Unexpected Azure API calls indicating security alert suppression rule modification

ID: azure_security_alert_suppression_rule_modified_anomaly
Data type: Azure Activity
Severity: Low - Medium
MITRE ATT&CK: TA0005:T1562.001

Description

AlphaSOC detected creation or modification of a Microsoft Defender for Cloud alert suppression rule via Microsoft.Security/alertsSuppressionRules/write. Suppression rules silence specific security alerts, preventing them from appearing in the Defender for Cloud interface. While organizations use suppression rules for legitimate alert tuning, an attacker with sufficient permissions may create a suppression rule to hide their ongoing activity from the SOC.

Impact

Malicious suppression rules can blind security teams to ongoing attacks by silencing alerts about attacker activity. Critical detections covering lateral movement, credential abuse, or resource manipulation may be suppressed, allowing adversaries to operate undetected for an extended period.

Severity

Severity | Condition
Low      | Alert suppression rule created or modified
Medium   | Anomalous alert suppression rule modification

Investigation and Remediation

Review Azure Activity logs for Microsoft.Security/alertsSuppressionRules/write events. Identify the suppression rule name, the alert type being suppressed, and the scope of the rule. Verify whether the change was authorized by the security team. Check whether the rule silences alerts related to attacker techniques currently in use. If unauthorized, delete the suppression rule immediately, restore correct alert coverage, and investigate the identity that created it for signs of compromise.
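As an added example (not AlphaSOC's detection code), the following script runs the first two investigation steps over constructed Azure Activity log records in the REST/portal JSON export shape: it filters for Microsoft.Security/alertsSuppressionRules/write, extracts the caller and the rule name from the resource ID, and assigns Low or Medium according to the severity table above. The anomaly heuristic (caller not on an assumed list of known alert tuners) is an illustrative assumption, not the rule's actual anomaly model.

```python
import json

SUPPRESSION_WRITE_OP = "Microsoft.Security/alertsSuppressionRules/write"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder

# Constructed sample Activity log records, trimmed to the fields this check uses.
SAMPLE_RECORDS = [
    {"eventTimestamp": "2024-05-01T09:12:00Z", "caller": "secops@example.com",
     "operationName": {"value": SUPPRESSION_WRITE_OP}, "status": {"value": "Succeeded"},
     "resourceId": SUB + "/providers/Microsoft.Security/alertsSuppressionRules/tuning-noisy-scanner"},
    {"eventTimestamp": "2024-05-01T09:13:00Z", "caller": "secops@example.com",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"eventTimestamp": "2024-05-01T23:47:00Z", "caller": "contractor-automation-sp",
     "operationName": {"value": SUPPRESSION_WRITE_OP}, "status": {"value": "Succeeded"},
     "resourceId": SUB + "/providers/Microsoft.Security/alertsSuppressionRules/hide-lateral-movement"},
]


def rule_name_from_resource_id(resource_id: str) -> str:
    """Suppression rules live at .../alertsSuppressionRules/<name>; take the last segment."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def suppression_rule_writes(records, known_tuners):
    """One finding per alertsSuppressionRules/write event, in log order.

    Low: any create/modify of a suppression rule (matches the severity table).
    Medium: anomalous write; here approximated by a caller outside the set of
    identities the security team uses for alert tuning (assumption for the example).
    """
    findings = []
    for rec in records:
        if rec.get("operationName", {}).get("value") != SUPPRESSION_WRITE_OP:
            continue  # unrelated administrative operation
        caller = rec.get("caller", "<unknown>")
        findings.append({
            "timestamp": rec.get("eventTimestamp"),
            "caller": caller,
            "rule": rule_name_from_resource_id(rec["resourceId"]),
            "status": rec.get("status", {}).get("value"),
            "severity": "Low" if caller in known_tuners else "Medium",
        })
    return findings


if __name__ == "__main__":
    for finding in suppression_rule_writes(SAMPLE_RECORDS, {"secops@example.com"}):
        print(json.dumps(finding))
```

Each Medium finding is a starting point for the remaining steps: confirm authorization with the security team, check which alert type the rule suppresses, and review the creating identity.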