1

I have looked through some answers but have not found the right solution. Is there any way to dismiss alerts in Azure Security Center using the Microsoft Graph API or any other means? I don't want to suppress any rules; I just want to dismiss the alerts. I looked at some Microsoft documentation but did not manage to achieve this.

If anyone knows how to do this, please let me know.

Thanks!

4

2 Answers

1

Sure. Like most Azure services, Security Center has an API.

You are probably looking for the endpoint that sets the alert state to Dismissed.

answered 2020-07-20T19:59:35.827
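A concrete way to call that state-change endpoint from PowerShell, added here as an example and not code from either answer: it assumes the Az.Accounts module is installed and Connect-AzAccount has been run, uses Invoke-AzRestMethod so no bearer token has to be pasted, takes the ascLocation from the alert's own resource id, and supports a dry run so you can review what would be dismissed before changing anything.

```powershell
# Added example (not from the original answers). Dismisses Active alerts of one
# alertType in one subscription through the Microsoft.Security REST API.
# Assumes: Az.Accounts installed, Connect-AzAccount already run.
param(
    [string]$SubscriptionId = '<subscription-id>',   # placeholder
    [string]$AlertType = 'VM_AdaptiveApplicationControlWindowsViolationAudited',
    [switch]$DryRun                                   # report only, change nothing
)

$apiVersion = '2021-01-01'
$path = "/subscriptions/$SubscriptionId/providers/Microsoft.Security/alerts?api-version=$apiVersion"
$dismissed = @()   # resource ids of alerts we actually dismissed, for an audit trail

while ($path) {
    # Invoke-AzRestMethod signs the request with the current Az context
    $resp = Invoke-AzRestMethod -Path $path -Method GET
    if ($resp.StatusCode -ne 200) {
        throw "Listing alerts failed: HTTP $($resp.StatusCode) $($resp.Content)"
    }
    $page = $resp.Content | ConvertFrom-Json

    foreach ($alert in $page.value) {
        # Only touch Active alerts of the requested type
        if ($alert.properties.alertType -ne $AlertType -or
            $alert.properties.status -ne 'Active') { continue }

        # The alert id already has the form
        # /subscriptions/{sub}[/resourceGroups/{rg}]/providers/Microsoft.Security/locations/{ascLocation}/alerts/{name}
        # so the dismiss action is just that id plus /dismiss; no need to dig it out of alertUri.
        $dismissPath = "$($alert.id)/dismiss?api-version=$apiVersion"

        if ($DryRun) {
            Write-Host "[dry-run] would dismiss $($alert.name) ($($alert.properties.alertDisplayName))"
            continue
        }

        $r = Invoke-AzRestMethod -Path $dismissPath -Method POST
        if ($r.StatusCode -in 200, 204) {
            $dismissed += $alert.id
        } else {
            Write-Warning "Could not dismiss $($alert.name): HTTP $($r.StatusCode) $($r.Content)"
        }
    }

    # nextLink is an absolute URL; -Path wants only path and query, so strip the host
    $path = if ($page.nextLink) { ([uri]$page.nextLink).PathAndQuery } else { $null }
}

Write-Host "Dismissed $($dismissed.Count) alert(s) of type $AlertType in $SubscriptionId."
$dismissed   # emit the ids so the run can be logged or piped to a file
```

Run it once with -DryRun and keep the emitted ids with the change record; dismissing an alert hides it from the Defender for Cloud queue, so that list is the only evidence of what was cleared and why.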
0

I had to do this while tuning our Adaptive Application Control rules. The subscription was large, with several thousand alerts, so doing it by hand made no sense and I wrote the script below.

Calling the List method returns at most 100 results at a time. If there are more than 100, the result from Invoke-RestMethod will contain a nextLink property, which lets you query the next page of results.

This script lets you dismiss security alerts in Microsoft Defender for Cloud by alertType within a subscription:

# Get a token by going to https://resources.azure.com/api/token?plaintext=true. This assumes you're logged in via Azure Portal.
# (Since Connect-AzAccount is run below, (Get-AzAccessToken -ResourceUrl 'https://management.azure.com/').Token works too.)
$token = '<yourtokenhere>'

Connect-AzAccount

# Get all the subscriptions
$subs = Get-AzSubscription

# Get the subscription Id for the sub you want
$sub = $subs | Where-Object {$_.Name -eq '<yoursubscriptionnamehere>'}
$subId = $sub.Id

# Set the URL we're going to iteratively call to go through all the alerts
$getAlertsUri = "https://management.azure.com/subscriptions/$subId/providers/Microsoft.Security/alerts?api-version=2021-01-01"

# Set the URL we're going to call to dismiss an alert
$dismissAlertUri = "https://management.azure.com/subscriptions/$subId/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss?api-version=2021-01-01"

# Set the headers for this call
$Headers = @{"Authorization" = "Bearer $token"}

# The alertType we want to dismiss. This can be found by querying a sample set and checking the alertType value
$alertTypeToDismiss = 'VM_AdaptiveApplicationControlWindowsViolationAudited'

$dismissedCount = 0

# Loop through pages. nextLink is absent ($null) on the last page, and $null -ne '' is true in
# PowerShell, so test for null-or-empty rather than -ne '' to avoid one extra failing call.
while (-not [string]::IsNullOrEmpty($getAlertsUri)) {
    try {

        # Get the current page of results
        $result = Invoke-RestMethod -Uri $getAlertsUri -Method Get -Headers $Headers
        $allAlerts = @($result.value)   # @() so .Count works even when the page has one alert

        # Set the next call's URI to the nextLink property from the results (if it exists)
        $getAlertsUri = $result.nextLink
        $totalAlerts = $allAlerts.Count

        Write-Host "Query returned $totalAlerts rows." -ForegroundColor Blue

        # Filter only those alerts we want to dismiss, i.e. Active alerts for the specified alertType
        $alertsToDismiss = @($allAlerts | Where-Object {$_.properties.alertType -eq $alertTypeToDismiss -and $_.properties.status -eq 'Active'})
        $resultCount = $alertsToDismiss.Count

        Write-Host "Dismissing $resultCount where the alertType is $alertTypeToDismiss..." -ForegroundColor Green

        foreach($alertToDismiss in $alertsToDismiss)
        {
            $alertName = $alertToDismiss.name
            Write-Host "Dismissing $alertName..."

            # Find the location from the last segment of alertUri... dunno why it isn't a property
            # (the alert's id also carries it, as /locations/{ascLocation}/alerts/{alertName})
            $location = $alertToDismiss.properties.alertUri.Split('/')[-1]
            $dismissAlertUriForThisAlert = $dismissAlertUri.Replace("{alertName}", $alertToDismiss.Name).Replace("{ascLocation}", $location)

            try {
                # Dismiss the alert (POST, no body; the API returns 204 No Content on success)
                Invoke-RestMethod -Uri $dismissAlertUriForThisAlert -Method Post -Headers $Headers
                $dismissedCount++
            }
            catch {
                Write-Host "Couldn't dismiss $alertName. $($_.Exception.Message)" -ForegroundColor Red
            }

        }
    }
    catch {
        # Report why the listing failed (expired token, missing permission, ...) and stop paging
        Write-Host "Failed to list alerts: $($_.Exception.Message)" -ForegroundColor Red
        break
    }
}

$subName = $sub.Name
Write-Host "Dismissed $dismissedCount alerts of type $alertTypeToDismiss for subscription $subName." -ForegroundColor Green
answered 2022-03-04T12:20:47.987