Number of unique accounts performing Teams message User submissions

Hunt Hypothesis

This query visualises number of unqiue accounts performing Teams message user submissions as false negatives or false positives

KQL Query

CloudAppEvents
| where ActionType == "UserSubmission"
| extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType),SubmittedBy=tostring((parse_json(RawEventData)).UserId)
| where SubmissionContentType == "ChatMessage"
| summarize dcount(SubmittedBy) 

Analytic Rule Definition

id: 489ad959-48eb-4c34-bed6-764cfd39214d
name: Number of unique accounts performing Teams message User  submissions
description: |
  This query visualises number of unqiue accounts performing Teams message user submissions as false negatives or false positives
description-detailed: |
 This query visualises number of unqiue accounts performing Teams message user submissions as false negatives or false positives
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "UserSubmission"
  | extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType),SubmittedBy=tostring((parse_json(RawEventData)).UserId)
  | where SubmissionContentType == "ChatMessage"
  | summarize dcount(SubmittedBy) 
version: l.0.0

Required Data Sources

False Positive Guidance

• Scenario: Automated Scheduled Job for Status Updates
  Description: A

MITRE ATT&CK Context

• Tactic: InitialAccess
• Technique: T1566 — T1566

References

• [Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Microsoft Teams protection/Number of unique accounts performing Teams message User submissions.yaml)