A Teams message that an admin submits to Microsoft as a false negative is one that was delivered even though it turned out to be malicious, typically a phishing lure or a chat message carrying a malicious link or attachment (T1566). SOC teams should hunt for these submissions in Microsoft Sentinel: a sender who appears repeatedly is a candidate for blocking, and the overall volume shows how much Teams-based phishing is getting past the filtering controls.
KQL Query

```kql
// Admin submissions of Teams chat messages reported as false negatives,
// counted per sender (P2Sender) and limited to the ten most frequent senders.
CloudAppEvents
| where ActionType == "AdminSubmissionSubmitted"
| extend RawEvent = parse_json(RawEventData)
| extend SubmissionType = tostring(RawEvent.SubmissionType),
         SubmissionContentType = tostring(RawEvent.SubmissionContentType),
         P2Sender = tostring(RawEvent.P2Sender)
// Teams chat messages only; SubmissionType 1 and 2 are the false-negative submission types used by this query
| where SubmissionContentType == "ChatMessage" and SubmissionType in ("1", "2")
| summarize TeamsMessages = count() by P2Sender
| top 10 by TeamsMessages desc
```
```yaml
id: 49071a21-fbb6-472f-932f-5b6ca1a25883
name: Top 10 senders of Admin Teams message submissions FN
description: |
  This query visualises Teams messages submitted by admins as false negatives, summarizing the data by the top 10 individual senders of those messages.
description-detailed: |
  This query visualises Teams messages submitted by admins as false negatives, summarizing the data by the top 10 individual senders of those messages.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "AdminSubmissionSubmitted"
  | extend RawEvent = parse_json(RawEventData)
  | extend SubmissionType = tostring(RawEvent.SubmissionType),
           SubmissionContentType = tostring(RawEvent.SubmissionContentType),
           P2Sender = tostring(RawEvent.P2Sender)
  | where SubmissionContentType == "ChatMessage" and SubmissionType in ("1", "2")
  | summarize TeamsMessages = count() by P2Sender
  | top 10 by TeamsMessages desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) data connector is enabled and the CloudAppEvents table is being ingested. |
Legitimate sources of admin-submitted Teams messages that can inflate the sender counts, and the exclusion each one suggests. Note that the query only surfaces the sender (P2Sender), so in practice exclusions are applied as a sender allowlist inserted before the summarize; a recipient-based exclusion first needs the recipient field extracted from RawEventData.

| Scenario | Filter/Exclusion |
|---|---|
| Admins use Microsoft Teams to send routine status updates to the Teams Admin Center or Microsoft 365 Admin Center. | Exclude messages sent to URLs containing /admin or /settings in the recipient field. |
| Power Automate or PowerShell scripts automate reporting tasks, posting messages to Microsoft Teams channels for logging. | Exclude messages sent from known automation accounts or service principals (e.g., powerautomate@domain.com). |
| System Center Configuration Manager (SCCM) or Intune sends alerts or notifications to a Teams channel for incident reporting. | Exclude messages from known system or service accounts (e.g., sccm@domain.com, intune@domain.com). |
| Azure DevOps or GitHub Actions sends build or deployment status updates to a Teams channel as part of CI/CD pipelines. | Exclude messages from known CI/CD service accounts (e.g., azuredevops@domain.com, github-actions@domain.com). |
| Microsoft Endpoint Manager (MEM) sends notifications about device compliance or security alerts to a Teams channel for monitoring. | Exclude messages from the MEM service account or Microsoft Graph API-related senders. |
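The following is an added example, not part of the original hunting query, showing how the sender-based exclusions above are applied to the query and how the whole thing can be tested without a live workspace. The `CloudAppEvents` table is replaced by a constructed `datatable` of sample submissions, and the sender addresses and the `KnownAutomationSenders` allowlist are assumptions chosen to illustrate each filter; adapt the list to the automation accounts in your tenant.

```kql
// Added example: the hunting query with a sender allowlist, run against
// constructed sample rows instead of the live CloudAppEvents table.
// All addresses below are invented for illustration.
let SampleCloudAppEvents = datatable(Timestamp:datetime, ActionType:string, RawEventData:dynamic)
[
    // two false-negative submissions from the same external sender -> should be reported
    datetime(2024-05-01 09:00:00), "AdminSubmissionSubmitted", dynamic({"SubmissionType":"1","SubmissionContentType":"ChatMessage","P2Sender":"attacker@example.net"}),
    datetime(2024-05-01 09:05:00), "AdminSubmissionSubmitted", dynamic({"SubmissionType":"2","SubmissionContentType":"ChatMessage","P2Sender":"Attacker@example.net"}),
    // CI/CD bot on the allowlist -> dropped by the exclusion
    datetime(2024-05-01 09:10:00), "AdminSubmissionSubmitted", dynamic({"SubmissionType":"1","SubmissionContentType":"ChatMessage","P2Sender":"github-actions@contoso.com"}),
    // submission type outside the false-negative set -> dropped
    datetime(2024-05-01 09:15:00), "AdminSubmissionSubmitted", dynamic({"SubmissionType":"3","SubmissionContentType":"ChatMessage","P2Sender":"vendor@example.org"}),
    // email submission, not a Teams chat message -> dropped
    datetime(2024-05-01 09:20:00), "AdminSubmissionSubmitted", dynamic({"SubmissionType":"1","SubmissionContentType":"Email","P2Sender":"mailer@example.org"}),
    // user submission rather than an admin submission -> dropped
    datetime(2024-05-01 09:25:00), "UserSubmission", dynamic({"SubmissionType":"1","SubmissionContentType":"ChatMessage","P2Sender":"vendor@example.org"})
];
// Assumed allowlist built from the false-positive scenarios; keep it short and reviewed,
// because every address here is blind to the detection.
let KnownAutomationSenders = dynamic([
    "powerautomate@contoso.com",
    "sccm@contoso.com",
    "intune@contoso.com",
    "azuredevops@contoso.com",
    "github-actions@contoso.com"
]);
SampleCloudAppEvents
| where ActionType == "AdminSubmissionSubmitted"
| extend RawEvent = parse_json(RawEventData)
| extend SubmissionType = tostring(RawEvent.SubmissionType),
         SubmissionContentType = tostring(RawEvent.SubmissionContentType),
         // normalise case so the same sender is not split across two rows
         P2Sender = tolower(tostring(RawEvent.P2Sender))
| where SubmissionContentType == "ChatMessage" and SubmissionType in ("1", "2")
// sender allowlist from the false-positive scenarios
| where P2Sender !in (KnownAutomationSenders)
| summarize TeamsMessages = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by P2Sender
| top 10 by TeamsMessages desc
```

Against the sample rows only attacker@example.net survives, with a count of 2; the two case variants collapse into one sender because of the `tolower()` step, and the allowlisted CI/CD bot, the type-3 submission, the email submission and the user submission are each dropped by the filter that targets them. To run it against production, delete the `SampleCloudAppEvents` definition and put `CloudAppEvents` back at the head of the pipeline; the `FirstSeen`/`LastSeen` columns are a cheap way to tell a one-off burst from a sender who keeps getting through.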