az security alert update does not change status #20487

@harrisonsp

I am trying to dismiss a rather large number of the same low severity Microsoft Defender for Cloud Security alert. While that is certainly possible through the Azure portal, I'd rather not click through all 100+ pages of alerts manually to select and change the status of all of them (I've set up a suppression on that particular low severity alert so this doesn't happen again). But I still have a lot to deal with. Enter CLI.

I run az security alert list -g myRg --query [].name and grab one of the names returned.

I put the alert name into az security alert show -l "centralus" -g "myRg" -n "<alertName>". Command shows expected information about the alert, in particular "status": "Active"

I run az security alert update -l "centralus" -g "myRg" -n "<alertName>" --status "dismiss" --debug. Seems to run successfully, exit code is 0.

I run az security alert show -l "centralus" -g "myRg" -n "<alertName>". Still shows "status": "Active". Confusion ensues.

In the portal, I select that alert and change the status to "Dismissed" by hand.

I run az security alert show -l "centralus" -g "myRg" -n "<alertName>". Now shows "status": "Dismissed". Confusion ensues.

Doesn't matter which alert I do this for, same behavior exhibited every time.

az --version

azure-cli                         2.30.0

core                              2.30.0
telemetry                          1.0.6

Extensions:
aks-preview                       0.5.39
application-insights              0.1.14
azure-devops                      0.21.0
ssh                                0.1.8

I might try updating these alert statuses en masse through the REST API, but through the CLI seemed like the easier approach first.


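Because the update in the report exits 0 while the alert stays Active, a bulk run should confirm each change by reading the alert back instead of trusting the exit code. The script below is an added example, not code from the issue or from the Azure CLI project; it uses only the commands and flags shown in the post plus the global `-o tsv` output option, and the function names and the `LOCATION`/`RG` defaults are assumptions.

```bash
#!/usr/bin/env bash
# Added example: bulk-dismiss alerts and verify each one by reading it back.
# LOCATION and RG are placeholders; the function names are hypothetical.

LOCATION="${LOCATION:-centralus}"
RG="${RG:-myRg}"

# Print the current status of one alert (for example Active or Dismissed).
alert_status() {
  az security alert show -l "$LOCATION" -g "$RG" -n "$1" --query status -o tsv
}

# Dismiss one alert, then confirm the change by reading the alert back.
# Returns 0 only when the read-back status is "Dismissed",
# 1 when the update exited 0 but the status did not change,
# 2 when the update command itself failed.
dismiss_and_verify() {
  local name="$1" status
  if ! az security alert update -l "$LOCATION" -g "$RG" -n "$name" \
        --status dismiss >/dev/null; then
    echo "FAILED    $name (update returned non-zero)" >&2
    return 2
  fi
  status="$(alert_status "$name")"
  if [ "$status" != "Dismissed" ]; then
    echo "UNCHANGED $name (update exited 0, status is '$status')" >&2
    return 1
  fi
  echo "DISMISSED $name"
}

# Read alert names on stdin, one per line. Returns non-zero if any alert
# could not be confirmed as dismissed, so a pipeline or CI job fails loudly.
dismiss_all() {
  local name failures=0
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    dismiss_and_verify "$name" || failures=$((failures + 1))
  done
  echo "unconfirmed: $failures" >&2
  [ "$failures" -eq 0 ]
}

# Usage (left commented out so the file can be sourced safely):
# az security alert list -g "$RG" --query "[].name" -o tsv | dismiss_all
```

Alerts reported as UNCHANGED are the ones exhibiting the behaviour described in this issue and still need to be handled another way.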
