Alerts Suppression Rules - Update

Updates an existing rule, or creates a new rule if it does not exist.

PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/alertsSuppressionRules/{alertsSuppressionRuleName}?api-version=2019-01-01-preview

URI Parameters

Name | In | Required | Type | Description
alertsSuppressionRuleName | path | True | string | The unique name of the suppression alert rule
subscriptionId | path | True | string | Azure subscription ID. Regex pattern: ^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$
api-version | query | True | string | API version for the operation

Request Body

Name | Required | Type | Description
properties.alertType | True | string | Type of the alert to automatically suppress. For all alert types, use '*'
properties.reason | True | string | The reason for dismissing the alert
properties.state | True | RuleState | Possible states of the rule
properties.comment | | string | Any comment regarding the rule
properties.expirationDateUtc | | string | Expiration date of the rule. If the value is not provided, or is provided as null, this field defaults to the maximum allowed expiration date.
properties.suppressionAlertsScope | | SuppressionAlertsScope | The suppression conditions

Responses

Name | Type | Description
200 OK | AlertsSuppressionRule | OK
Other Status Codes | CloudError | Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name | Description
user_impersonation | impersonate your user account

Examples

Update or create suppression rule for subscription

Sample Request

PUT https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts?api-version=2019-01-01-preview

{
  "properties": {
    "alertType": "IpAnomaly",
    "expirationDateUtc": "2019-12-01T19:50:47.083633Z",
    "state": "Enabled",
    "reason": "FalsePositive",
    "comment": "Test VM",
    "suppressionAlertsScope": {
      "allOf": [
        {
          "field": "entities.ip.address",
          "in": [
            "104.215.95.187",
            "52.164.206.56"
          ]
        },
        {
          "field": "entities.process.commandline",
          "contains": "POWERSHELL.EXE"
        }
      ]
    }
  }
}

Sample Response

{
  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts",
  "name": "dismissIpAnomalyAlerts",
  "type": "Microsoft.Security/alertsSuppressionRules",
  "properties": {
    "alertType": "IpAnomaly",
    "lastModifiedUtc": "2019-07-31T19:50:47.083633Z",
    "expirationDateUtc": "2019-12-01T19:50:47.083633Z",
    "state": "Enabled",
    "reason": "FalsePositive",
    "comment": "Test VM",
    "suppressionAlertsScope": {
      "allOf": [
        {
          "field": "entities.ip.address",
          "in": [
            "104.215.95.187",
            "52.164.206.56"
          ]
        },
        {
          "field": "entities.process.commandline",
          "contains": "POWERSHELL.EXE"
        }
      ]
    }
  }
}

Definitions

Name | Description
AlertsSuppressionRule | Describes the suppression rule
CloudError | Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.)
CloudErrorBody | The error detail.
ErrorAdditionalInfo | The resource management error additional info.
RuleState | Possible states of the rule
ScopeElement | A more specific scope used to identify the alerts to suppress.
SuppressionAlertsScope | The suppression conditions

AlertsSuppressionRule

Describes the suppression rule

Name | Type | Description
id | string | Resource Id
name | string | Resource name
properties.alertType | string | Type of the alert to automatically suppress. For all alert types, use '*'
properties.comment | string | Any comment regarding the rule
properties.expirationDateUtc | string | Expiration date of the rule. If the value is not provided, or is provided as null, this field defaults to the maximum allowed expiration date.
properties.lastModifiedUtc | string | The last time this rule was modified
properties.reason | string | The reason for dismissing the alert
properties.state | RuleState | Possible states of the rule
properties.suppressionAlertsScope | SuppressionAlertsScope | The suppression conditions
type | string | Resource type

CloudError

Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.)

Name | Type | Description
error.additionalInfo | ErrorAdditionalInfo[] | The error additional info.
error.code | string | The error code.
error.details | CloudErrorBody[] | The error details.
error.message | string | The error message.
error.target | string | The error target.

CloudErrorBody

The error detail.

Name | Type | Description
additionalInfo | ErrorAdditionalInfo[] | The error additional info.
code | string | The error code.
details | CloudErrorBody[] | The error details.
message | string | The error message.
target | string | The error target.

ErrorAdditionalInfo

The resource management error additional info.

Name | Type | Description
info | object | The additional info.
type | string | The additional info type.

RuleState

Possible states of the rule

Name | Type | Description
Disabled | string |
Enabled | string |
Expired | string |

ScopeElement

A more specific scope used to identify the alerts to suppress.

Name | Type | Description
field | string | The alert entity type to suppress by.

SuppressionAlertsScope

Name | Type | Description
allOf | ScopeElement[] | All the conditions inside need to be true in order to suppress the alert
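As an added example (not code from this page or from Microsoft), the following Python evaluator applies a stored rule to an alert the way the documented fields describe: state must be Enabled, expirationDateUtc must not have passed, alertType must match ('*' matches every type), and every ScopeElement under allOf must hold. It is the kind of check a reviewer runs before approving a rule, to see which alerts it would hide. Assumptions not stated on the page: the 'field' path resolves against the alert's JSON, 'in' is membership, and 'contains' is a case-insensitive substring test; the page shows those two operators only in its sample.

```python
# Added example, not from the Azure docs page: decide whether a suppression
# rule (the page's sample, constructed below) would suppress a given alert.
from datetime import datetime

# Constructed: the page's sample PUT body, as the service would store it.
SAMPLE_RULE = {"properties": {
    "alertType": "IpAnomaly",
    "expirationDateUtc": "2019-12-01T19:50:47.083633Z",
    "state": "Enabled",
    "reason": "FalsePositive",
    "suppressionAlertsScope": {"allOf": [
        {"field": "entities.ip.address", "in": ["104.215.95.187", "52.164.206.56"]},
        {"field": "entities.process.commandline", "contains": "POWERSHELL.EXE"}]},
}}

# Constructed alert whose entity layout mirrors the scope's 'field' paths.
SAMPLE_ALERT = {"alertType": "IpAnomaly", "entities": {
    "ip": {"address": "52.164.206.56"},
    "process": {"commandline": "powershell.exe -File backup.ps1"}}}


def parse_utc(stamp: str) -> datetime:  # API timestamps use a trailing 'Z'
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def _get_field(alert: dict, dotted: str):
    """Resolve a dotted path like 'entities.ip.address'; None if absent."""
    node = alert
    for part in dotted.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def scope_matches(scope, alert: dict) -> bool:
    """allOf: every ScopeElement must hold; no scope matches every alert. 'in' is
    membership, 'contains' a case-insensitive substring (assumed from the sample)."""
    for element in (scope or {}).get("allOf", []):
        value = _get_field(alert, element["field"])
        if "in" in element and value not in element["in"]:
            return False
        if "contains" in element and element["contains"].lower() not in str(value or "").lower():
            return False
    return True

def rule_suppresses(rule: dict, alert: dict, now: datetime) -> bool:
    """True when the rule is Enabled, unexpired, and alertType and scope match."""
    props = rule["properties"]
    exp = props.get("expirationDateUtc")
    if props["state"] != "Enabled" or (exp and parse_utc(exp) <= now):
        return False  # only Enabled, not-yet-expired rules act
    if props["alertType"] not in ("*", alert["alertType"]):  # '*' = all alert types
        return False
    return scope_matches(props.get("suppressionAlertsScope"), alert)
```

A rule with alertType '*' and no suppressionAlertsScope passes every check for every alert, which is why such rules deserve scrutiny when they are created or updated through this operation.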