Microsoft.Security/alertsSuppressionRules/write
Azure
Microsoft.Security/alertsSuppressionRules/write
Event
Creates or updates a suppression rule in Microsoft Defender for Cloud, hiding matching security alerts.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Tampering with cloud security services blinds defenders to threats and may indicate an adversary is preparing for further malicious activity.
Log Source
Azure Activity Log
Sample Event
Adversarial. draco@fantasticlogs.cloud creates a suppression rule suppress-suspicious-rdp that suppresses Defender for Cloud’s RDP brute force suspected alert type for any inbound source IP — pre-empting alerts on Draco’s pending RDP-from-anywhere NSG rule.
{ "authorization": { "action": "Microsoft.Security/alertsSuppressionRules/write", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Security/alertsSuppressionRules/suppress-suspicious-rdp" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "puid": "1003200000000666", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud", "http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814", "uti": "alSup213ExampleUtid01", "ver": "1.0" }, "correlationId": "90000000-0000-4000-8000-000100100100", "description": "", "eventDataId": "90000000-0000-4000-8000-000100100101", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T18:32:01.7421005Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Security/alertsSuppressionRules/suppress-suspicious-rdp/events/90000000-0000-4000-8000-000100100101/ticks/638798252617421005", "level": "Informational", "operationId": "90000000-0000-4000-8000-000100100110", "operationName": { "value": "Microsoft.Security/alertsSuppressionRules/write", "localizedValue": "Create or update Alert Suppression Rule" }, "resourceGroupName": "", "resourceProviderName": { "value": "Microsoft.Security", "localizedValue": "Microsoft.Security" }, "resourceType": { "value": "Microsoft.Security/alertsSuppressionRules", "localizedValue": "Microsoft.Security/alertsSuppressionRules" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Security/alertsSuppressionRules/suppress-suspicious-rdp", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "Created", "localizedValue": "Created (HTTP Status Code: 201)" }, "submissionTimestamp": "2026-04-15T18:32:02.2128443Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "Created", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Security/alertsSuppressionRules/suppress-suspicious-rdp", "message": "Microsoft.Security/alertsSuppressionRules/write", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001", "requestbody": "{\"properties\":{\"reason\":\"Approved exception per change CHG-2026-0415\",\"alertType\":\"RDPBruteForce\",\"state\":\"Enabled\",\"expirationDateUtc\":\"2027-04-15T00:00:00Z\",\"comment\":\"Suppress RDP brute force alerts on demiguise VMs while load testing\",\"suppressionAlertsScope\":{\"allOf\":[{\"field\":\"entities.host.azureID\",\"in\":[\"/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/virtualMachines/vm-demiguise-infer-001\"]}]}}}" }, "relatedEvents": []}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...