Identifies the creation or modification of alert suppression rules in Azure (the query matches a successful write to alert suppression rules, which covers both). Suppression rules are a mechanism for suppressing alerts previously identified as false positives or too noisy to keep in production. This mechanism can be abused by an attacker, or misconfigured by an operator, to hide real alerts, resulting in defense evasion and loss of security visibility.
Rule type: query
Risk score: 21
Runs every: 5m
Maximum alerts per execution: 100
Tags:
- Domain: Cloud
- Data Source: Azure
- Use Case: Configuration Audit
- Tactic: Defense Evasion
Authors:
- Austin Songer
Rule license: Elastic License v2
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and event.outcome: "success"
Framework: MITRE ATT&CK
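To see what the query above actually matches, and what it silently does not, the following script evaluates each of its three clauses against a handful of constructed activity-log documents. This is an added illustration, not Elastic's detection engine or the Azure integration's code; the documents are hand-built in the ECS shape the Elastic Azure activity-logs integration emits, and the lenient case-folding variant is an assumption introduced here for comparison, not part of the published rule.

```python
"""Evaluate the rule's KQL predicate locally over constructed events.

Added illustration, not Elastic's code. Sample documents below are
constructed by hand, not captured telemetry.
"""
from typing import Iterable

RULE_OPERATION = "MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE"
RULE_DATASET = "azure.activitylogs"
MAX_ALERTS_PER_EXECUTION = 100  # from the rule metadata above


def get_field(event: dict, dotted: str):
    """Resolve a dotted ECS field name (e.g. 'event.outcome') in a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def rule_matches(event: dict) -> bool:
    """Literal translation of the query: all three clauses must hold.

    On keyword fields KQL compares the whole value exactly, so this is
    case-sensitive: an outcome of "Success" does not match "success".
    """
    return (
        get_field(event, "event.dataset") == RULE_DATASET
        and get_field(event, "azure.activitylogs.operation_name") == RULE_OPERATION
        and get_field(event, "event.outcome") == "success"
    )


def rule_matches_lenient(event: dict) -> bool:
    """Variant that folds case on event.outcome (an assumption made here for
    illustration, not part of the published rule). If this fires on your data
    and rule_matches does not, the ingest pipeline is emitting a
    capitalisation the deployed rule would miss."""
    outcome = get_field(event, "event.outcome")
    return (
        get_field(event, "event.dataset") == RULE_DATASET
        and get_field(event, "azure.activitylogs.operation_name") == RULE_OPERATION
        and isinstance(outcome, str)
        and outcome.lower() == "success"
    )


def run_rule(events: Iterable[dict], matcher=rule_matches) -> list:
    """Return event.id of every document that would alert, capped the way
    'Maximum alerts per execution: 100' caps a single rule run."""
    hits = [get_field(e, "event.id") for e in events if matcher(e)]
    return hits[:MAX_ALERTS_PER_EXECUTION]


def make_event(event_id: str, operation: str, outcome: str,
               dataset: str = RULE_DATASET) -> dict:
    """Build a minimal constructed activity-log document in ECS layout."""
    return {
        "event": {"id": event_id, "dataset": dataset, "outcome": outcome},
        "azure": {"activitylogs": {"operation_name": operation}},
    }


# Constructed sample documents (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Successful suppression-rule write: exactly what the rule is for.
    make_event("evt-1", RULE_OPERATION, "success"),
    # 2. Same operation but the write was denied: no loss of visibility.
    make_event("evt-2", RULE_OPERATION, "failure"),
    # 3. A different Microsoft.Security write: out of scope for this rule.
    make_event("evt-3", "MICROSOFT.SECURITY/PRICINGS/WRITE", "success"),
    # 4. Right operation string but wrong dataset: dropped by the first clause.
    make_event("evt-4", RULE_OPERATION, "success", dataset="azure.auditlogs"),
    # 5. Capitalised outcome: missed by the literal query, caught by the
    #    lenient variant. Verify which form your own pipeline produces.
    make_event("evt-5", RULE_OPERATION, "Success"),
]

if __name__ == "__main__":
    print("strict :", run_rule(SAMPLE_EVENTS))
    print("lenient:", run_rule(SAMPLE_EVENTS, rule_matches_lenient))
```

Before relying on the rule, run a query against your own index for the operation name alone and inspect the distinct values of event.outcome; the strict matcher above only alerts on the lowercase form, and a failed write (evt-2) is intentionally not an alert because no suppression took effect.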