celloza/Dismiss-AzSecurityAlertByTypeInSubscription.ps1

## Dismiss-AzSecurityAlertByTypeInSubscription.ps1
<#
.Synopsis
   Dismisses Microsoft Defender for Cloud Security Alerts in bulk.
.DESCRIPTION
   This script iterates over results from the Azure Management API for Microsoft Defender for Cloud Security alerts, and takes the relevant action (usually to dismiss). It was
   created in order to dismiss thousands of Adaptive Application Control policy violations while the policy was being tuned to no longer show false positives.
.INPUTS
   Manually set in the script.
.OUTPUTS
   Host output with the results of what has happened.
.NOTES
   This process is not entirely automated. It requires you to get a token manually and inject it below, and also specify the subscription name on which you'd like to run this
   process. Future development possibility is to create a service principal, assign it a token, and then reuse the token below rather than rely on getting it manually every x
   couple of minutes.
#>

# Get a token by going to https://resources.azure.com/api/token?plaintext=true. This assumes you're logged in via Azure Portal
$token = '<insert token here>'

Connect-AzAccount

# Get all the subscriptions
$subs = Get-AzSubscription

# Get the subscription Id for the sub you want
$sub = $subs | Where-Object {$_.Name -eq '<insert sub name here>'}
$subId = $sub.Id

# Set the URL we're going iteratively call to go through all the alerts
$getAlertsUri = "https://management.azure.com/subscriptions/$subId/providers/Microsoft.Security/alerts?api-version=2021-01-01"

# Set the URL we're going to call to dismiss an alert
$dismissAlertUri = "https://management.azure.com/subscriptions/$subId/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss?api-version=2021-01-01"

# Set the headers for this call
$Headers = @{"Authorization" = "Bearer $token"}

# The alertType we want to dismiss. This can be found by querying a sample set, and checking the alertType value
# Windows: VM_AdaptiveApplicationControlWindowsViolationAudited
# Linux: VM_AdaptiveApplicationControlLinuxViolationAudited
# For extra kudos, modify the script to accept n number of alertTypes, and dismiss them all
$alertTypeToDismiss = 'VM_AdaptiveApplicationControlLinuxViolationAudited'

$dismissedCount = 0

# Loop through pages
while ($null -ne $getAlertsUri) {
    try {

        # Get the first page of results
        $result = Invoke-RestMethod -Uri $getAlertsUri -Method Get -Headers $Headers
        $allAlerts = $result.value

        # Set the next call's URI to the nextLink property from the results (if it exists)
        $getAlertsUri = $result.nextLink
        $totalAlerts = $allAlerts.Count

        Write-Host "Query returned $totalAlerts rows." -ForegroundColor Blue

        # Filter only those alerts we want to dismiss, i.e. Active alerts for the specified alertType
        $alertsToDismiss = $result.value | Where-Object {$_.properties.alertType -eq $alertTypeToDismiss -and $_.properties.status -eq 'Active'}
        $resultCount = $alertsToDismiss.Count

        Write-Host "Dismissing $resultCount where the alertType is $alertTypeToDismiss..." -ForegroundColor Green

        foreach($alertToDismiss in $alertsToDismiss)
        {
            $alertName = $alertToDismiss.name
            Write-Host "Dismissing $alertName..."

            # Find the location from the alertUri... dunno why it isn't a property
            $location = $alertToDismiss.properties.alertUri.Split('/')[-1]
            $dismissAlertUriForThisAlert = $dismissAlertUri.Replace("{alertName}", $alertToDismiss.Name).Replace("{ascLocation}", $location)

            try {
                # Dismiss the alert
                Invoke-RestMethod -Uri $dismissAlertUriForThisAlert -Method Post -Headers $Headers
                $dismissedCount++
            }
            catch {
                Write-Host "Couldn't dismiss $alertName." -ForegroundColor Red
            }

        }
    }
    catch {
        Write-Host "Error while processing: " $Error[0] -ForegroundColor Red
        exit
    }
}

