diff --git a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml new file mode 100644 index 000000000..f03f20c54 --- /dev/null +++ b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml @@ -0,0 +1,56 @@ +[metadata] +creation_date = "2021/08/27" +maturity = "production" +updated_date = "2021/12/14" +integration = "azure" + +[rule] +author = ["Austin Songer"] +description = """ +Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts +previously identified as False Positives or too noisy to be in Production. This mechanism can be abused or mistakenly +configured, resulting in defense evasions and loss of security visibility. +""" +false_positives = [ + """ + Suppression Rules can be created legitimately by a system administrator. Verify whether the user identity, user + agent, and/or hostname should be making changes in your environment. Suppression Rules created by unfamiliar users + should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-25m" +index = ["filebeat-*", "logs-azure*"] +language = "kuery" +license = "Elastic License v2" +name = "Azure Alert Suppression Rule Created or Modified" +note = """## Config + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +references = [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://docs.microsoft.com/en-us/rest/api/securitycenter/alerts-suppression-rules/update", +] +risk_score = 21 +rule_id = "f0bc081a-2346-4744-a6a4-81514817e888" +severity = "low" +tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and +event.outcome: "success" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/"