Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts previously identified as False Positives or too noisy to be in Production. This mechanism can be abused or mistakenly configured, resulting in defense evasions and loss of security visibility.
Rule type: query
Risk score: 21
Runs every: 5 minutes
Maximum alerts per execution: 100
- Continuous Monitoring
- Configuration Audit
Added (Elastic Stack release): 8.0.0
Rule authors: Austin Songer
Rule license: Elastic License v2
Suppression Rules can be created legitimately by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suppression Rules created by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
## Config The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
event.dataset:azure.activitylogs and azure.activitylogs.operation_name :"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and event.outcome: "success"