Adversaries may use this rule to check the status of submitted indicators or artifacts, potentially to assess the effectiveness of detection efforts or to evade detection. SOC teams should proactively hunt for this behavior to identify potential adversary reconnaissance or evasion tactics in their Azure Sentinel environment.
KQL Query
```kql
CloudAppEvents
| where Timestamp > ago(30d)
| extend Record = (parse_json(RawEventData)).RecordType
| extend SubmissionState = (parse_json(RawEventData)).SubmissionState
| extend UserKey = (parse_json(RawEventData)).UserKey
| where Record == 29
| where ActionType == "UserSubmission" or ActionType == "AdminSubmission"
| summarize count() by tostring(SubmissionState)
| sort by count_
```
```yaml
id: 1c390fd7-2668-4445-9b7d-055f3851be5f
name: Status of submissions
description: |
  This query helps review the status of submissions
description-detailed: |
  This query helps review the status of submissions in Defender for Office 365.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where Timestamp > ago(30d)
  | extend Record = (parse_json(RawEventData)).RecordType
  | extend SubmissionState = (parse_json(RawEventData)).SubmissionState
  | extend UserKey = (parse_json(RawEventData)).UserKey
  | where Record == 29
  | where ActionType == "UserSubmission" or ActionType == "AdminSubmission"
  | summarize count() by tostring(SubmissionState)
  | sort by count_
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually checking the status of a submission via the Microsoft Defender for Endpoint (MDE) portal as part of a routine security review.
  Filter/Exclusion: Exclude submissions where the source is the MDE portal or where the user is a known admin account.
- Scenario: A scheduled job runs to generate daily compliance reports using Microsoft Sentinel and queries submission statuses as part of the report generation process.
  Filter/Exclusion: Exclude submissions where the source is a known report generation service or where the event is triggered by a scheduled task with a specific name.
- Scenario: An endpoint protection policy update is being deployed via Microsoft Intune, which includes checking submission statuses to validate the update process.
  Filter/Exclusion: Exclude submissions where the source is related to Intune or where the event is associated with a policy update task.
- Scenario: A third-party security tool is integrated with the enterprise's SIEM and periodically checks submission statuses as part of its monitoring workflow.
  Filter/Exclusion: Exclude submissions where the source is a known third-party tool or where the event is tagged with a specific integration identifier.
- Scenario: A system health check is performed by the Windows Defender Antivirus service to verify submission statuses during a routine scan.
  Filter/Exclusion: Exclude submissions where the source is the Windows Defender service or where the event is related to a scheduled scan task.
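The following Python script is an added example, not part of the Sentinel content or the query above. It replays the query's logic (30-day window, `RecordType == 29`, `ActionType` in `UserSubmission`/`AdminSubmission`, count by `SubmissionState`, highest count first) over a handful of constructed `CloudAppEvents` rows, and adds the "known admin account" exclusion from the false-positive scenarios as an optional set of `UserKey` values. The sample rows, the fixed reference time, the `contoso.example` user keys and the `excluded_user_keys` parameter are all assumptions made for the example; the only field semantics it relies on are the ones the query itself uses.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed "current" time so the 30-day window is reproducible offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def make_row(days_ago, action_type, record_type, state, user_key):
    """Build one constructed CloudAppEvents row. RawEventData is the JSON
    string the KQL query unpacks with parse_json()."""
    return {
        "Timestamp": NOW - timedelta(days=days_ago),
        "ActionType": action_type,
        "RawEventData": json.dumps({
            "RecordType": record_type,
            "SubmissionState": state,
            "UserKey": user_key,
        }),
    }


# Constructed sample data (not real tenant events). The last four rows each
# fail one of the query's filters and must not be counted.
SAMPLE_EVENTS = [
    make_row(1, "UserSubmission", 29, "Pending", "user1@contoso.example"),
    make_row(2, "UserSubmission", 29, "Completed", "user2@contoso.example"),
    make_row(3, "AdminSubmission", 29, "Completed", "admin@contoso.example"),
    make_row(4, "AdminSubmission", 29, "Completed", "admin@contoso.example"),
    make_row(45, "UserSubmission", 29, "Pending", "user3@contoso.example"),   # outside 30d window
    make_row(5, "UserSubmission", 28, "Completed", "user4@contoso.example"),  # RecordType != 29
    make_row(6, "FileDownloaded", 29, "Completed", "user5@contoso.example"),  # not a submission
    {"Timestamp": NOW - timedelta(days=7), "ActionType": "UserSubmission",
     "RawEventData": "not json"},                                            # parse_json() would yield null
]

SUBMISSION_ACTIONS = ("UserSubmission", "AdminSubmission")


def submission_status_counts(events, now=NOW, window_days=30, excluded_user_keys=frozenset()):
    """Emulate the hunting query and return [(SubmissionState, count), ...]
    sorted by count descending (KQL 'sort by' defaults to desc).

    excluded_user_keys (assumed tuning knob, not in the original query) drops
    rows from known admin/service accounts, as the false-positive notes suggest.
    """
    cutoff = now - timedelta(days=window_days)
    counts = Counter()
    for ev in events:
        if ev["Timestamp"] <= cutoff:            # | where Timestamp > ago(30d)
            continue
        try:
            raw = json.loads(ev["RawEventData"])  # parse_json(RawEventData)
        except (TypeError, ValueError):
            continue                              # null fields fail the == 29 test in KQL too
        if raw.get("RecordType") != 29:           # | where Record == 29
            continue
        if ev["ActionType"] not in SUBMISSION_ACTIONS:
            continue
        if raw.get("UserKey") in excluded_user_keys:
            continue
        counts[str(raw.get("SubmissionState"))] += 1  # summarize count() by tostring(SubmissionState)
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("all submissions:", submission_status_counts(SAMPLE_EVENTS))
    print("excluding admin:", submission_status_counts(
        SAMPLE_EVENTS, excluded_user_keys={"admin@contoso.example"}))
```

Running it shows three `Completed` and one `Pending` submission in the window; with the admin account excluded the `Completed` count drops to one, which is the kind of shift a tuned version of the hunt would surface when an automated or administrative source is inflating a state's count.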