SupressionRuleCreations.md

File metadata and controls

27 lines (25 loc) · 514 Bytes

# Detect suppression rule creations

Both queries below look for writes to alert suppression rules recorded in the `CloudAppEvents` table and project the actor and the rule name (`ObjectName`). The only difference between the two is the timestamp column: `Timestamp` in Defender for Endpoint advanced hunting, `TimeGenerated` in Sentinel.

## Defender For Endpoint

```kql
// Defender for Endpoint advanced hunting: suppression rule writes in CloudAppEvents
CloudAppEvents
| where ActionType == "Write AlertsSuppressionRules"   // == is case-sensitive in KQL
| project
     Timestamp,
     ActionType,
     Application,
     AccountId,
     AccountDisplayName,
     CreatedSuppressionRule = ObjectName   // name of the suppression rule that was written
```

## Sentinel

```kql
// Sentinel: same detection over the ingested CloudAppEvents table
CloudAppEvents
| where ActionType == "Write AlertsSuppressionRules"   // == is case-sensitive in KQL
| project
     TimeGenerated,
     ActionType,
     Application,
     AccountId,
     AccountDisplayName,
     CreatedSuppressionRule = ObjectName   // name of the suppression rule that was written
```
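The same `where`/`project` logic applied offline to an exported batch of `CloudAppEvents` rows, as an added example that is not part of the original repository. It covers both table shapes at once by picking `TimeGenerated` when present and `Timestamp` otherwise, and it keeps the `ActionType` comparison case-sensitive, as KQL's `==` is. The JSON-lines export format and all sample rows are constructed assumptions; the column names are the ones used in the queries above.

```python
"""Offline replay of the suppression-rule-creation detection over exported CloudAppEvents rows.

Assumptions (not from the original page): rows arrive as JSON lines, and the
sample rows below are constructed, not real tenant data.
"""
import json

# Exact ActionType string from the KQL. KQL's == is case-sensitive, so the
# comparison here is kept case-sensitive too; a differently cased value is a miss.
SUPPRESSION_RULE_WRITE = "Write AlertsSuppressionRules"

# Constructed sample export: two real hits (one Defender-style row with Timestamp,
# one Sentinel-style row with TimeGenerated), one read-only action, and one
# write whose casing does not match the query.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"Timestamp": "2024-05-01T10:00:00Z",
                "ActionType": "Write AlertsSuppressionRules",
                "Application": "Microsoft Defender for Endpoint",
                "AccountId": "user-1", "AccountDisplayName": "Alice",
                "ObjectName": "Suppress-Scanner-Noise"}),
    json.dumps({"TimeGenerated": "2024-05-01T10:05:00Z",
                "ActionType": "Write AlertsSuppressionRules",
                "Application": "Microsoft Defender for Endpoint",
                "AccountId": "user-2", "AccountDisplayName": "Bob",
                "ObjectName": "Suppress-Backup-Agent-Alerts"}),
    json.dumps({"Timestamp": "2024-05-01T10:07:00Z",
                "ActionType": "Read AlertsSuppressionRules",
                "Application": "Microsoft Defender for Endpoint",
                "AccountId": "user-3", "AccountDisplayName": "Carol",
                "ObjectName": "Suppress-Scanner-Noise"}),
    json.dumps({"Timestamp": "2024-05-01T10:09:00Z",
                "ActionType": "write alertssuppressionrules",
                "Application": "Microsoft Defender for Endpoint",
                "AccountId": "user-4", "AccountDisplayName": "Dan",
                "ObjectName": "Suppress-Everything"}),
])


def time_column_for(row):
    """Sentinel rows carry TimeGenerated; Defender advanced hunting rows carry Timestamp."""
    return "TimeGenerated" if "TimeGenerated" in row else "Timestamp"


def detect_suppression_rule_creations(export_text):
    """Equivalent of `| where ActionType == ... | project ...` over JSON-lines rows.

    Returns one projected dict per matching row, with ObjectName renamed to
    CreatedSuppressionRule exactly as the KQL alias does.
    """
    hits = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        if row.get("ActionType") != SUPPRESSION_RULE_WRITE:
            continue  # read actions and mis-cased values are not matches
        tcol = time_column_for(row)
        hits.append({
            tcol: row.get(tcol),
            "ActionType": row["ActionType"],
            "Application": row.get("Application"),
            "AccountId": row.get("AccountId"),
            "AccountDisplayName": row.get("AccountDisplayName"),
            "CreatedSuppressionRule": row.get("ObjectName"),
        })
    return hits


def rules_by_account(hits):
    """Triage helper: map each AccountId to the suppression rules it wrote."""
    by_account = {}
    for hit in hits:
        by_account.setdefault(hit["AccountId"], []).append(hit["CreatedSuppressionRule"])
    return by_account


if __name__ == "__main__":
    for hit in detect_suppression_rule_creations(SAMPLE_EXPORT):
        print(hit)
```

The mis-cased fourth row is deliberately left unmatched to show what the KQL `==` filter does; if a data source were ever observed emitting mixed-case `ActionType` values, the KQL equivalent would be `=~` rather than `==`.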