Adversaries who obtain Exchange Online administrative rights may add entries to the Tenant Allow/Block List (TABL) in Defender for Office 365 to evade detection: an allow entry lets the attacker's own sender domains, URLs or file hashes pass mail filtering, and a block entry is an equally unauthorized change to the tenant's filtering configuration. Every such change is audited under the ActionType "New-TenantAllowBlockListItems" (the Exchange Online PowerShell cmdlet name) in the CloudAppEvents table, so SOC teams should proactively hunt for it in Microsoft Sentinel (formerly Azure Sentinel) to catch defense evasion that bypasses standard filtering controls.
KQL Query
```kusto
CloudAppEvents
| where ActionType == "New-TenantAllowBlockListItems"
| extend Parameters = RawEventData.Parameters
| mv-apply Parameters on (
    extend Out=bag_pack(tostring(Parameters.Name), Parameters.Value)
    | summarize Parameters=make_bag(Out)
)
| extend Allow=Parameters.Allow, Block=Parameters.Block, Entry=Parameters.Entries, ExpirationDate=Parameters.ExpirationDate, ListType=Parameters.ListType, ListSubType=Parameters.ListSubType, ModifiedBy=Parameters.ModifiedBy, NoExpiration=Parameters.NoExpiration, SubmissionID=Parameters.SubmissionID, SubmissionUserId=Parameters.SubmissionUserId, Notes=Parameters.Notes
| extend Action=iff(Allow == "True", "Allow", iff(Block == "True", "Block", "Unknown")), AccountUpn=tostring(coalesce(SubmissionUserId, ModifiedBy))
| project Timestamp, Action, ListType, ListSubType, Entry, ExpirationDate, NoExpiration, AccountUpn, Notes, SubmissionID, ReportId
| order by Timestamp desc
```
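The stages of the query above can be hard to picture without data: `RawEventData.Parameters` arrives as an array of `{Name, Value}` pairs, the `mv-apply` / `bag_pack` / `make_bag` block folds it into a single property bag, and the `Action` and `AccountUpn` columns are then derived from that bag. The following is an added example, not code from the original page or the Azure-Sentinel repository: it re-implements the same logic in Python and runs it over a few constructed CloudAppEvents-style records, plus a small triage heuristic (an assumption of this example, not part of the query) that flags Allow entries lacking a SubmissionID or set to never expire. All sample values (accounts, domains, IDs) are invented.

```python
"""Python re-implementation of the 'New TABL Items' hunting logic (added example).

Field names follow what the KQL reads: ActionType, Timestamp, ReportId and
RawEventData.Parameters as a list of {Name, Value} pairs. Sample data is constructed.
"""
import json

TABL_ACTION = "New-TenantAllowBlockListItems"

# Constructed sample records; only the fields the query touches are populated.
SAMPLE_EVENTS = [
    {   # Block entry added by an IR analyst, never expires.
        "Timestamp": "2024-05-01T08:12:03Z", "ActionType": TABL_ACTION, "ReportId": "r-0001",
        "RawEventData": {"Parameters": [
            {"Name": "Block", "Value": "True"},
            {"Name": "Entries", "Value": "badsender.example"},
            {"Name": "ListType", "Value": "Sender"},
            {"Name": "NoExpiration", "Value": "True"},
            {"Name": "Notes", "Value": "IR-4412 phishing campaign"},
            {"Name": "ModifiedBy", "Value": "ir-analyst@contoso.example"},
        ]},
    },
    {   # Allow entry tied to an admin submission: SubmissionID and SubmissionUserId set.
        "Timestamp": "2024-05-01T09:30:10Z", "ActionType": TABL_ACTION, "ReportId": "r-0002",
        "RawEventData": {"Parameters": [
            {"Name": "Allow", "Value": "True"},
            {"Name": "Entries", "Value": "https://partner.example/invoice"},
            {"Name": "ListType", "Value": "Url"},
            {"Name": "ExpirationDate", "Value": "2024-06-15T00:00:00Z"},
            {"Name": "SubmissionID", "Value": "sub-7f3a"},
            {"Name": "SubmissionUserId", "Value": "helpdesk@contoso.example"},
            {"Name": "ModifiedBy", "Value": "secops@contoso.example"},
        ]},
    },
    {   # Allow entry added directly, no submission, never expires.
        "Timestamp": "2024-05-02T17:45:00Z", "ActionType": TABL_ACTION, "ReportId": "r-0003",
        "RawEventData": {"Parameters": [
            {"Name": "Allow", "Value": "True"},
            {"Name": "Entries", "Value": "attacker-mail.example"},
            {"Name": "ListType", "Value": "Sender"},
            {"Name": "ListSubType", "Value": "Tenant"},
            {"Name": "NoExpiration", "Value": "True"},
            {"Name": "ModifiedBy", "Value": "globaladmin@contoso.example"},
        ]},
    },
    {   # Different cmdlet: must be dropped by the ActionType filter.
        "Timestamp": "2024-05-02T18:00:00Z", "ActionType": "Set-TenantAllowBlockListItems",
        "ReportId": "r-0004",
        "RawEventData": {"Parameters": [{"Name": "Allow", "Value": "True"}]},
    },
]


def flatten_parameters(params):
    """The mv-apply / bag_pack / make_bag stage: [{Name, Value}, ...] -> {Name: Value}."""
    return {p["Name"]: p.get("Value") for p in params if "Name" in p}


def coalesce(*values):
    """KQL-style coalesce: first value that is not null. Note that an empty
    string is not null, so coalesce(None, "", "x") returns ""."""
    return next((v for v in values if v is not None), None)


def normalise_event(event):
    """The where / extend / project stages for one record; None if filtered out."""
    if event.get("ActionType") != TABL_ACTION:
        return None
    p = flatten_parameters(event.get("RawEventData", {}).get("Parameters", []))
    if p.get("Allow") == "True":
        action = "Allow"
    elif p.get("Block") == "True":
        action = "Block"
    else:
        action = "Unknown"
    return {
        "Timestamp": event.get("Timestamp"), "Action": action,
        "ListType": p.get("ListType"), "ListSubType": p.get("ListSubType"),
        "Entry": p.get("Entries"), "ExpirationDate": p.get("ExpirationDate"),
        "NoExpiration": p.get("NoExpiration"),
        "AccountUpn": coalesce(p.get("SubmissionUserId"), p.get("ModifiedBy")),
        "Notes": p.get("Notes"), "SubmissionID": p.get("SubmissionID"),
        "ReportId": event.get("ReportId"),
    }


def hunt(events):
    """Whole query: filter, flatten, derive, project, then order by Timestamp desc."""
    rows = [r for r in map(normalise_event, events) if r is not None]
    rows.sort(key=lambda r: r["Timestamp"], reverse=True)
    return rows


def needs_review(row):
    """Triage heuristic (assumption of this example): Allow entries weaken filtering,
    so flag any Allow not backed by a submission or set to never expire."""
    if row["Action"] != "Allow":
        return False
    return not row["SubmissionID"] or row["NoExpiration"] == "True"


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(("REVIEW " if needs_review(row) else "       ") + json.dumps(row))
```

Run stand-alone it prints the three matching rows newest first; the directly created, never-expiring Allow entry is the only one marked REVIEW. The `coalesce` helper deliberately mirrors KQL null semantics so the Python output matches what `AccountUpn` would contain in Sentinel.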
```yaml
id: 92b76a34-502e-4a53-93ec-9fc37c3b358c
name: New TABL Items
description: |
  This query helps identify when new items are added to the Tenant Allow/Block List (TABL) in Defender for Office 365.
description-detailed: |
  This query helps identify when new items are added to the Tenant Allow/Block List (TABL) in Defender for Office 365. The output includes details about both Allow and Block entries.
  Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
  CloudAppEvents
  | where ActionType == "New-TenantAllowBlockListItems"
  | extend Parameters = RawEventData.Parameters
  | mv-apply Parameters on (
      extend Out=bag_pack(tostring(Parameters.Name), Parameters.Value)
      | summarize Parameters=make_bag(Out)
  )
  | extend Allow=Parameters.Allow, Block=Parameters.Block, Entry=Parameters.Entries, ExpirationDate=Parameters.ExpirationDate, ListType=Parameters.ListType, ListSubType=Parameters.ListSubType, ModifiedBy=Parameters.ModifiedBy, NoExpiration=Parameters.NoExpiration, SubmissionID=Parameters.SubmissionID, SubmissionUserId=Parameters.SubmissionUserId, Notes=Parameters.Notes
  | extend Action=iff(Allow == "True", "Allow", iff(Block == "True", "Block", "Unknown")), AccountUpn=tostring(coalesce(SubmissionUserId, ModifiedBy))
  | project Timestamp, Action, ListType, ListSubType, Entry, ExpirationDate, NoExpiration, AccountUpn, Notes, SubmissionID, ReportId
  | order by Timestamp desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountUpn
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Populated by the Microsoft Defender XDR (MicrosoftThreatProtection) data connector; ensure it is enabled and that the CloudAppEvents data type is selected |
Scenario: Automated Security Tooling
Description: A SOAR playbook, script or third-party email security product adds TABL entries through Exchange Online PowerShell (New-TenantAllowBlockListItems) under a dedicated service account or application identity, for example block entries pushed from a threat intelligence feed.
Filter/Exclusion: Maintain a watchlist of the approved automation identities and exclude rows whose AccountUpn matches one of them. Keep alerting when such an identity creates Allow entries if the automation is only expected to create Block entries; that mismatch is itself worth investigating.
Scenario: Admin Manual TABL Update
Description: A security administrator manually adds entries in the Microsoft Defender portal (Tenant Allow/Block Lists under Threat policies) or with New-TenantAllowBlockListItems in Exchange Online PowerShell.
Filter/Exclusion: Compare AccountUpn against the administrators authorized to manage threat policies and check the Notes column for a change or incident reference. Do not suppress all administrator activity outright: a compromised administrator account is exactly how an adversary would make this change, so Allow entries created by administrators still warrant review, especially entries for external domains or URLs with NoExpiration set.
Scenario: Allow Entry Created From an Admin Submission
Description: When an administrator reports a message, URL or file as a false positive from the Submissions page and chooses to allow it, Defender for Office 365 creates the corresponding TABL allow entry. The query surfaces such entries with SubmissionID and SubmissionUserId populated, and AccountUpn is taken from SubmissionUserId where present.
Filter/Exclusion: Treat rows with a non-empty SubmissionID as submission-driven and review the original submission rather than the list change; rows with Action "Allow" and an empty SubmissionID were created directly and deserve closer scrutiny.
Scenario: Incident Response Blocking
Description: During an incident, responders add block entries for phishing sender addresses or domains, URLs and file hashes, often several at once and frequently with NoExpiration set.
Filter/Exclusion: Rows with Action "Block" reduce rather than increase the tenant's exposure; correlate them with an open incident and the responder's AccountUpn and deprioritize them, but do not exclude them entirely, since a burst of block entries from an unexpected account is still an unauthorized change to the filtering configuration.
Scenario: Bulk Import During Migration
Description: When migrating from a third-party email security gateway, administrators commonly import that product's existing allow and block lists in bulk, producing a burst of New-TenantAllowBlockListItems events from a single account in a short time window.
*Filter/