$subName = $sub.Name
Write-Host "Dismissed $dismissedCount alerts of type $alertTypeToDismiss for subscription $subName." -ForegroundColor Green
	<#
	.Synopsis
	Dismisses Microsoft Defender for Cloud Security Alerts in bulk.
	.DESCRIPTION
	This script iterates over results from the Azure Management API for Microsoft Defender for Cloud Security alerts, and takes the relevant action (usually to dismiss). It was
	created in order to dismiss thousands of Adaptive Application Control policy violations while the policy was being tuned to no longer show false positives.
	.INPUTS
	Manually set in the script.
	.OUTPUTS
	Host output with the results of what has happened.
	.NOTES
	This process is not entirely automated. It requires you to get a token manually and inject it below, and also specify the subscription name on which you'd like to run this
	process. Future development possibility is to create a service principal, assign it a token, and then reuse the token below rather than rely on getting it manually every x
	couple of minutes.
	#>

	# Get a token by going to https://resources.azure.com/api/token?plaintext=true. This assumes you're logged in via Azure Portal
	$token = '<insert token here>'

	Connect-AzAccount

	# Get all the subscriptions
	$subs = Get-AzSubscription

	# Get the subscription Id for the sub you want
	$sub = $subs \| Where-Object {$_.Name -eq '<insert sub name here>'}
	$subId = $sub.Id

	# Set the URL we're going iteratively call to go through all the alerts
	$getAlertsUri = "https://management.azure.com/subscriptions/$subId/providers/Microsoft.Security/alerts?api-version=2021-01-01"

	# Set the URL we're going to call to dismiss an alert
	$dismissAlertUri = "https://management.azure.com/subscriptions/$subId/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss?api-version=2021-01-01"

	# Set the headers for this call
	$Headers = @{"Authorization" = "Bearer $token"}

	# The alertType we want to dismiss. This can be found by querying a sample set, and checking the alertType value
	# Windows: VM_AdaptiveApplicationControlWindowsViolationAudited
	# Linux: VM_AdaptiveApplicationControlLinuxViolationAudited
	# For extra kudos, modify the script to accept n number of alertTypes, and dismiss them all
	$alertTypeToDismiss = 'VM_AdaptiveApplicationControlLinuxViolationAudited'

	$dismissedCount = 0

	# Loop through pages
	while ($null -ne $getAlertsUri) {
	try {

	# Get the first page of results
	$result = Invoke-RestMethod -Uri $getAlertsUri -Method Get -Headers $Headers
	$allAlerts = $result.value

	# Set the next call's URI to the nextLink property from the results (if it exists)
	$getAlertsUri = $result.nextLink
	$totalAlerts = $allAlerts.Count

	Write-Host "Query returned $totalAlerts rows." -ForegroundColor Blue

	# Filter only those alerts we want to dismiss, i.e. Active alerts for the specified alertType
	$alertsToDismiss = $result.value \| Where-Object {$_.properties.alertType -eq $alertTypeToDismiss -and $_.properties.status -eq 'Active'}
	$resultCount = $alertsToDismiss.Count

	Write-Host "Dismissing $resultCount where the alertType is $alertTypeToDismiss..." -ForegroundColor Green

	foreach($alertToDismiss in $alertsToDismiss)
	{
	$alertName = $alertToDismiss.name
	Write-Host "Dismissing $alertName..."

	# Find the location from the alertUri... dunno why it isn't a property
	$location = $alertToDismiss.properties.alertUri.Split('/')[-1]
	$dismissAlertUriForThisAlert = $dismissAlertUri.Replace("{alertName}", $alertToDismiss.Name).Replace("{ascLocation}", $location)

	try {
	# Dismiss the alert
	Invoke-RestMethod -Uri $dismissAlertUriForThisAlert -Method Post -Headers $Headers
	$dismissedCount++
	}
	catch {
	Write-Host "Couldn't dismiss $alertName." -ForegroundColor Red
	}

	}
	}
	catch {
	Write-Host "Error while processing: " $Error[0] -ForegroundColor Red
	exit
	}
	}

	$subName = $sub.Name
	Write-Host "Dismissed $dismissedCount alerts of type $alertTypeToDismiss for subscription $subName." -ForegroundColor Green