你当前正在访问 Microsoft Azure Global Edition 技术文档网站。如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站，请访问 https://docs.azure.cn。

Alerts Suppression Rules - Update

参考

Service:: Defender for Cloud

API Version:: 2019-01-01-preview

更新现有规则或创建新规则（如果不存在）

PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/alertsSuppressionRules/{alertsSuppressionRuleName}?api-version=2019-01-01-preview

URI 参数

名称在必需类型说明

名称	在	必需	类型	说明
alertsSuppressionRuleName	path	True	string	抑制警报规则的唯一名称
subscriptionId	path	True	string	Azure 订阅 ID Regex pattern: `^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$`
api-version	query	True	string	操作的 API 版本

alertsSuppressionRuleName

path

True

string

抑制警报规则的唯一名称

subscriptionId

path

True

string

Azure 订阅 ID

Regex pattern: ^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$

api-version

query

True

string

操作的 API 版本

请求正文

名称	必需	类型	说明
properties.alertType	True	string	要自动取消的警报的类型。对于所有警报类型，请使用“*”
properties.reason	True	string	消除警报的原因
properties.state	True	RuleState	规则的可能状态
properties.comment		string	有关规则的任何注释
properties.expirationDateUtc		string	规则的到期日期，如果未提供或提供值为 null，则根本不会过期
properties.suppressionAlertsScope		SuppressionAlertsScope	抑制条件

响应

名称	类型	说明
200 OK	AlertsSuppressionRule	确定
Other Status Codes	CloudError	描述操作失败原因的错误响应。

安全性

azure_auth

Azure Active Directory OAuth2 流

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

名称	说明
user_impersonation	模拟用户帐户

示例

Update or create suppression rule for subscription

Sample Request

PUT https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts?api-version=2019-01-01-preview

{
  "properties": {
    "alertType": "IpAnomaly",
    "expirationDateUtc": "2019-12-01T19:50:47.083633Z",
    "state": "Enabled",
    "reason": "FalsePositive",
    "comment": "Test VM",
    "suppressionAlertsScope": {
      "allOf": [
        {
          "field": "entities.ip.address",
          "in": [
            "104.215.95.187",
            "52.164.206.56"
          ]
        },
        {
          "field": "entities.process.commandline",
          "contains": "POWERSHELL.EXE"
        }
      ]
    }
  }
}


import com.azure.core.management.serializer.SerializerFactory;
import com.azure.core.util.serializer.SerializerEncoding;
import com.azure.resourcemanager.security.fluent.models.AlertsSuppressionRuleInner;
import com.azure.resourcemanager.security.models.RuleState;
import com.azure.resourcemanager.security.models.ScopeElement;
import com.azure.resourcemanager.security.models.SuppressionAlertsScope;
import java.io.IOException;
import java.time.OffsetDateTime;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/**
 * Samples for AlertsSuppressionRules Update.
 */
public final class Main {
    /*
     * x-ms-original-file:
     * specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/
     * AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
     */
    /**
     * Sample code: Update or create suppression rule for subscription.
     * 
     * @param manager Entry point to SecurityManager.
     */
    public static void updateOrCreateSuppressionRuleForSubscription(
        com.azure.resourcemanager.security.SecurityManager manager) throws IOException {
        manager.alertsSuppressionRules().updateWithResponse("dismissIpAnomalyAlerts",
            new AlertsSuppressionRuleInner().withAlertType("IpAnomaly")
                .withExpirationDateUtc(OffsetDateTime.parse("2019-12-01T19:50:47.083633Z")).withReason("FalsePositive")
                .withState(RuleState.ENABLED).withComment("Test VM")
                .withSuppressionAlertsScope(new SuppressionAlertsScope().withAllOf(Arrays.asList(
                    new ScopeElement().withField("entities.ip.address")
                        .withAdditionalProperties(mapOf("in",
                            SerializerFactory.createDefaultManagementSerializerAdapter().deserialize(
                                "[\"104.215.95.187\",\"52.164.206.56\"]", Object.class, SerializerEncoding.JSON))),
                    new ScopeElement().withField("entities.process.commandline")
                        .withAdditionalProperties(mapOf("contains", "POWERSHELL.EXE"))))),
            com.azure.core.util.Context.NONE);
    }

    // Use "Map.of" if available
    @SuppressWarnings("unchecked")
    private static <T> Map<String, T> mapOf(Object... inputs) {
        Map<String, T> map = new HashMap<>();
        for (int i = 0; i < inputs.length; i += 2) {
            String key = (String) inputs[i];
            T value = (T) inputs[i + 1];
            map.put(key, value);
        }
        return map;
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armsecurity_test

import (
	"context"
	"log"

