An adversary who has obtained admin privileges may report malicious emails, URLs or attachments as false positives to evade detection and mask their activity in the tenant. SOC teams should proactively hunt for unusual admin false-positive submission volume in Microsoft Sentinel (formerly Azure Sentinel) to surface this obfuscation tactic and the threats it hides.
KQL Query
```kql
// Daily trend of admin submissions reported as false positives, split by content type.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());            // today is excluded, so the last bucket is always a full day
let baseQuery = CloudAppEvents
| where Timestamp >= TimeStart
| where ActionType contains "Submission"
// SubmissionType and SubmissionContentType live in the RawEventData JSON, not in top-level columns;
// "3" is the submission type this query treats as a false-positive report
| extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType), SubmissionContentType = tostring((parse_json(RawEventData)).SubmissionContentType);
// One daily series per content type (Mail, URL, Attachment), zero-filled on days with no submissions
let Admin_Email_FP = baseQuery
| make-series Count = countif(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType == "Mail") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Admin_Email_FP";
let Admin_URL_FP = baseQuery
| make-series Count = countif(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType == "URL") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Admin_URL_FP";
let Admin_Attach_FP = baseQuery
| make-series Count = countif(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType == "Attachment") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Admin_Attach_FP";
// Stack the three series into one chart
union Admin_Email_FP, Admin_URL_FP, Admin_Attach_FP
| project Count, Details, Timestamp
| render timechart
```
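The trend chart shows volume, but a hunt needs the days that stand out. The following added example (it is not part of the original page or of the Defender for Office 365 Sentinel solution) keeps the same filters but builds the three daily series in a single pass of CloudAppEvents with `make-series ... by`, then flags days whose count departs from the fitted baseline with `series_decompose_anomalies`. The anomaly threshold (1.5) and the `'linefit'` trend option are assumed starting values to tune per tenant.

```kql
// Added example, not from the original page: single-pass version of the trend query that
// also flags anomalous days per content type. The 1.5 threshold is an assumed starting value.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
CloudAppEvents
| where Timestamp >= TimeStart and Timestamp < TimeEnd
| where ActionType == "AdminSubmissionSubmitted"
// Parse RawEventData once; "3" is the SubmissionType the original query treats as a false-positive report
| extend Raw = parse_json(RawEventData)
| extend SubmissionType = tostring(Raw.SubmissionType),
         SubmissionContentType = tostring(Raw.SubmissionContentType)
| where SubmissionType == "3" and SubmissionContentType in ("Mail", "URL", "Attachment")
// One zero-filled daily series per content type instead of three scans of the table
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d by SubmissionContentType
// Decompose each series: Anomalies is +1 (above band), -1 (below band) or 0 per day
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Count, 1.5, -1, 'linefit')
| mv-expand Timestamp to typeof(datetime), Count to typeof(long),
            Anomalies to typeof(int), Baseline to typeof(double)
| where Anomalies > 0            // keep only days with more FP submissions than expected
| project Timestamp, SubmissionContentType, Count, ExpectedBaseline = round(Baseline, 1)
| order by Timestamp desc
```

Each flagged row is a day worth pivoting on: a spike in the Mail series from the messaging team after a policy change is benign, the same spike from an account that rarely submits is not. Drop the `where Anomalies > 0` line and add `| render timechart` after the `make-series` step to get the original chart from this single-pass form.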
```yaml
id: 8220d7f5-47e8-4040-b701-16bade7fa218
name: Admin Submission Trend (FP)
description: |
  This query visualises the daily number of admin false-positive submissions by submission content type.
description-detailed: |
  This query visualises the daily number of admin false-positive submissions by submission content type (Mail, URL, Attachment).
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  let baseQuery = CloudAppEvents
  | where Timestamp >= TimeStart
  | where ActionType contains "Submission"
  | extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType);
  let Admin_Email_FP=baseQuery
  | make-series Count= countif(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail" ) default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Admin_Email_FP";
  let Admin_URL_FP=baseQuery
  | make-series Count= countif(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="URL") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Admin_URL_FP";
  let Admin_Attach_FP=baseQuery
  | make-series Count= countif(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Attachment") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Admin_Attach_FP";
  union Admin_Email_FP,Admin_URL_FP,Admin_Attach_FP
  | project Count, Details, Timestamp
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ingested through the Microsoft Defender XDR connector (connectorId `MicrosoftThreatProtection`); ensure the CloudAppEvents data type is enabled on that connector, otherwise the query returns no rows. |
The scenarios below are illustrative benign causes of a spike or drift in the admin false-positive submission trend, and how to separate them from the hunt's signal. Only columns that exist in CloudAppEvents (AccountObjectId, AccountDisplayName, IPAddress, UserAgent) and the RawEventData fields the query already parses are used for filtering.
Scenario: Backlog Clean-up After a Policy Change
Description: After an anti-spam or anti-phishing policy is tightened, the messaging team reports a backlog of wrongly quarantined messages as false positives in a single session, producing a one-day spike in the Mail series.
Filter/Exclusion: Correlate the spike with the change window and confirm that the submitting AccountObjectId values belong to the messaging team; a spike from an account that does not normally submit is not explained by this scenario.
Scenario: Automated Submission via Integration
Description: A SOAR playbook or ticketing integration submits items under a dedicated service account, so one identity contributes a steady daily count that raises the baseline.
Filter/Exclusion: Exclude the service account by AccountObjectId rather than by AccountDisplayName (display names can be changed), and track that account separately so a change in its volume or content type is still visible.
Scenario: New Administrator or Team Onboarding
Description: A newly delegated administrator or an outsourced SOC begins reporting items, so submitter accounts and source IP ranges not seen in the preceding weeks appear in the data.
Filter/Exclusion: Compare AccountObjectId and IPAddress against the previous 30 days of AdminSubmissionSubmitted events and verify new submitters against the change record before excluding them.
Scenario: Wrongly Blocked Partner Domain or File
Description: A partner's sending domain or a commonly shared attachment is misclassified, and admins report many URL or Attachment items in a short period, producing a spike in those series while the Mail series stays flat.
Filter/Exclusion: Inspect RawEventData to confirm the submitted items relate to the same partner and that the submitting accounts are known; exclude the burst once the corresponding filter fix is recorded.
Scenario: Scripted Bulk Submission
Description: An admin reports many items at once from a script or API client instead of the portal, so a single account produces tens of submissions within minutes and the UserAgent column differs from the browser user agents seen for portal submissions.
Filter/Exclusion:
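Several of the scenarios above come down to the same question: who submitted, from where, and have they done so before. The following added example (not part of the original page or of the Sentinel solution) attributes the last seven days of admin false-positive submissions to the submitting accounts, drops a known automation identity by AccountObjectId, and flags accounts with no submissions in the preceding 30-day baseline. The object ID in `KnownAutomation` and the window lengths are hypothetical placeholders to replace with the tenant's own values.

```kql
// Added example, not from the original page: attribute recent admin false-positive submissions
// to the accounts that made them, drop a known automation identity, and flag accounts that did
// not submit anything in the preceding baseline window. The object ID below is a hypothetical
// placeholder for a tenant's SOAR service account.
let BaselineStart = startofday(ago(37d));    // 30-day baseline followed by a 7-day recent window
let RecentStart = startofday(ago(7d));
let KnownAutomation = datatable(AccountObjectId: string) [
    "00000000-0000-0000-0000-000000000000"   // hypothetical: replace with the real service account ID
];
let FpSubmissions = CloudAppEvents
| where Timestamp >= BaselineStart
| where ActionType == "AdminSubmissionSubmitted"
| extend Raw = parse_json(RawEventData)
| where tostring(Raw.SubmissionType) == "3"          // false-positive reports only, as in the trend query
| extend SubmissionContentType = tostring(Raw.SubmissionContentType)
| where AccountObjectId !in (KnownAutomation);        // exclude by immutable ID, not display name
// Accounts that submitted at least once in the 30 days before the recent window
let BaselineSubmitters = FpSubmissions
| where Timestamp < RecentStart
| distinct AccountObjectId
| extend SeenInBaseline = true;
FpSubmissions
| where Timestamp >= RecentStart
| summarize SubmissionCount = count(),
            ContentTypes = make_set(SubmissionContentType),
            SourceIPs = make_set(IPAddress),
            UserAgents = make_set(UserAgent),     // scripted clients stand out from browser user agents
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by AccountObjectId, AccountDisplayName
| join kind=leftouter BaselineSubmitters on AccountObjectId
| extend NewSubmitter = isnull(SeenInBaseline)       // true: no FP submissions from this account in the baseline
| project-away AccountObjectId1, SeenInBaseline
| order by NewSubmitter desc, SubmissionCount desc
```

Rows with `NewSubmitter == true` are the onboarding scenario when they match a change record and the hunt's signal when they do not; a known account with a sudden jump in `SubmissionCount` and a new entry in `SourceIPs` or `UserAgents` is the case to pivot into the individual events.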