{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-security-center/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure","Azure Security Center"],"_cs_severities":["low"],"_cs_tags":["azure","defense-evasion","cloud"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies the creation or modification of alert suppression rules within Azure environments. Alert suppression rules are designed to filter out known false positives or low-priority alerts, reducing noise and improving the efficiency of security operations. However, malicious actors can abuse these rules to hide their activity by suppressing alerts related to their attacks. This rule focuses on successful \u0026quot;MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE\u0026quot; operations, indicating a change to the alert suppression configuration. Detecting these changes allows security teams to monitor for unauthorized or suspicious modifications that could lead to a significant reduction in security visibility. This rule is applicable to organizations using Azure and relies on the availability of Azure Activity Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure account through compromised credentials or by exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies existing alert rules and their configurations within the Azure Security Center.\u003c/li\u003e\n\u003cli\u003eUsing their access, the attacker creates a new alert suppression rule or modifies an existing one.\u003c/li\u003e\n\u003cli\u003eThe suppression rule is configured to target specific alerts related to the attacker's activities. The \u003ccode\u003eMICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE\u003c/code\u003e operation is executed.\u003c/li\u003e\n\u003cli\u003eThe Azure Activity Logs record a successful write event for the alert suppression rule.\u003c/li\u003e\n\u003cli\u003eWith the suppression rule active, alerts related to the attacker's actions are no longer triggered, effectively evading detection.\u003c/li\u003e\n\u003cli\u003eThe attacker continues their malicious activities, such as data exfiltration or resource exploitation, without triggering security alerts.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence, knowing their activities are now less likely to be detected due to the alert suppression.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of alert suppression rules can lead to a significant decrease in security visibility within Azure environments. Attackers can operate undetected, potentially leading to data breaches, unauthorized resource access, and other malicious activities. The impact is a function of how long the attacker can remain undetected while they are actively suppressing alerts related to their activities. If critical alerts are suppressed, it can result in substantial financial losses, reputational damage, and regulatory compliance violations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Azure Alert Suppression Rule Created or Modified\u0026quot; to your SIEM and tune for your environment to detect unauthorized changes to alert suppression rules.\u003c/li\u003e\n\u003cli\u003eEnable Azure Activity Logs to ensure the necessary data is available for the Sigma rule to function (reference: log source in the Sigma rule).\u003c/li\u003e\n\u003cli\u003eReview and update access controls and permissions for creating or modifying suppression rules to ensure only authorized personnel can make such changes. (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of alert suppression rule creation or modification to determine if they are legitimate and authorized (reference: Sigma rule description).\u003c/li\u003e\n\u003cli\u003eEstablish a baseline of expected changes and create exceptions for known maintenance periods or personnel (reference: False positive analysis section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-alert-suppression/","summary":"Detection of Azure alert suppression rule creation or modification events, which can be used by attackers to disable security alerts and evade detection.","title":"Azure Alert Suppression Rule Created or Modified","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-alert-suppression/"}],"language":"en","title":"CraftedSignal Threat Feed - Azure Security Center","version":"https://jsonfeed.org/version/1.1"}