<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Azure Security Center - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/azure-security-center/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/azure-security-center/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure Alert Suppression Rule Created or Modified</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-alert-suppression/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-alert-suppression/</guid><description>Detection of Azure alert suppression rule creation or modification events, which can be used by attackers to disable security alerts and evade detection.</description><content:encoded><![CDATA[<p>This detection rule identifies the creation or modification of alert suppression rules within Azure environments. Alert suppression rules are designed to filter out known false positives or low-priority alerts, reducing noise and improving the efficiency of security operations. However, malicious actors can abuse these rules to hide their activity by suppressing alerts related to their attacks. This rule focuses on successful &quot;MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE&quot; operations, indicating a change to the alert suppression configuration. Detecting these changes allows security teams to monitor for unauthorized or suspicious modifications that could lead to a significant reduction in security visibility. This rule is applicable to organizations using Azure and relies on the availability of Azure Activity Logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an Azure account through compromised credentials or by exploiting a vulnerability.</li>
<li>The attacker identifies existing alert rules and their configurations within the Azure Security Center.</li>
<li>Using their access, the attacker creates a new alert suppression rule or modifies an existing one.</li>
<li>The suppression rule is configured to target specific alerts related to the attacker's activities. The <code>MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE</code> operation is executed.</li>
<li>The Azure Activity Logs record a successful write event for the alert suppression rule.</li>
<li>With the suppression rule active, alerts related to the attacker's actions are no longer triggered, effectively evading detection.</li>
<li>The attacker continues their malicious activities, such as data exfiltration or resource exploitation, without triggering security alerts.</li>
<li>The attacker maintains persistence, knowing their activities are now less likely to be detected due to the alert suppression.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of alert suppression rules can lead to a significant decrease in security visibility within Azure environments. Attackers can operate undetected, potentially leading to data breaches, unauthorized resource access, and other malicious activities. The impact is a function of how long the attacker can remain undetected while they are actively suppressing alerts related to their activities. If critical alerts are suppressed, it can result in substantial financial losses, reputational damage, and regulatory compliance violations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Azure Alert Suppression Rule Created or Modified&quot; to your SIEM and tune for your environment to detect unauthorized changes to alert suppression rules.</li>
<li>Enable Azure Activity Logs to ensure the necessary data is available for the Sigma rule to function (reference: log source in the Sigma rule).</li>
<li>Review and update access controls and permissions for creating or modifying suppression rules to ensure only authorized personnel can make such changes. (reference: Overview section).</li>
<li>Investigate any identified instances of alert suppression rule creation or modification to determine if they are legitimate and authorized (reference: Sigma rule description).</li>
<li>Establish a baseline of expected changes and create exceptions for known maintenance periods or personnel (reference: False positive analysis section).</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>azure</category><category>defense-evasion</category><category>cloud</category></item></channel></rss>