Adversaries may abuse admin submission mechanisms to bypass authentication and gain unauthorized access by submitting crafted false positives. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential stuffing or privilege escalation attempts disguised as legitimate admin actions.
KQL Query
```kusto
CloudAppEvents
| where ActionType contains "Submission"
| extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
         SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType)
| extend Admin_SubmissionType =
    iff(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType == "Mail", "Admin_Email_FP",
    iff(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType == "URL", "Admin_URL_FP",
    iff(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType == "Attachment", "Admin_Attach_FP",
    "Other")))
| where Admin_SubmissionType != "Other"
| summarize count() by Admin_SubmissionType
| render piechart
```
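To check the classification logic offline before scheduling the query, the following Python reimplements it over constructed CloudAppEvents rows. This is an added example, not part of the Sentinel content; the sample ActionType values and RawEventData payloads are invented for illustration, and the edge cases (numeric vs. string SubmissionType, missing field, non-JSON RawEventData) mirror how KQL tostring() and parse_json() behave.

```python
import json
from collections import Counter

# Constructed sample rows (not real tenant data): each carries ActionType plus the
# RawEventData JSON the query parses. SubmissionType 3 = admin false-positive submission.
SAMPLE_EVENTS = [
    {"ActionType": "AdminSubmissionSubmitted",
     "RawEventData": json.dumps({"SubmissionType": 3, "SubmissionContentType": "Mail"})},
    {"ActionType": "AdminSubmissionSubmitted",       # string "3" must match like numeric 3
     "RawEventData": json.dumps({"SubmissionType": "3", "SubmissionContentType": "URL"})},
    {"ActionType": "AdminSubmissionSubmitted",
     "RawEventData": json.dumps({"SubmissionType": 3, "SubmissionContentType": "Attachment"})},
    {"ActionType": "AdminSubmissionSubmitted",       # not an FP submission type
     "RawEventData": json.dumps({"SubmissionType": 1, "SubmissionContentType": "Mail"})},
    {"ActionType": "UserSubmissionSubmitted",        # hypothetical non-admin action name
     "RawEventData": json.dumps({"SubmissionType": 3, "SubmissionContentType": "Mail"})},
    {"ActionType": "AdminSubmissionSubmitted",       # SubmissionType missing entirely
     "RawEventData": json.dumps({"SubmissionContentType": "Mail"})},
    {"ActionType": "AdminSubmissionSubmitted",       # RawEventData is not JSON at all
     "RawEventData": "not json"},
]

CONTENT_LABELS = {"Mail": "Admin_Email_FP", "URL": "Admin_URL_FP", "Attachment": "Admin_Attach_FP"}

def kql_tostring(value):
    """Mimic KQL tostring(): a null/missing property becomes "", anything else its text."""
    return "" if value is None else str(value)

def classify(event):
    """Return the Admin_SubmissionType label the query assigns to one row, or None if filtered out."""
    if "Submission" not in event["ActionType"]:
        return None  # dropped by the first where clause
    try:
        raw = json.loads(event["RawEventData"])
    except (TypeError, ValueError):
        raw = {}
    if not isinstance(raw, dict):
        raw = {}  # a non-object value has no .SubmissionType property, so lookups yield ""
    sub_type = kql_tostring(raw.get("SubmissionType"))
    content = kql_tostring(raw.get("SubmissionContentType"))
    if sub_type == "3" and event["ActionType"] == "AdminSubmissionSubmitted":
        return CONTENT_LABELS.get(content, "Other")
    return "Other"

def summarize(events):
    """Equivalent of: where Admin_SubmissionType != "Other" | summarize count() by Admin_SubmissionType."""
    labels = (classify(e) for e in events)
    return dict(Counter(label for label in labels if label and label != "Other"))

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))  # one row per FP category; the rest fall into "Other"
```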
```yaml
id: 6f45e3cc-e810-43ce-a8df-289aaa2e0ca2
name: Admin Submissions by Submission Type (FP)
description: |
  This query visualises the total number of admin false positive submissions by submission type.
description-detailed: |
  This query visualises the total number of admin false positive submissions by submission type in Defender for Office 365.
  The query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType contains "Submission"
  | extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
           SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType)
  | extend Admin_SubmissionType =
      iff(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType == "Mail", "Admin_Email_FP",
      iff(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType == "URL", "Admin_URL_FP",
      iff(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType == "Attachment", "Admin_Attach_FP",
      "Other")))
  | where Admin_SubmissionType != "Other"
  | summarize count() by Admin_SubmissionType
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job Submission
Description: A legitimate scheduled job (e.g., rsync, cron, or Ansible playbook) is configured to submit admin tasks that match the rule’s criteria.
Filter/Exclusion: Exclude submissions with source_type = "scheduled_job" or job_name containing known job names like backup_job, system_update, or log_rotation.
Scenario: User-Initiated Admin Task via GUI
Description: An admin user performs a legitimate task (e.g., configuring a firewall rule via iptables, managing Zabbix alerts, or editing Nagios configurations) through a GUI tool, which may trigger the rule.
Filter/Exclusion: Exclude submissions where user_agent contains “GUI” or tool_name is iptables, Zabbix, or Nagios.
Scenario: System Maintenance via CLI Tools
Description: System maintenance tasks (e.g., using systemd, init.d, or Chef/Puppet scripts) may generate admin submission events that match the rule.
Filter/Exclusion: Exclude submissions with command_line containing systemd, init.d, chef-client, or puppet agent.
Scenario: Log File Rotation or Archiving
Description: Log rotation tools like logrotate or rsyslog may submit admin tasks that are flagged as false positives.
Filter/Exclusion: Exclude submissions with command_line containing logrotate, rsyslog, or logrotate.conf.
Scenario: Database Backup or Restore Operations
Description: Database management tasks (e.g., using mysqldump, pg_dump, or MongoDB backup tools) may generate admin submission events that trigger the rule.