Everything you need to know about Azure Security Center Alert Suppression

Different environments may have particular configurations that trigger alerts, and those false-positive alerts keep annoying the SecOps team. One feature that SecOps teams working with Azure Security Center have wished for is the ability to dismiss alerts automatically based on some criteria. After months of work, Microsoft has publicly released a new feature in Azure Security Center to help filter alerts. This feature was originally called Auto-Dismiss and was then renamed Suppression Alert.

In this article, let’s take a look at Suppression Alert, then go deeper into creating an advanced suppression rule and simulating it.

Use Case

As introduced at the beginning, Suppression Alert allows you to dismiss an alert that you have identified as a false positive but that Azure Security Center keeps generating over and over. Once you decide it is a false positive, what you normally do is dismiss that alert so it disappears from Azure Security Center’s Alert list until you filter for dismissed alerts.

With Suppression Alert, you no longer have to do that job by hand. Instead, it dismisses the alert for you based on a pre-defined rule. Here are use cases where the Suppression Alert feature is helpful:

  • Dismiss network-related alerts: alerts such as Traffic detected from IP addresses recommended for blocking or A logon from a malicious IP has been detected may need to be dismissed if you know the source IP is a trusted one.
  • Dismiss storage account related alerts: alerts such as Access from an unusual location to a storage blob container or Anonymous access from storage account may need to be dismissed if you know that the storage account stores public data (media and photos for a public website).
  • Dismiss penetration or red team testing alerts: pentest or red team activity can create a lot of noisy alerts. Setting an alert suppression rule scoped to the specific test scope is a good way to reduce noisy and false-positive alerts.
  • Dismiss ASC built-in feature alerts: a feature like Adaptive Application Control is pretty noisy if you don’t have a good whitelist set up. This is common in a large development environment where developers install tools or open-source software as they need them.

Role-based Access Control

Azure Security Center Alert Suppression requires you to have the Owner, Contributor or Security Admin role at subscription scope to manage (Create, Read, Update, Delete) rules.

Role                     | Create | Read | Update | Delete
-------------------------|--------|------|--------|-------
Subscription Owner       | Yes    | Yes  | Yes    | Yes
Subscription Contributor | Yes    | Yes  | Yes    | Yes
Subscription Reader      | No     | Yes  | No     | No
Security Admin           | Yes    | Yes  | Yes    | Yes
Security Reader          | No     | Yes  | No     | No

Deployment Overview

An alert suppression rule can be created and deployed via the Azure Portal or programmatically through a REST API call. In this article we will explore both options for working with Alert Suppression.

Azure Portal

You can access the Alert Suppression page from this link.

On Suppression rules (Preview) page, click Create new suppression rule.

Alternatively, you can click […] on a specific alert and select Create a suppression alert.

On the right panel you can start setting up a rule. Let’s pick one of the alerts in my subscription, called PREVIEW – Website is tagged as malicious in threat intelligence feed.

Under Subscription you can select a single subscription or multiple ones. If you choose multiple subscriptions, the rule will be created in all of them. This is helpful when your tenant has more than one subscription.

Under Alerts there are two options:

  • Custom: lists only recent alerts in your subscription.
  • All: applies the rule to all alerts, no matter what the alert is.

Under Entities, you can set the rule condition. Since I know my website (azsec) isn’t malicious, I put its resource ID in the rule condition.

Under Rule details, you can name the rule (without any spaces), choose the State (Enabled) and select a reason for the suppression rule.

Before creating the rule you can test it by clicking Simulate. This lets you test the rule against past alerts without actually dismissing them.

To see all dismissed alerts you need to filter the alert list for them.

REST API

Working in the Azure Portal is fine for testing and evaluation. For large-scale deployment, or in a DevOps environment where everything is encouraged to be defined as code, it is worth experimenting with the REST API or any supported built-in module that Microsoft provides. As of this article there is no cmdlet in Az.Security (PowerShell) and no az security command for the Alert Suppression feature, so the REST API is the approach to take.

In this section, let’s look at an advanced case: your Red team would like to test Azure Security Center as well as Windows Defender on several Azure virtual machines. They ran an EICAR test, which generated several noisy alerts. To dismiss the EICAR alerts automatically, the rule should basically contain two conditions:

  • Host Name: the Red team should register the hosts to be tested.
  • Malware Name: would be Virus:DOS/EICAR_Test_File.

Your rule would look as follows:

{
    "name": "AzSec_EICAR_Testing_Rule",
    "properties": {
        "alertType": "AntimalwareActionTaken",
        "state": "Enabled",
        "reason": "Other",
        "comment": "Red Team testing EICAR",
        "suppressionAlertsScope": {
            "allOf": [
                {
                    "field": "entities.host.hostname",
                    "in": [
                        "appdev-vm",
                        "red-vm"
                    ]
                },
                {
                    "field": "entities.malware.name",
                    "contains": "EICAR"
                }
            ]
        }
    }
}

To make a valid and accepted rule you need to know the instance name of the alertType. You can check it by calling Azure Security Center’s Get/List alerts API or by going to the Log Analytics workspace and checking the AlertType field.

Use the following request Uri for creating a new alert suppression rule:

https://management.azure.com/subscriptions/$SubscriptionId/providers/Microsoft.Security/alertsSuppressionRules/$($RuleName)?api-version=2019-01-01-preview

  • SubscriptionId: the target subscription in which you would like to create the alert suppression rule.
  • RuleName: the name of the alert suppression rule. It must be unique.
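To make the REST workflow concrete, here is an added Python example (not from the article or AzSec’s scripts) that builds the PUT request for the EICAR rule above and runs an offline stand-in for the portal’s Simulate step against constructed sample alerts. The exact matching semantics of the in and contains operators, the nested layout of the alert entities, and the sample hostnames are assumptions for illustration.

```python
import json
API_VERSION = "2019-01-01-preview"

# The EICAR rule from the article, in compact form.
EICAR_RULE = {
    "name": "AzSec_EICAR_Testing_Rule",
    "properties": {
        "alertType": "AntimalwareActionTaken", "state": "Enabled",
        "reason": "Other", "comment": "Red Team testing EICAR",
        "suppressionAlertsScope": {"allOf": [
            {"field": "entities.host.hostname", "in": ["appdev-vm", "red-vm"]},
            {"field": "entities.malware.name", "contains": "EICAR"},
        ]},
    },
}

def build_put_request(subscription_id: str, rule: dict) -> dict:
    """Return method, URL and JSON body for the PUT call described above."""
    name = rule["name"]
    if not name or " " in name:  # rule names must be unique and contain no spaces
        raise ValueError(f"invalid rule name: {name!r}")
    if set(rule["properties"]["suppressionAlertsScope"]) != {"allOf"}:
        raise ValueError("only allOf (AND) conditions are supported")
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           f"/providers/Microsoft.Security/alertsSuppressionRules/{name}"
           f"?api-version={API_VERSION}")
    return {"method": "PUT", "url": url, "body": json.dumps(rule)}

def _field(alert: dict, path: str) -> str:
    """Resolve a dotted path such as entities.host.hostname; missing keys give ''."""
    node = alert
    for part in path.split("."):
        node = node.get(part, "") if isinstance(node, dict) else ""
    return str(node)

def _matches(cond: dict, alert: dict) -> bool:
    # Assumed semantics: 'in' is case-insensitive membership, 'contains' a substring test.
    value = _field(alert, cond["field"]).lower()
    if "in" in cond:
        return value in {v.lower() for v in cond["in"]}
    if "contains" in cond:
        return cond["contains"].lower() in value
    raise ValueError(f"unsupported operator in {cond}")

def simulate(rule: dict, alerts: list) -> list:
    """Offline stand-in for the portal's Simulate: True where an alert would be dismissed."""
    props = rule["properties"]
    return [alert.get("alertType") == props["alertType"]
            and all(_matches(c, alert) for c in props["suppressionAlertsScope"]["allOf"])
            for alert in alerts]
```

Running the simulation over a mix of test-host and production-host alerts before sending the PUT shows whether the hostname condition really confines the rule to the registered Red team machines.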

Use the sample script from here to create a new alert suppression rule.

AzSec has written several scripts here for testing the Azure Security Center Alert Suppression API. Check them out.

FAQ

If I use the built-in Azure Security Center incident creation rule in Azure Sentinel, does Azure Sentinel create an incident for a dismissed alert?

Azure Sentinel will not create incidents for dismissed alerts from Azure Security Center. You would still see the alert in the Log Analytics workspace, though.

Do I get an email notification for a dismissed alert?

Email notifications are not sent for dismissed alerts.

Is there any support for ARM templates?

As of this article, an alert suppression rule can be created only using the Azure Portal or the REST API.

Is there any support for an anyOf (OR) condition?

As of this article, only allOf (ALL) is supported.

What is the maximum number of rules I can deploy per subscription?

TBD

Conclusion

Alert Suppression in Azure Security Center is a helpful feature. It helps you filter out and reduce noisy alerts that you are familiar with and believe to be false positives. You need to verify and check the potential impact of every security alert suppression rule you make for your environment.

Here are some references:
