I have looked through a number of answers but have not found a correct solution. Is there any way to dismiss alerts in Azure Security Center using the Microsoft Graph API or any other means? I do not want to suppress any rules; I only want to dismiss the alerts. I have gone through some of the Microsoft documentation but could not get it to work.
If anyone knows how to do this, please let me know.
Thanks!
I had to do this while tuning our adaptive application control rules. We have a large number of subscriptions, several thousand, so doing it by hand made no sense and I wrote the script below.
A call to the List method returns at most 100 results. If there are more than 100, the result from Invoke-RestMethod will contain a nextLink property that lets you query the next page of results.
This script lets you dismiss security alerts in Microsoft Defender for Cloud by alertType within a subscription:
Connect-AzAccount
# Get a bearer token for Azure Resource Manager from the signed-in context rather than
# pasting one into the script. (Recent Az.Accounts releases return the token as a
# SecureString; convert it with ConvertFrom-SecureString -AsPlainText if so.)
$token = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com/').Token
# Get all the subscriptions
$subs = Get-AzSubscription
# Get the subscription Id for the sub you want
$sub = $subs | Where-Object {$_.Name -eq '<yoursubscriptionnamehere>'}
$subId = $sub.Id
# Set the URL we're going to call iteratively to go through all the alerts
$getAlertsUri = "https://management.azure.com/subscriptions/$subId/providers/Microsoft.Security/alerts?api-version=2021-01-01"
# Set the URL template we're going to call to dismiss an alert
$dismissAlertUri = "https://management.azure.com/subscriptions/$subId/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss?api-version=2021-01-01"
# Set the headers for every call
$Headers = @{"Authorization" = "Bearer $token"}
# The alertType we want to dismiss. This can be found by querying a sample set and checking the alertType value
$alertTypeToDismiss = 'VM_AdaptiveApplicationControlWindowsViolationAudited'
$dismissedCount = 0
# Loop through pages until there is no nextLink (the last page has no nextLink, so the
# variable becomes $null; testing for an empty string alone would not end the loop)
while (-not [string]::IsNullOrEmpty($getAlertsUri)) {
    try {
        # Get the current page of results
        $result = Invoke-RestMethod -Uri $getAlertsUri -Method Get -Headers $Headers
        $allAlerts = $result.value
        # Set the next call's URI to the nextLink property from the results (absent on the last page)
        $getAlertsUri = $result.nextLink
        $totalAlerts = $allAlerts.Count
        Write-Host "Query returned $totalAlerts rows." -ForegroundColor Blue
        # Filter only those alerts we want to dismiss, i.e. Active alerts for the specified alertType
        $alertsToDismiss = $allAlerts | Where-Object {$_.properties.alertType -eq $alertTypeToDismiss -and $_.properties.status -eq 'Active'}
        $resultCount = $alertsToDismiss.Count
        Write-Host "Dismissing $resultCount where the alertType is $alertTypeToDismiss..." -ForegroundColor Green
        foreach ($alertToDismiss in $alertsToDismiss)
        {
            $alertName = $alertToDismiss.name
            Write-Host "Dismissing $alertName..."
            # The dismiss endpoint needs the ascLocation. It is not exposed as a top-level property,
            # but it is the last segment of the portal deep link in properties.alertUri
            $location = $alertToDismiss.properties.alertUri.Split('/')[-1]
            $dismissAlertUriForThisAlert = $dismissAlertUri.Replace("{alertName}", $alertName).Replace("{ascLocation}", $location)
            try {
                # Dismiss the alert
                Invoke-RestMethod -Uri $dismissAlertUriForThisAlert -Method Post -Headers $Headers | Out-Null
                $dismissedCount++
            }
            catch {
                Write-Host "Couldn't dismiss $alertName. $($_.Exception.Message)" -ForegroundColor Red
            }
        }
    }
    catch {
        # A failed list call (expired token, throttling, bad api-version) ends the run; report it
        Write-Host "Listing alerts failed: $($_.Exception.Message)" -ForegroundColor Red
        break
    }
}
$subName = $sub.Name
Write-Host "Dismissed $dismissedCount alerts of type $alertTypeToDismiss for subscription $subName." -ForegroundColor Green
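The answer above covers one subscription and stops on the first failed call. The script below is an added example, not the answer's own code, that generalises the same nextLink paging and dismiss flow: it walks every enabled subscription, backs off when Resource Manager answers HTTP 429, builds the dismiss URL from each alert's own resource id (so resource-group-scoped alerts are handled with the same code path), and supports -WhatIf so you can see what would be dismissed before anything changes. The function names (Invoke-ArmPagedGet, Get-ArmBearerToken) and the parameter names are this example's own; the alert type, API version and endpoints are the ones used in the answer. The SecureString handling around Get-AzAccessToken is an assumption about the installed Az.Accounts version, which is why it is done conditionally.

```powershell
#Requires -Modules Az.Accounts
# Added example: dismiss all Active alerts of one alertType across every enabled subscription.
# Run with -WhatIf first to list what would be dismissed without touching anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$AlertType  = 'VM_AdaptiveApplicationControlWindowsViolationAudited',
    [string]$ApiVersion = '2021-01-01',
    [int]$ThrottleWaitSeconds = 30   # assumed back-off for HTTP 429; ARM sends Retry-After, but its header
                                     # object differs between Windows PowerShell and PowerShell 7
)

# Get an ARM bearer token from the signed-in context. Newer Az.Accounts releases return a
# SecureString, older ones a plain string; handle both so the script is not tied to a version.
function Get-ArmBearerToken {
    $tok = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com/').Token
    if ($tok -is [securestring]) { $tok = [System.Net.NetworkCredential]::new('', $tok).Password }
    return $tok
}

# Stream every item of a paged ARM list: follow nextLink until the last page (which has none),
# and retry the same page after a pause when ARM throttles with 429 instead of aborting.
function Invoke-ArmPagedGet {
    param([Parameter(Mandatory)][string]$Uri, [Parameter(Mandatory)][hashtable]$Headers)
    while (-not [string]::IsNullOrEmpty($Uri)) {
        try {
            $page = Invoke-RestMethod -Uri $Uri -Method Get -Headers $Headers
        }
        catch {
            $resp = $_.Exception.Response
            if ($null -ne $resp -and [int]$resp.StatusCode -eq 429) {
                Write-Verbose "Throttled on $Uri, waiting $ThrottleWaitSeconds s"
                Start-Sleep -Seconds $ThrottleWaitSeconds
                continue          # same $Uri, so the page is re-requested rather than skipped
            }
            throw                 # anything else (401 expired token, 400 bad api-version) is fatal
        }
        foreach ($item in $page.value) { $item }
        $Uri = $page.nextLink
    }
}

Connect-AzAccount | Out-Null
$headers = @{ Authorization = "Bearer $(Get-ArmBearerToken)" }
$dismissed = 0
$failed    = 0

foreach ($sub in (Get-AzSubscription | Where-Object { $_.State -eq 'Enabled' })) {
    $listUri = "https://management.azure.com/subscriptions/$($sub.Id)/providers/Microsoft.Security/alerts?api-version=$ApiVersion"
    $targets = Invoke-ArmPagedGet -Uri $listUri -Headers $headers |
        Where-Object { $_.properties.alertType -eq $AlertType -and $_.properties.status -eq 'Active' }

    foreach ($alert in $targets) {
        # The alert's id already carries the scope and ascLocation
        # (/subscriptions/.../providers/Microsoft.Security/locations/<loc>/alerts/<name>),
        # so appending /dismiss gives the right endpoint at either subscription or resource-group scope.
        $dismissUri = "https://management.azure.com$($alert.id)/dismiss?api-version=$ApiVersion"
        if ($PSCmdlet.ShouldProcess("$($sub.Name): $($alert.name)", "Dismiss $AlertType alert")) {
            try {
                Invoke-RestMethod -Uri $dismissUri -Method Post -Headers $headers | Out-Null
                $dismissed++
            }
            catch {
                $failed++
                Write-Warning "Could not dismiss $($alert.name) in $($sub.Name): $($_.Exception.Message)"
            }
        }
    }
}

Write-Host "Dismissed $dismissed '$AlertType' alerts ($failed failures) across all enabled subscriptions." -ForegroundColor Green
```

Run it as `.\Dismiss-AscAlerts.ps1 -WhatIf -Verbose` first: ShouldProcess prints one "What if" line per alert and nothing is posted. Because the token is fetched once up front, a run over thousands of subscriptions can outlive the token's validity; if you see 401s part-way through, move the Get-ArmBearerToken call inside the subscription loop so each subscription gets a fresh token.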