Adversaries with admin access may submit Teams messages as "false positive" (no threat) admin submissions to mask their activity and evade detection, an application of T1562 (Impair Defenses) that manipulates admin alerting. SOC teams should proactively hunt for this behavior to identify attempts to suppress true threat indicators within their Azure Sentinel environment.
KQL Query
```kusto
// Admin submission of false positive Teams message detections, daily trend
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
// Admin submissions of Teams chat messages; SubmissionType and SubmissionContentType are read out of RawEventData
let baseQuery=CloudAppEvents
| extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType), SubmissionContentType = tostring((parse_json(RawEventData)).SubmissionContentType)
| where ActionType == "AdminSubmissionSubmitted" and SubmissionContentType == "ChatMessage";
// SubmissionType "3" is the "no threats" (false positive) verdict this query trends; days with no submissions are zero-filled
let Admin_Teams_FP=baseQuery
| make-series Count= countif(SubmissionType == "3") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Admin_Teams_FP";
union Admin_Teams_FP
| project Count, Details, Timestamp
| render timechart
```
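To see what the query above computes without a Sentinel workspace, here is an added pure-Python re-implementation of its logic run over constructed CloudAppEvents-shaped rows. This is example code written for this page, not part of the hunting query or its repository; the sample rows and the fixed three-day window are made up, only the column names (Timestamp, ActionType, RawEventData) and the JSON keys the query reads (SubmissionType, SubmissionContentType) come from the query. It also adds a small `spike_days` hunting helper with an analyst-chosen threshold, which the page itself does not define.

```python
# Added example (not part of the original hunting query page): an offline, pure-Python
# re-implementation of the KQL daily-trend logic, so the shape of the result can be
# checked against constructed CloudAppEvents rows before running it in Sentinel.
import json
from datetime import datetime, timedelta, timezone


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def startofday(ts):
    """Equivalent of KQL startofday(): truncate to 00:00:00 UTC."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)


def _row(ts, action, sub_type, content_type):
    """Build one constructed CloudAppEvents-like row; RawEventData is JSON, as the query parse_json()s it."""
    return {"Timestamp": ts, "ActionType": action,
            "RawEventData": json.dumps({"SubmissionType": sub_type,
                                        "SubmissionContentType": content_type})}


# Constructed sample telemetry (fictional), chosen to exercise each branch of the filter.
SAMPLE_EVENTS = [
    _row("2024-05-01T09:12:00Z", "AdminSubmissionSubmitted", "3", "ChatMessage"),  # counted
    _row("2024-05-01T17:40:00Z", "AdminSubmissionSubmitted", "3", "ChatMessage"),  # counted
    _row("2024-05-01T18:00:00Z", "AdminSubmissionSubmitted", "1", "ChatMessage"),  # passes where, not countif
    _row("2024-05-02T08:00:00Z", "AdminSubmissionSubmitted", "3", "Email"),        # wrong content type
    _row("2024-05-03T08:00:00Z", "UserSubmission",           "3", "ChatMessage"),  # wrong ActionType
    _row("2024-05-03T23:59:00Z", "AdminSubmissionSubmitted", "3", "ChatMessage"),  # counted
]

# Fixed window standing in for startofday(ago(30d)) .. startofday(now()) so results are reproducible.
TIME_START = parse_ts("2024-05-01T00:00:00Z")
TIME_END = parse_ts("2024-05-04T00:00:00Z")


def base_query(events):
    """Mirror of baseQuery: extend SubmissionType/SubmissionContentType from RawEventData, then filter."""
    out = []
    for ev in events:
        raw = json.loads(ev["RawEventData"])
        row = dict(ev,
                   SubmissionType=str(raw.get("SubmissionType", "")),
                   SubmissionContentType=str(raw.get("SubmissionContentType", "")))
        if (row["ActionType"] == "AdminSubmissionSubmitted"
                and row["SubmissionContentType"] == "ChatMessage"):
            out.append(row)
    return out


def make_series_daily(rows, time_start, time_end):
    """Mirror of make-series Count=countif(SubmissionType=="3") default=0 on Timestamp step 1d.
    Every day in the window gets a bucket (zero-filled), so quiet days stay visible on the chart.
    The window is treated as [time_start, time_end) in this re-implementation."""
    days = []
    day = time_start
    while day < time_end:
        days.append(day)
        day += timedelta(days=1)
    counts = {d: 0 for d in days}
    for r in rows:
        bucket = startofday(parse_ts(r["Timestamp"]))
        if bucket in counts and r["SubmissionType"] == "3":
            counts[bucket] += 1
    return [(d, counts[d]) for d in days]


def admin_teams_fp_trend(events, time_start=TIME_START, time_end=TIME_END):
    """The full pipeline, returning the same columns the KQL projects (Count, Details, Timestamp)."""
    series = make_series_daily(base_query(events), time_start, time_end)
    return {"Details": "Admin_Teams_FP",
            "Timestamp": [d for d, _ in series],
            "Count": [c for _, c in series]}


def spike_days(trend, threshold):
    """Hunting helper (assumption, not from the page): days whose false-positive
    submission count exceeds an analyst-chosen threshold and deserve a closer look."""
    return [d for d, c in zip(trend["Timestamp"], trend["Count"]) if c > threshold]


if __name__ == "__main__":
    t = admin_teams_fp_trend(SAMPLE_EVENTS)
    for d, c in zip(t["Timestamp"], t["Count"]):
        print(d.date(), c)
    print("days above threshold 1:", [d.date() for d in spike_days(t, 1)])
```

With the constructed rows the series comes out as 2, 0, 1 for the three days: the Email submission and the non-admin submission are dropped by the `where` clause, the type "1" submission survives the filter but is not counted by `countif`, and 2 May shows as a zero rather than disappearing, which is what `default = 0` buys you on the chart.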
```yaml
id: 1a942d90-1e14-4fe9-8ad2-8af56ed16279
name: Teams Admin submission of No Threats daily trend
description: |
  This query visualises the daily amount of admin false positive Teams message submissions
description-detailed: |
  This query visualises the daily amount of admin false positive Teams message submissions
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
  //Admin submission of false positive Teams message detections daily trend
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  let baseQuery=CloudAppEvents
  | extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType)
  | where ActionType == "AdminSubmissionSubmitted" and SubmissionContentType == "ChatMessage";
  let Admin_Teams_FP=baseQuery
  | make-series Count= countif(SubmissionType == "3") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Admin_Teams_FP";
  union Admin_Teams_FP
  | project Count, Details, Timestamp
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Scenario: Daily Admin Review of User Activity Reports
Description: A Teams admin regularly reviews user activity reports to ensure compliance, which may trigger false positive submissions.
Filter/Exclusion: Exclude submissions where the action field is review_user_activity and the user_role is admin.
Scenario: Scheduled Job for Message Archiving
Description: A scheduled job runs to archive old messages, which can result in false positive submissions due to bulk message processing.
Filter/Exclusion: Exclude submissions where the job_name field contains archive_old_messages and the source is scheduled_job.
Scenario: Admin Submission of Non-Threat Messages for Testing
Description: An admin submits a sample message to test the system, which may be flagged as a false positive.
Filter/Exclusion: Exclude submissions where the message_id is in a predefined test message list or where the submitter_role is admin and test_flag is set to true.
Scenario: Regular Compliance Audit Submission
Description: During a compliance audit, an admin submits messages for review, which may be incorrectly flagged as threats.
Filter/Exclusion: Exclude submissions where the audit_flag is set to true and the submitter_role is admin.
Scenario: Automated Message Cleanup by Compliance Tools
Description: A third-party compliance tool automatically cleans up messages, which can generate false positive submissions.
Filter/Exclusion: Exclude submissions where the source_tool is compliance_tool and the action is message_cleanup.