	"time"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/b43974e07d3204c4b6f8396627f5430994a7f7c9/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
func ExampleAlertsSuppressionRulesClient_Update() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armsecurity.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewAlertsSuppressionRulesClient().Update(ctx, "dismissIpAnomalyAlerts", armsecurity.AlertsSuppressionRule{
		Properties: &armsecurity.AlertsSuppressionRuleProperties{
			AlertType:         to.Ptr("IpAnomaly"),
			Comment:           to.Ptr("Test VM"),
			ExpirationDateUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2019-12-01T19:50:47.083Z"); return t }()),
			Reason:            to.Ptr("FalsePositive"),
			State:             to.Ptr(armsecurity.RuleStateEnabled),
			SuppressionAlertsScope: &armsecurity.SuppressionAlertsScope{
				AllOf: []*armsecurity.ScopeElement{
					{
						AdditionalProperties: map[string]any{
							"in": []any{
								"104.215.95.187",
								"52.164.206.56",
							},
						},
						Field: to.Ptr("entities.ip.address"),
					},
					{
						AdditionalProperties: map[string]any{
							"contains": "POWERSHELL.EXE",
						},
						Field: to.Ptr("entities.process.commandline"),
					}},
			},
		},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.AlertsSuppressionRule = armsecurity.AlertsSuppressionRule{
	// 	Name: to.Ptr("dismissIpAnomalyAlerts"),
	// 	Type: to.Ptr("Microsoft.Security/alertsSuppressionRules"),
	// 	ID: to.Ptr("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts"),
	// 	Properties: &armsecurity.AlertsSuppressionRuleProperties{
	// 		AlertType: to.Ptr("IpAnomaly"),
	// 		Comment: to.Ptr("Test VM"),
	// 		ExpirationDateUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2019-12-01T19:50:47.083Z"); return t}()),
	// 		LastModifiedUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2019-07-31T19:50:47.083Z"); return t}()),
	// 		Reason: to.Ptr("FalsePositive"),
	// 		State: to.Ptr(armsecurity.RuleStateEnabled),
	// 		SuppressionAlertsScope: &armsecurity.SuppressionAlertsScope{
	// 			AllOf: []*armsecurity.ScopeElement{
	// 				{
	// 					AdditionalProperties: map[string]any{
	// 						"in": []any{
	// 							"104.215.95.187",
	// 							"52.164.206.56",
	// 						},
	// 					},
	// 					Field: to.Ptr("entities.ip.address"),
	// 				},
	// 				{
	// 					AdditionalProperties: map[string]any{
	// 						"contains": "POWERSHELL.EXE",
	// 					},
	// 					Field: to.Ptr("entities.process.commandline"),
	// 			}},
	// 		},
	// 	},
	// }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { SecurityCenter } = require("@azure/arm-security");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Update existing rule or create new rule if it doesn't exist
 *
 * @summary Update existing rule or create new rule if it doesn't exist
 * x-ms-original-file: specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
 */
async function updateOrCreateSuppressionRuleForSubscription() {
  const subscriptionId =
    process.env["SECURITY_SUBSCRIPTION_ID"] || "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
  const alertsSuppressionRuleName = "dismissIpAnomalyAlerts";
  const alertsSuppressionRule = {
    alertType: "IpAnomaly",
    comment: "Test VM",
    expirationDateUtc: new Date("2019-12-01T19:50:47.083633Z"),
    reason: "FalsePositive",
    state: "Enabled",
    suppressionAlertsScope: {
      allOf: [{ field: "entities.ip.address" }, { field: "entities.process.commandline" }],
    },
  };
  const credential = new DefaultAzureCredential();
  const client = new SecurityCenter(credential, subscriptionId);
  const result = await client.alertsSuppressionRules.update(
    alertsSuppressionRuleName,
    alertsSuppressionRule
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.SecurityCenter;
using Azure.ResourceManager.SecurityCenter.Models;

// Generated from example definition: specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
// this example is just showing the usage of "AlertsSuppressionRules_Update" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this SecurityAlertsSuppressionRuleResource created on azure
// for more information of creating SecurityAlertsSuppressionRuleResource, please refer to the document of SecurityAlertsSuppressionRuleResource
string subscriptionId = "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
string alertsSuppressionRuleName = "dismissIpAnomalyAlerts";
ResourceIdentifier securityAlertsSuppressionRuleResourceId = SecurityAlertsSuppressionRuleResource.CreateResourceIdentifier(subscriptionId, alertsSuppressionRuleName);
SecurityAlertsSuppressionRuleResource securityAlertsSuppressionRule = client.GetSecurityAlertsSuppressionRuleResource(securityAlertsSuppressionRuleResourceId);

// invoke the operation
SecurityAlertsSuppressionRuleData data = new SecurityAlertsSuppressionRuleData()
{
    AlertType = "IpAnomaly",
    ExpireOn = DateTimeOffset.Parse("2019-12-01T19:50:47.083633Z"),
    Reason = "FalsePositive",
    State = SecurityAlertsSuppressionRuleState.Enabled,
    Comment = "Test VM",
    SuppressionAlertsScopeAllOf =
    {
    new SuppressionAlertsScopeElement()
    {
    Field = "entities.ip.address",
    },new SuppressionAlertsScopeElement()
    {
    Field = "entities.process.commandline",
    }
    },
};
ArmOperation<SecurityAlertsSuppressionRuleResource> lro = await securityAlertsSuppressionRule.UpdateAsync(WaitUntil.Completed, data);
SecurityAlertsSuppressionRuleResource result = lro.Value;

// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
SecurityAlertsSuppressionRuleData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample Response

Status code:: 200

{
  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts",
  "name": "dismissIpAnomalyAlerts",
  "type": "Microsoft.Security/alertsSuppressionRules",
  "properties": {
    "alertType": "IpAnomaly",
    "lastModifiedUtc": "2019-07-31T19:50:47.083633Z",
    "expirationDateUtc": "2019-12-01T19:50:47.083633Z",
    "state": "Enabled",
    "reason": "FalsePositive",
    "comment": "Test VM",
    "suppressionAlertsScope": {
      "allOf": [
        {
          "field": "entities.ip.address",
          "in": [
            "104.215.95.187",
            "52.164.206.56"
          ]
        },
        {
          "field": "entities.process.commandline",
          "contains": "POWERSHELL.EXE"
        }
      ]
    }
  }
}

定义

名称	说明
AlertsSuppressionRule	描述抑制规则
CloudError	对所有 Azure 资源管理器 API 的常见错误响应，可返回失败操作的错误详细信息。 (这也遵循 OData 错误响应格式.) 。
CloudErrorBody	错误详细信息。
ErrorAdditionalInfo	资源管理错误附加信息。
RuleState	规则的可能状态
ScopeElement	一个更具体的范围，用于标识要取消的警报。
SuppressionAlertsScope