Creation of a suppression rule may be performed by a system administrator.

Techniques

Sample rules

Azure Suppression Rule Created

Description

Identifies when an alert suppression rule is created in Azure. Adversaries could do this to evade detection by suppressing the alerts their activity would otherwise raise.

Detection logic

condition: selection
selection:
  operationName: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE
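The selection above, run over constructed Azure Activity Log records, as an added example that is not part of the original page or of the rule's project. Sigma compares strings case-insensitively by default, while Azure normally records the operation name in mixed case, so the check lower-cases both sides. The sample events, the account names and the KNOWN_ADMINS allow-list are placeholders assumed for the example; only the field names (time, operationName, caller, resultType, resourceId) follow the Activity Log schema. The allow-list is used to annotate findings for triage, as the false-positive note suggests, not to drop them.

```python
"""Run the 'Azure Suppression Rule Created' selection over constructed Activity Log records."""
import json

# The selection from the rule above. Sigma string matching is case-insensitive by
# default, so the comparison is done in lower case; Azure Activity Log records
# normally carry the operation name in mixed case.
OPERATION_NAME = "MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE".lower()

# Constructed sample records shaped like Azure Activity Log (Administrative)
# events, one JSON object per line. Placeholders, not real telemetry.
SAMPLE_LOG = """
{"time": "2024-03-01T09:12:03Z", "operationName": "Microsoft.Security/alertsSuppressionRules/write", "caller": "secops-admin@example.com", "resultType": "Success", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/alertsSuppressionRules/suppress-scanner-noise"}
{"time": "2024-03-01T09:15:44Z", "operationName": "Microsoft.Security/alertsSuppressionRules/write", "caller": "svc-deploy@example.com", "resultType": "Success", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/alertsSuppressionRules/suppress-all-vm-alerts"}
{"time": "2024-03-01T09:20:10Z", "operationName": "Microsoft.Security/alertsSuppressionRules/delete", "caller": "secops-admin@example.com", "resultType": "Success", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/alertsSuppressionRules/suppress-scanner-noise"}
{"time": "2024-03-01T09:31:27Z", "operationName": "Microsoft.Compute/virtualMachines/write", "caller": "svc-deploy@example.com", "resultType": "Success", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01"}
{"time": "2024-03-01T10:02:58Z", "operationName": "MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE", "caller": "contractor@partner.example", "resultType": "Failure", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/alertsSuppressionRules/suppress-everything"}
"""

# Hypothetical allow-list of accounts whose job includes tuning Defender for Cloud
# alerts (the false-positive case on this page). Used to annotate findings for
# triage only; matching events are still reported.
KNOWN_ADMINS = {"secops-admin@example.com"}


def parse_log(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def matches_rule(event):
    """Apply the Sigma selection: operationName equals the suppression-rule write."""
    return event.get("operationName", "").lower() == OPERATION_NAME


def run_detection(log_text, known_admins):
    """Return one finding per matching event, annotated for analyst triage."""
    findings = []
    for event in parse_log(log_text):
        if not matches_rule(event):
            continue
        caller = event.get("caller", "")
        findings.append({
            "time": event.get("time"),
            "caller": caller,
            # Last path segment of the resource ID is the suppression rule's name.
            "rule": event.get("resourceId", "").rsplit("/", 1)[-1],
            "result": event.get("resultType"),
            "expected_admin": caller in known_admins,
        })
    return findings


if __name__ == "__main__":
    for f in run_detection(SAMPLE_LOG, KNOWN_ADMINS):
        tag = "expected-admin" if f["expected_admin"] else "REVIEW"
        print(f"{f['time']} {f['caller']:<28} {f['rule']:<24} {f['result']:<8} {tag}")
```

The selection fires on three of the five records, including the failed attempt, because the rule does not filter on resultType; whether failed writes are worth alerting on is a tuning decision left to the analyst. Unknown callers and rule names that suggest broad suppression (here the placeholder "suppress-all-vm-alerts") are the ones to look at first.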