Skip to content

Microsoft.Security/alertsSuppressionRules/write

Azure

Microsoft.Security/alertsSuppressionRules/write

service: Azure - Microsoft Defender for Cloud
techniques:

Event

Creates or updates a suppression rule in Microsoft Defender for Cloud, hiding matching security alerts.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Tampering with cloud security services blinds defenders to threats and may indicate an adversary is preparing for further malicious activity.

Log Source

Azure Activity Log

Sample Event

Adversarial. draco@fantasticlogs.cloud creates a suppression rule suppress-suspicious-rdp that suppresses Defender for Cloud’s RDP brute force suspected alert type for any inbound source IP — pre-empting alerts on Draco’s pending RDP-from-anywhere NSG rule.

{
"authorization": {
"action": "Microsoft.Security/alertsSuppressionRules/write",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Security/alertsSuppressionRules/suppress-suspicious-rdp"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"puid": "1003200000000666",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814",
"uti": "alSup213ExampleUtid01",
"ver": "1.0"
},
"correlationId": "90000000-0000-4000-8000-000100100100",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000100100101",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T18:32:01.7421005Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Security/alertsSuppressionRules/suppress-suspicious-rdp/events/90000000-0000-4000-8000-000100100101/ticks/638798252617421005",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000100100110",
"operationName": {
"value": "Microsoft.Security/alertsSuppressionRules/write",
"localizedValue": "Create or update Alert Suppression Rule"
},
"resourceGroupName": "",
"resourceProviderName": {
"value": "Microsoft.Security",
"localizedValue": "Microsoft.Security"
},
"resourceType": {
"value": "Microsoft.Security/alertsSuppressionRules",
"localizedValue": "Microsoft.Security/alertsSuppressionRules"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Security/alertsSuppressionRules/suppress-suspicious-rdp",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "Created",
"localizedValue": "Created (HTTP Status Code: 201)"
},
"submissionTimestamp": "2026-04-15T18:32:02.2128443Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "Created",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Security/alertsSuppressionRules/suppress-suspicious-rdp",
"message": "Microsoft.Security/alertsSuppressionRules/write",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001",
"requestbody": "{\"properties\":{\"reason\":\"Approved exception per change CHG-2026-0415\",\"alertType\":\"RDPBruteForce\",\"state\":\"Enabled\",\"expirationDateUtc\":\"2027-04-15T00:00:00Z\",\"comment\":\"Suppress RDP brute force alerts on demiguise VMs while load testing\",\"suppressionAlertsScope\":{\"allOf\":[{\"field\":\"entities.host.azureID\",\"in\":[\"/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/virtualMachines/vm-demiguise-infer-001\"]}]}}}"
},
"relatedEvents": []
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...