Teams chat is a phishing delivery channel (T1566): an external or compromised account sends a chat message carrying a lure, and recipients report it through user submission, either as a missed phish (a false negative) or, where the message was blocked or quarantined, as a false positive. This hunting query ranks the senders whose Teams chat messages users submitted most often, so a SOC team running Microsoft Sentinel can review the top senders for phishing campaigns that the automated filters did not stop, and for internal accounts that may have been taken over.
KQL Query
CloudAppEvents
| where ActionType == "UserSubmission"
| extend RawData = parse_json(RawEventData)
| extend SubmissionType = tostring(RawData.SubmissionType),
         SubmissionContentType = tostring(RawData.SubmissionContentType),
         P2Sender = tostring(RawData.P2Sender)
| where SubmissionContentType == "ChatMessage"
| summarize TeamsMessages = count() by P2Sender
| top 10 by TeamsMessages desc
id: 2d8448f5-c0a2-46d7-a004-e062970ccb7b
name: Top 10 senders - Teams users submissions FN or FP
description: |
  This query visualises Teams messages submitted by users as false negatives or false positives, summarising the data by the top 10 individual senders of those messages.
description-detailed: |
  This query visualises Teams messages submitted by users as false negatives or false positives, summarising the data by the top 10 individual senders of those messages.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "UserSubmission"
  | extend RawData = parse_json(RawEventData)
  | extend SubmissionType = tostring(RawData.SubmissionType),
           SubmissionContentType = tostring(RawData.SubmissionContentType),
           P2Sender = tostring(RawData.P2Sender)
  | where SubmissionContentType == "ChatMessage"
  | summarize TeamsMessages = count() by P2Sender
  | top 10 by TeamsMessages desc
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Populated by the MicrosoftThreatProtection (Microsoft Defender XDR) data connector; ensure the connector is enabled and the CloudAppEvents data type is selected |
Scenario: Automated system message from a Microsoft Teams integration
Description: A scheduled job or automation tool (e.g., Microsoft Power Automate, Azure DevOps, or a CI/CD pipeline) posts messages to Teams as part of its workflow. The query only counts messages that a user has submitted, but bulk notifications of this kind are frequently reported as unwanted or suspicious, so the automation account can climb into the top 10 without any malicious activity.
Filter/Exclusion: Exclude submissions whose sender is a known automation account or service principal by filtering on the P2Sender value the query extracts from RawEventData (e.g., `where P2Sender !in ("<automation-sender-address>")`), maintaining the list of known automation senders in a watchlist or a `let` statement.
Scenario: User submitting a message as part of a security incident response
Description: A security analyst or SOC team member is testing the submission pipeline, or is reporting a message as part of an incident, by manually submitting Teams messages from a dedicated incident response channel, which inflates the count for whatever sender they report.
Filter/Exclusion: Exclude submissions made by known SOC accounts by filtering on the submitting user's identity in CloudAppEvents (AccountObjectId or AccountDisplayName), e.g., `where AccountObjectId !in ("<soc-analyst-object-id>")`; keep the sender counts themselves, since a sender reported by the SOC may still be a real phishing source.
Scenario: Regular administrative tasks in Teams (e.g., user onboarding, role assignment)
Description: An admin uses Teams to message users during onboarding, role assignment, or other administrative tasks; recipients who do not recognise the account may report the messages, so the admin account appears as a top sender.
Filter/Exclusion: Exclude known administrative sender addresses by filtering on P2Sender (e.g., `where P2Sender !in ("<admin-sender-address>")`). Do not exclude admin accounts wholesale: a compromised admin account sending lures over Teams is exactly what the query should surface, so review any admin sender reported by several distinct users before adding it to the exclusion list.
Scenario: Scheduled report or alert delivery via Teams
Description: A scheduled report or alert from a SIEM, endpoint detection, or threat intelligence tool (e.g., Splunk, CrowdStrike, or Microsoft Sentinel) is sent to a Teams channel.
Filter/Exclusion: Exclude messages where the sender is a SIEM or security tool (e.g., @Splunk, @Microsoft Sentinel, or `@Crowd
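As an added example (not part of the original hunting query or the Sentinel content it comes from), the KQL below combines the sender exclusions from the scenarios above with two extra columns that help triage the top senders: how many distinct users reported each sender, and which submission labels the platform recorded for it. The addresses in ExcludedSenders and the MinReportingUsers threshold are placeholders to adapt to your tenant; AccountObjectId and TimeGenerated are the standard CloudAppEvents columns in Microsoft Sentinel, and the rest of the logic is the original query's.

```kusto
// Added example: tuned version of the "Top 10 senders" hunting query.
// ExcludedSenders and MinReportingUsers are hypothetical placeholders;
// replace them with the automation addresses and threshold used in your tenant.
let LookbackWindow = 30d;
let MinReportingUsers = 2;   // a sender reported by several different users is a stronger signal
let ExcludedSenders = dynamic([
    "noreply@example.com",          // hypothetical CI/CD notification account
    "sentinel-alerts@example.com"   // hypothetical scheduled-report sender
]);
CloudAppEvents
| where TimeGenerated > ago(LookbackWindow)
| where ActionType == "UserSubmission"
| extend RawData = parse_json(RawEventData)
| extend SubmissionType = tostring(RawData.SubmissionType),
         SubmissionContentType = tostring(RawData.SubmissionContentType),
         P2Sender = tostring(RawData.P2Sender)
| where SubmissionContentType == "ChatMessage"
| where isnotempty(P2Sender)
// Drop the known automation / reporting senders from the false-positive scenarios
| where P2Sender !in~ (ExcludedSenders)
| summarize TeamsMessages = count(),                    // submissions naming this sender
            ReportingUsers = dcount(AccountObjectId),   // distinct users who submitted them
            SubmissionTypes = make_set(SubmissionType), // FN / FP labels recorded by the platform
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
            by P2Sender
// One user repeatedly reporting the same sender is usually a personal dispute or a
// misunderstanding; several distinct reporters is closer to a campaign
| where ReportingUsers >= MinReportingUsers
| top 10 by TeamsMessages desc
```

Run it over a 30-day window first and compare the result with the untuned query: any sender that drops out only because of ExcludedSenders should be checked once by hand before the exclusion is kept, since a bot or service account that has been hijacked would otherwise be filtered permanently.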