Azure Alert Suppression Rule Created or Modified

Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts previously identified as false positives or too noisy to be in production. This mechanism can be abused or mistakenly configured, resulting in defense evasions and loss of security visibility.

Elastic rule

[metadata]
creation_date = "2021/08/27"
integration = ["azure"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Austin Songer"]
description = """
Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts
previously identified as false positives or too noisy to be in production. This mechanism can be abused or mistakenly
configured, resulting in defense evasions and loss of security visibility.
"""
false_positives = [
    """
    Suppression Rules can be created legitimately by a system administrator. Verify whether the user identity, user
    agent, and/or hostname should be making changes in your environment. Suppression Rules created by unfamiliar users
    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Alert Suppression Rule Created or Modified"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
    "https://docs.microsoft.com/en-us/rest/api/securitycenter/alerts-suppression-rules/update",
]
risk_score = 21
rule_id = "f0bc081a-2346-4744-a6a4-81514817e888"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and
event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
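To show what the rule's three AND-ed query terms, its 25-minute lookback and its `event.ingested` timestamp override actually select, the following added example (not Elastic's rule engine or any code from the rule repository) replays the logic over a handful of constructed Azure activity-log events. The events are hand-built placeholders: the identity field `azure.activitylogs.identity.claims_initiated_by_user.name`, the `source.ip` value and the resource path are assumptions used only to populate a triage summary, and `NOW` is a fixed clock so the lookback window is deterministic.

```python
"""Replay of the detection rule's KQL conditions over constructed events.
Added illustration only; it is not the Elastic detection engine."""
from datetime import datetime, timedelta, timezone

# Constants copied from the rule definition.
RULE_ID = "f0bc081a-2346-4744-a6a4-81514817e888"
RULE_DATASET = "azure.activitylogs"
RULE_OPERATION = "MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE"
RULE_OUTCOME = "success"
LOOKBACK = timedelta(minutes=25)      # from = "now-25m"
SEVERITY, RISK_SCORE = "low", 21

# Fixed "current time" so the lookback check below is reproducible.
NOW = datetime(2024, 5, 21, 12, 0, tzinfo=timezone.utc)

# Constructed sample events, flattened to ECS dotted field names. Identity,
# IP and resource values are placeholders, not data from the original page.
SAMPLE_EVENTS = [
    {   # 1: successful suppression-rule write, ingested 5 min ago -> alert
        "event.dataset": "azure.activitylogs",
        "event.ingested": "2024-05-21T11:55:00Z",
        "event.outcome": "success",
        "azure.activitylogs.operation_name": RULE_OPERATION,
        "azure.activitylogs.identity.claims_initiated_by_user.name": "placeholder.admin@example.com",
        "source.ip": "203.0.113.10",
        "azure.resource.id": "/subscriptions/PLACEHOLDER-SUB/providers/Microsoft.Security/alertsSuppressionRules/rule-a",
    },
    {   # 2: same operation, but the write failed -> no alert
        "event.dataset": "azure.activitylogs",
        "event.ingested": "2024-05-21T11:56:00Z",
        "event.outcome": "failure",
        "azure.activitylogs.operation_name": RULE_OPERATION,
        "azure.activitylogs.identity.claims_initiated_by_user.name": "placeholder.user@example.com",
        "source.ip": "203.0.113.11",
        "azure.resource.id": "/subscriptions/PLACEHOLDER-SUB/providers/Microsoft.Security/alertsSuppressionRules/rule-b",
    },
    {   # 3: a different Microsoft.Security write -> no alert
        "event.dataset": "azure.activitylogs",
        "event.ingested": "2024-05-21T11:57:00Z",
        "event.outcome": "success",
        "azure.activitylogs.operation_name": "MICROSOFT.SECURITY/PRICINGS/WRITE",
        "azure.activitylogs.identity.claims_initiated_by_user.name": "placeholder.admin@example.com",
        "source.ip": "203.0.113.10",
        "azure.resource.id": "/subscriptions/PLACEHOLDER-SUB/providers/Microsoft.Security/pricings/VirtualMachines",
    },
    {   # 4: matches the query but was ingested 40 min ago -> outside the window
        "event.dataset": "azure.activitylogs",
        "event.ingested": "2024-05-21T11:20:00Z",
        "event.outcome": "success",
        "azure.activitylogs.operation_name": RULE_OPERATION,
        "azure.activitylogs.identity.claims_initiated_by_user.name": "placeholder.ops@example.com",
        "source.ip": "203.0.113.12",
        "azure.resource.id": "/subscriptions/PLACEHOLDER-SUB/providers/Microsoft.Security/alertsSuppressionRules/rule-c",
    },
]


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def matches_query(event):
    """Evaluate the three AND-ed terms of the KQL query. The operation name is a
    keyword field in the Azure integration, so the match is exact (Azure emits
    the resource-provider operation in upper case, as the rule expects)."""
    return (
        event.get("event.dataset") == RULE_DATASET
        and event.get("azure.activitylogs.operation_name") == RULE_OPERATION
        and event.get("event.outcome") == RULE_OUTCOME
    )


def in_lookback(event, now=NOW):
    """timestamp_override = "event.ingested": the rule judges the 25-minute
    window on ingestion time, not on the original Azure timestamp."""
    ingested = _parse_ts(event["event.ingested"])
    return now - LOOKBACK <= ingested <= now


def run_rule(events, now=NOW):
    """Return one triage-ready alert per event that matches inside the window.
    The fields chosen mirror the rule's false-positive guidance: who did it,
    from where, and to which suppression rule."""
    alerts = []
    for event in events:
        if matches_query(event) and in_lookback(event, now):
            alerts.append({
                "rule_id": RULE_ID,
                "severity": SEVERITY,
                "risk_score": RISK_SCORE,
                "actor": event.get("azure.activitylogs.identity.claims_initiated_by_user.name"),
                "source_ip": event.get("source.ip"),
                "resource": event.get("azure.resource.id"),
                "ingested": event["event.ingested"],
            })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields a single alert for event 1: event 2 is excluded by the `event.outcome: "success"` term, event 3 by the operation name, and event 4 because it matches the query but falls outside the 25-minute lookback measured on `event.ingested`. The last case is the practical reason for the timestamp override: late-arriving activity-log records are still caught by a later rule execution as long as ingestion, not the original Azure event time, falls inside the window.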

Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
