Query Details

Suppression Rule Creations

Query

# Detect suppression rule creations

### Defender For Endpoint

```kql
CloudAppEvents
| where ActionType == "Write AlertsSuppressionRules"
| project
     Timestamp,
     ActionType,
     Application,
     AccountId,
     AccountDisplayName,
     CreatedSuppressionRule = ObjectName
```
### Sentinel
```kql
CloudAppEvents
| where ActionType == "Write AlertsSuppressionRules"
| project
     TimeGenerated,
     ActionType,
     Application,
     AccountId,
     AccountDisplayName,
     CreatedSuppressionRule = ObjectName
```

Explanation

Both queries search the CloudAppEvents table for records whose ActionType is exactly "Write AlertsSuppressionRules", the action logged when an alert suppression rule is created. For each match they return the event time, the action type, the application, the account ID and display name of the actor, and the name of the created suppression rule (ObjectName, aliased as CreatedSuppressionRule). The only difference between the two versions is the time column: advanced hunting in Defender uses Timestamp, while the Sentinel copy of the table uses TimeGenerated. Because a suppression rule silences future alerts, each hit should be checked against an approved change record.
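To show the matching behaviour outside the portal, here is an added Python re-implementation of the query (not part of the original page) run over constructed CloudAppEvents-style rows; the row values, the account names and the `rules_per_account` triage helper are assumptions, and the exact, case-sensitive comparison mirrors KQL's `==`.

```python
"""Offline re-implementation of the suppression-rule detection over sample rows."""
from collections import Counter
from datetime import datetime

# Constructed sample rows shaped like a CloudAppEvents export; all values are invented.
SAMPLE_EVENTS = [
    {"Timestamp": "2023-02-14T09:12:03Z", "ActionType": "Write AlertsSuppressionRules",
     "Application": "Microsoft Defender for Cloud Apps", "AccountId": "analyst1@contoso.example",
     "AccountDisplayName": "Analyst One", "ObjectName": "Suppress impossible travel for svc"},
    # Sentinel-shaped row: same event type, but the time column is TimeGenerated.
    {"TimeGenerated": "2023-02-14T09:15:44Z", "ActionType": "Write AlertsSuppressionRules",
     "Application": "Microsoft Defender for Cloud Apps", "AccountId": "analyst1@contoso.example",
     "AccountDisplayName": "Analyst One", "ObjectName": "Suppress mass download alerts"},
    # A read of the rules, not a write: must not match.
    {"Timestamp": "2023-02-14T10:01:00Z", "ActionType": "Read AlertsSuppressionRules",
     "Application": "Microsoft Defender for Cloud Apps", "AccountId": "analyst2@contoso.example",
     "AccountDisplayName": "Analyst Two", "ObjectName": "Suppress impossible travel for svc"},
    # Different case: KQL == is case-sensitive, so this row would not match either.
    {"Timestamp": "2023-02-14T10:05:00Z", "ActionType": "write alertssuppressionrules",
     "Application": "Microsoft Defender for Cloud Apps", "AccountId": "analyst2@contoso.example",
     "AccountDisplayName": "Analyst Two", "ObjectName": "Suppress anything"},
]

TARGET_ACTION = "Write AlertsSuppressionRules"


def event_time(event):
    """Defender advanced hunting names the column Timestamp; Sentinel uses TimeGenerated."""
    raw = event.get("Timestamp") or event.get("TimeGenerated")
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def detect_suppression_rule_writes(events):
    """Equivalent of the `where` filter plus the `project` clause, sorted by time."""
    hits = []
    for event in events:
        if event.get("ActionType") != TARGET_ACTION:  # exact match, like KQL ==
            continue
        hits.append({
            "Time": event_time(event),
            "ActionType": event["ActionType"],
            "Application": event.get("Application"),
            "AccountId": event.get("AccountId"),
            "AccountDisplayName": event.get("AccountDisplayName"),
            "CreatedSuppressionRule": event.get("ObjectName"),
        })
    return sorted(hits, key=lambda hit: hit["Time"])


def rules_per_account(hits):
    """Hypothetical triage helper: how many suppression rules each account wrote."""
    return Counter(hit["AccountId"] for hit in hits)
```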

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

CloudAppEvents

Keywords

CloudAppEvents, ActionType, Write, AlertsSuppressionRules, project, Timestamp, Application, AccountId, AccountDisplayName, CreatedSuppressionRule, TimeGenerated, ObjectName

Operators

where, ==, project
