In Defender for Office 365, an admin override is an organization-level configuration (for example a Tenant Allow/Block List entry, an anti-spam allowed sender or domain, or an Exchange mail flow rule) that allows or blocks a message regardless of the filtering verdict. Broad or stale allow overrides let phishing mail that the filtering stack would otherwise have stopped reach mailboxes, and an adversary with administrative access can create such entries deliberately to guarantee delivery. SOC teams should periodically hunt for which policies are producing overrides, review the allow overrides for unexpected or over-permissive entries, and confirm that every override is still justified.
KQL Query
EmailEvents
| where isnotempty(OrgLevelPolicy) and OrgLevelAction == "Allow" // change to "Block" to review block overrides
| extend OrgPolicy = trim(" ", tostring(split(OrgLevelPolicy, "(")[0])) // policy type without the parenthesised detail
| summarize Overrides = count() by OrgPolicy
| render piechart
id: c73ae295-d120-4f79-aaed-de005f766ad2
name: Top policies performing admin overrides
description: |
  This query helps in reviewing the top policies performing admin overrides (Allow/Block).
description-detailed: |
  This query helps in reviewing the top policies performing admin-defined detection overrides (Allow/Block) in Defender for Office 365.
  Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where isnotempty(OrgLevelPolicy) and OrgLevelAction == "Allow" // change to "Block" to review block overrides
  | extend OrgPolicy = trim(" ", tostring(split(OrgLevelPolicy, "(")[0])) // policy type without the parenthesised detail
  | summarize Overrides = count() by OrgPolicy
  | render piechart
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure the Microsoft Defender XDR data connector (connectorId MicrosoftThreatProtection) is enabled so this table is populated |
The exclusion scenarios below are written against a generic process.name field, which EmailEvents does not carry. To apply one of them to this query, express the exclusion on an EmailEvents column instead, for example on the derived OrgPolicy value or on SenderFromAddress. Each multi-value filter is also written in a not-in form: the chained form process.name != "a" OR process.name != "b" is true for every row and excludes nothing.
Scenario: Scheduled job to generate compliance reports
Description: A scheduled job runs daily to generate compliance reports, which may trigger admin overrides to allow certain actions.
Filter/Exclusion: process.name != "compliance_report_generator.exe"
Scenario: System update or patch deployment
Description: During a system update, administrators may override policies to allow temporary access to update tools or patch management software.
Filter/Exclusion: process.name not in ("patch_manager.exe", "update_agent.exe")
Scenario: User account provisioning or deprovisioning
Description: When provisioning or deprovisioning user accounts, administrators may override policies to allow access to Active Directory tools or identity management systems.
Filter/Exclusion: process.name not in ("ad_provisioning_tool.exe", "identity_manager.exe")
Scenario: Security tool configuration or tuning
Description: Security analysts may override policies to configure or tune endpoint detection and response (EDR) tools, such as CrowdStrike or Microsoft Defender.
Filter/Exclusion: process.name not in ("crowdstrike_falcon.exe", "microsoft_defender.exe")
Scenario: Backup and restore operations
Description: During backup or restore operations, administrators may override policies to allow access to backup tools or restore processes.
Filter/Exclusion: process.name not in ("backup_tool.exe", "restore_agent.exe")
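The following is an added example, not part of the original hunting query, that exercises the override summary above and the exclusion logic from the scenarios against constructed EmailEvents rows. The column names are the real EmailEvents columns; the OrgLevelPolicy strings, addresses and message IDs are assumptions made up for the example, and the ExcludedPolicies list is a hypothetical tuning list. Paste it into Advanced Hunting or a Sentinel Logs query to see the grouping before pointing the query at live data.

```kusto
// Added example (not from the original page): constructed EmailEvents rows.
// The column set is real; the policy strings, addresses and IDs are assumptions.
let SampleEmailEvents = datatable(
    Timestamp:datetime,
    NetworkMessageId:string,
    SenderFromAddress:string,
    RecipientEmailAddress:string,
    OrgLevelAction:string,
    OrgLevelPolicy:string
)[
    datetime(2024-05-01 08:00:00), "msg-1", "billing@partner.example",        "ap@contoso.example",  "Allow", "Tenant Allow/Block List (Domain: partner.example)",
    datetime(2024-05-01 08:05:00), "msg-2", "billing@partner.example",        "cfo@contoso.example", "Allow", "Tenant Allow/Block List (Domain: partner.example)",
    datetime(2024-05-01 09:10:00), "msg-3", "it-helpdesk@mail-relay.example", "cfo@contoso.example", "Allow", "Exchange transport rule (Bypass spam filtering - ETR42)",
    datetime(2024-05-01 09:12:00), "msg-4", "it-helpdesk@mail-relay.example", "hr@contoso.example",  "Allow", "Exchange transport rule (Bypass spam filtering - ETR42)",
    datetime(2024-05-01 10:00:00), "msg-5", "news@bulk.example",              "all@contoso.example", "Block", "Anti-spam policy (Blocked domains)",
    datetime(2024-05-01 11:30:00), "msg-6", "ceo@contoso.example",            "cfo@contoso.example", "",      ""
];
// Hypothetical list of policy types reviewed elsewhere and excluded here.
// The !in form excludes every listed value; a chain of != joined with "or"
// would match every row and exclude nothing.
let ExcludedPolicies = dynamic(["Anti-spam policy"]);
let Action = "Allow";   // switch to "Block" to review block overrides
SampleEmailEvents
| where isnotempty(OrgLevelPolicy) and OrgLevelAction == Action
// Keep the policy type, drop the parenthesised detail, trim the trailing space
| extend OrgPolicy = trim(" ", tostring(split(OrgLevelPolicy, "(")[0]))
| where OrgPolicy !in (ExcludedPolicies)
// Per policy type: how many messages it let through, and who sent/received them,
// so an over-broad allow that benefits one external sender stands out
| summarize
    Overrides = count(),
    Senders = make_set(SenderFromAddress, 10),
    Recipients = make_set(RecipientEmailAddress, 10),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
  by OrgPolicy
| order by Overrides desc
```

On the constructed rows the Block row and the row with no override drop out at the first filter, and the remaining allows group by policy type rather than by the full OrgLevelPolicy string, which is what lets a single Tenant Allow/Block List entry or mail flow rule that is carrying many messages show up as one line. Replace SampleEmailEvents with EmailEvents and add a time window to run it against production data.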