I'm trying to add an IP suppression rule to our Microsoft Defender mail notifications, using the CLI.
I can add the rule just fine with:
az security alerts-suppression-rule update --rule-name TestRule --alert-type "SQL.DB_GeoAnomaly" --reason "Other" --state "Enabled" --subscription "xxxxxxx"
But when trying to add the IP address I get stuck on NotFound errors.
az security alerts-suppression-rule upsert_scope --field "entities.ip.address" --contains-substring "xxx.x.x.xxx" --rule-name TestRule
I have found no examples on Google where this is done. The Microsoft docs give the following as an example, but there is no info on how to do it with IP addresses.
az security alerts-suppression-rule upsert_scope --field "entities.process.commandline" --contains-substring "example" --rule-name RuleName
Microsoft documentation: https://learn.microsoft.com/en-us/cli/azure/security/alerts-suppression-rule?view=azure-cli-latest
Some other documentation I found: https://www.azadvertizer.net/azpolicyadvertizer/80e94a21-c6cd-4c95-a2c7-beb5704e61c0.html
It's a known MS bug, so nothing can be done right now except perhaps using curl instead.
https://github.com/Azure/azure-cli/issues/22769
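The answer suggests bypassing the broken `upsert_scope` subcommand and calling the REST API directly. The script below is an added example, not part of the question or the answer above, of doing exactly that with `az rest` (which reuses the `az login` token, so no manual curl/bearer handling). It assumes the Microsoft.Security/alertsSuppressionRules endpoint with api-version 2019-01-01-preview and a scope element of the form {"field": "entities.ip.address", "contains": "..."}, as documented in the Defender for Cloud REST reference; the subscription id, rule name and IP values are placeholders to be replaced. The body is built from the same alert type and reason used in the question, and the IP substring is validated before it is interpolated so that a stray quote cannot alter the JSON.

```shell
#!/bin/sh
# Added example: create or update a Defender for Cloud alert suppression rule
# scoped to an IP address via the REST API instead of `upsert_scope`.
# Assumptions: Microsoft.Security/alertsSuppressionRules, api-version
# 2019-01-01-preview, and the scope element shape {"field":..., "contains":...}.

# Build the ARM URI for a rule. $1 = subscription id, $2 = rule name.
build_rule_uri() {
  printf 'https://management.azure.com/subscriptions/%s/providers/Microsoft.Security/alertsSuppressionRules/%s?api-version=2019-01-01-preview' "$1" "$2"
}

# Build the PUT body. $1 = alert type, $2 = reason, $3 = IP substring to match.
# The rule is enabled and scoped to alerts whose entities.ip.address contains $3.
build_rule_body() {
  printf '{"properties":{"alertType":"%s","reason":"%s","state":"Enabled","suppressionAlertsScope":{"allOf":[{"field":"entities.ip.address","contains":"%s"}]}}}' "$1" "$2" "$3"
}

# Only digits and dots are allowed in the IP substring, so user input cannot
# break out of the JSON string above (returns non-zero on anything else).
validate_ip_substring() {
  case "$1" in
    ''|*[!0-9.]*) return 1 ;;
    *) return 0 ;;
  esac
}

# PUT the rule. $1 = subscription id, $2 = rule name, $3 = alert type,
# $4 = reason, $5 = IP substring. Requires a prior `az login`.
put_rule() {
  validate_ip_substring "$5" || { echo "invalid IP substring: $5" >&2; return 2; }
  az rest --method put \
    --uri "$(build_rule_uri "$1" "$2")" \
    --headers "Content-Type=application/json" \
    --body "$(build_rule_body "$3" "$4" "$5")"
}

# Usage (placeholders): ./suppress_ip.sh <subscription-id> TestRule SQL.DB_GeoAnomaly Other 203.0.113.7
if [ "$#" -eq 5 ]; then
  put_rule "$@"
fi
```

Afterwards, `az security alerts-suppression-rule show --rule-name TestRule` (or a GET on the same URI) should return the rule with the `suppressionAlertsScope` populated, which is the quickest way to confirm the scope actually landed.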