Azure Alert Suppression Rule Created or Modified

Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts previously identified as false positives or too noisy to be in production. This mechanism can be abused or mistakenly configured, resulting in defense evasions and loss of security visibility.

Elastic rule

[metadata]
creation_date = "2021/08/27"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Austin Songer"]
description = """
Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts
previously identified as false positives or too noisy to be in production. This mechanism can be abused or mistakenly
configured, resulting in defense evasions and loss of security visibility.
"""
false_positives = [
    """
    Suppression Rules can be created legitimately by a system administrator. Verify whether the user identity, user
    agent, and/or hostname should be making changes in your environment. Suppression Rules created by unfamiliar users
    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Alert Suppression Rule Created or Modified"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
    "https://docs.microsoft.com/en-us/rest/api/securitycenter/alerts-suppression-rules/update",
]
risk_score = 21
rule_id = "f0bc081a-2346-4744-a6a4-81514817e888"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and
event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
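The following is an added example, not part of the Elastic rule or the Azure integration: it replays the three ANDed terms of the KQL query above over constructed activity-log events to show which records alert (a successful WRITE) and which do not (a failed write, a DELETE, a different dataset), and pulls out the identity fields the false_positives note says to check. The triage field names `user.name` and `source.ip` are assumed ECS mappings; the sample events are constructed.

```python
"""Replay the rule's KQL logic over constructed Azure activity-log events."""
import json

# Literal values taken from the rule's query.
DATASET = "azure.activitylogs"
OPERATION = "MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE"

# Constructed sample events (not real telemetry) using flattened ECS field names.
# user.name / source.ip are assumed triage fields, not guaranteed by the integration.
SAMPLE_EVENTS = [
    {"@timestamp": "2023-06-22T10:01:00Z", "event.dataset": DATASET,
     "azure.activitylogs.operation_name": OPERATION, "event.outcome": "success",
     "user.name": "alice@example.com", "source.ip": "203.0.113.10"},   # alerts
    {"@timestamp": "2023-06-22T10:02:00Z", "event.dataset": DATASET,
     "azure.activitylogs.operation_name": OPERATION, "event.outcome": "failure",
     "user.name": "bob@example.com", "source.ip": "203.0.113.11"},     # denied write: no alert
    {"@timestamp": "2023-06-22T10:03:00Z", "event.dataset": DATASET,
     "azure.activitylogs.operation_name": "MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/DELETE",
     "event.outcome": "success"},                                       # delete: out of scope
    {"@timestamp": "2023-06-22T10:04:00Z", "event.dataset": "azure.signinlogs",
     "azure.activitylogs.operation_name": OPERATION, "event.outcome": "success"},  # wrong dataset
]


def matches_rule(event):
    """Mirror the query: all three terms must hold. The quoted operation name is
    matched literally, so it must appear uppercased exactly as Azure emits it."""
    return (event.get("event.dataset") == DATASET
            and event.get("azure.activitylogs.operation_name") == OPERATION
            and event.get("event.outcome") == "success")


def run_rule(events):
    """Return the alerts the rule would raise, each carrying the fields the
    false_positives note tells the analyst to verify (who, from where, when)."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            hits.append({"timestamp": ev.get("@timestamp"),
                         "user": ev.get("user.name"),
                         "source_ip": ev.get("source.ip"),
                         "operation": ev["azure.activitylogs.operation_name"]})
    return hits


if __name__ == "__main__":
    print(json.dumps(run_rule(SAMPLE_EVENTS), indent=2))
```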

Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
