsScope

AlertsSuppressionRule

Objekt

Beskriver undertryckningsregeln

Name	Typ	Description
id	string	Resurs-ID
name	string	Resursnamn
properties.alertType	string	Typ av avisering som ska ignoreras automatiskt. Använd *för alla aviseringstyper
properties.comment	string	Eventuella kommentarer om regeln
properties.expirationDateUtc	string (date-time)	Förfallodatum för regeln, om värdet inte anges eller anges som null kommer det inte att upphöra att gälla alls
properties.lastModifiedUtc	string (date-time)	Senaste gången den här regeln ändrades
properties.reason	string	Anledningen till att avvisa aviseringen
properties.state	RuleState	Möjliga tillstånd för regeln
properties.suppressionAlertsScope	SuppressionAlertsScope	Undertryckningsvillkoren
type	string	Resurstyp

CloudError

Objekt

Vanligt felsvar för alla Azure Resource Manager-API:er för att returnera felinformation för misslyckade åtgärder. (Detta följer även formatet för OData-felsvar.).

Name	Typ	Description
error.additionalInfo	ErrorAdditionalInfo[]	Ytterligare information om felet.
error.code	string	Felkoden.
error.details	CloudErrorBody[]	Felinformationen.
error.message	string	Felmeddelandet.
error.target	string	Felmålet.

CloudErrorBody

Objekt

Felinformationen.

Name	Typ	Description
additionalInfo	ErrorAdditionalInfo[]	Ytterligare information om felet.
code	string	Felkoden.
details	CloudErrorBody[]	Felinformationen.
message	string	Felmeddelandet.
target	string	Felmålet.

ErrorAdditionalInfo

Objekt

Ytterligare information om resurshanteringsfelet.

Name	Typ	Description
info	object	Ytterligare information.
type	string	Ytterligare informationstyp.

RuleState

Uppräkning

Möjliga tillstånd för regeln

Värde	Description
Disabled
Enabled
Expired

ScopeElement

Objekt

Ett mer specifikt omfång som används för att identifiera aviseringarna som ska ignoreras.

Name	Typ	Description
field	string	Den aviseringsentitetstyp som ska ignoreras av.

SuppressionAlertsScope

Objekt

Name	Typ	Description
allOf	ScopeElement[]	Alla villkor inuti måste vara sanna för att förhindra aviseringen