[New Rule] Azure Suppression Rule Created (#1666)

* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Delete defense_evasion_virtual_network_device_modified.toml

* Moved to correct directory.

* Suppression Rule Created

* Update defense_evasion_suppression_rule_created.toml

* Update defense_evasion_suppression_rule_created.toml

* Update defense_evasion_suppression_rule_created.toml

* Update defense_evasion_suppression_rule_created.toml

* Update defense_evasion_suppression_rule_created.toml

* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

rules/integrations/azure/defense_evasion_suppression_rule_created.toml

@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2021/08/27"
+maturity = "production"
+updated_date = "2021/12/14"
+integration = "azure"
+
+[rule]
+author = ["Austin Songer"]
+description = """
+Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts
+previously identified as False Positives or too noisy to be in Production. This mechanism can be abused or mistakenly
+configured, resulting in defense evasions and loss of security visibility.
+"""
+false_positives = [
+    """
+    Suppression Rules can be created legitimately by a system administrator. Verify whether the user identity, user
+    agent, and/or hostname should be making changes in your environment. Suppression Rules created by unfamiliar users
+    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    """,
+]
+from = "now-25m"
+index = ["filebeat-*", "logs-azure*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Azure Alert Suppression Rule Created or Modified"
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
+    "https://docs.microsoft.com/en-us/rest/api/securitycenter/alerts-suppression-rules/update",
+]
+risk_score = 21
+rule_id = "f0bc081a-2346-4744-a6a4-81514817e888"
+severity = "low"
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and 
+event.outcome: "success"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"