Suppression rules created by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Azure Suppression Rule Created

Description

Identifies when a suppression rule is created in Azure. Adversaries could attempt this to evade detection.

Detection logic

condition: selection
selection:
  operationName: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE
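The selection above applied to log records, with the exemption the false-positive note describes, as an added example (not part of the LoFP page or the rule's own code). Sample records are constructed, and the caller field name and the allowlist are assumptions.

```python
# Added example: evaluate the Sigma selection on Azure Activity Log records and
# exempt identities whose suppression-rule creation is known, reviewed behaviour.
# Record field names below are assumed; the records themselves are constructed.

SUPPRESSION_RULE_WRITE = "MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE"

# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    {"caller": "soc-automation@example.com",
     "operationName": "Microsoft.Security/alertsSuppressionRules/write",
     "resultType": "Success"},
    {"caller": "j.doe@example.com",
     "operationName": "Microsoft.Security/alertsSuppressionRules/write",
     "resultType": "Success"},
    {"caller": "j.doe@example.com",
     "operationName": "Microsoft.Security/alertsSuppressionRules/delete",
     "resultType": "Success"},
]

# Assumed allowlist: identities known to create suppression rules legitimately.
KNOWN_CALLERS = {"soc-automation@example.com"}


def matches_selection(record):
    """Sigma string matching is case-insensitive, so compare upper-cased values."""
    return record.get("operationName", "").upper() == SUPPRESSION_RULE_WRITE


def alerts(records, known_callers=KNOWN_CALLERS):
    """Return records that match the rule and come from an unfamiliar caller."""
    return [r for r in records
            if matches_selection(r) and r.get("caller") not in known_callers]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_RECORDS):
        print("investigate:", hit["caller"], hit["operationName"])
```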