Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts previously identified as false positives or too noisy to be in production. This mechanism can be abused or mistakenly configured, resulting in defense evasion and loss of security visibility.
Rule type: query
Risk score: 21
Runs every: 5m
Maximum alerts per execution: 100
Tags:
- Continuous Monitoring
- Configuration Audit
Rule authors:
- Austin Songer
Rule license: Elastic License v2
## Config

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Rule query:

```
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and event.outcome:"success"
```
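As an added example (not part of the Elastic rule or its documentation), the Python below re-implements the query's three clauses and runs them over constructed azure.activitylogs events: a successful write, a failed write, a delete, and a mixed-case operation name that an exact keyword match would not fire on. The user.name and azure.resource.id fields used for triage are assumptions about what the ingest pipeline populates.

```python
from typing import Iterable, List

RULE_DATASET = "azure.activitylogs"
RULE_OPERATION = "MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE"

def get_field(event: dict, path: str, default=None):
    """Walk a dotted ECS path such as 'azure.activitylogs.operation_name' through nested dicts."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def matches_rule(event: dict) -> bool:
    """Mirror the rule's three KQL clauses. operation_name and event.outcome are keyword
    fields, so KQL matches them exactly and case-sensitively; this check is exact too, so a
    pipeline that does not upper-case operation_name misses here just as it would in Kibana."""
    return (
        get_field(event, "event.dataset") == RULE_DATASET
        and get_field(event, "azure.activitylogs.operation_name") == RULE_OPERATION
        and get_field(event, "event.outcome") == "success"
    )

def triage(events: Iterable[dict]) -> List[dict]:
    """One record per matching event: when, who (user.name) and which suppression rule
    (azure.resource.id). Both fields are assumed to be populated by the ingest pipeline."""
    return [
        {"timestamp": ev.get("@timestamp"),
         "actor": get_field(ev, "user.name", "<unknown>"),
         "resource": get_field(ev, "azure.resource.id", "<unknown>")}
        for ev in events if matches_rule(ev)
    ]

# Constructed sample events, not real telemetry. Only the first one should fire.
SAMPLE_EVENTS = [
    {"@timestamp": "2023-01-01T10:00:00Z", "event": {"dataset": RULE_DATASET, "outcome": "success"},
     "azure": {"activitylogs": {"operation_name": RULE_OPERATION},
               "resource": {"id": "/subscriptions/EXAMPLE-SUB/providers/Microsoft.Security/alertsSuppressionRules/quiet-rule"}},
     "user": {"name": "alice@example.com"}},
    # Same write, but it failed: event.outcome is "failure", so no alert.
    {"@timestamp": "2023-01-01T10:01:00Z", "event": {"dataset": RULE_DATASET, "outcome": "failure"},
     "azure": {"activitylogs": {"operation_name": RULE_OPERATION}}, "user": {"name": "bob@example.com"}},
    # Deleting a suppression rule is a different operation and out of this rule's scope.
    {"@timestamp": "2023-01-01T10:02:00Z", "event": {"dataset": RULE_DATASET, "outcome": "success"},
     "azure": {"activitylogs": {"operation_name": "MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/DELETE"}}},
    # Mixed-case operation name: an exact keyword comparison does not fire (see matches_rule).
    {"@timestamp": "2023-01-01T10:03:00Z", "event": {"dataset": RULE_DATASET, "outcome": "success"},
     "azure": {"activitylogs": {"operation_name": "Microsoft.Security/alertsSuppressionRules/write"}}},
]
```

Running `triage(SAMPLE_EVENTS)` returns a single record for the successful write by alice@example.com; the three remaining events show the negative cases a tuner should keep in mind.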
Framework: MITRE ATT&CK™