Adversaries may abuse legitimate submission channels (user or admin submissions in Defender for Office 365) to pass malicious files or commands while evading detection, an activity mapped here to T1566 (Phishing) that may precede data exfiltration or payload execution. SOC teams should proactively hunt for unusual submission patterns in Azure Sentinel to identify potential covert exfiltration or command-and-control activity.
KQL Query

```kql
CloudAppEvents
| where ActionType == "UserSubmission" or ActionType == "AdminSubmission"
| summarize count() by ActionType
| render piechart
```
```yaml
id: 9fd55150-611d-400c-a27f-b18f33c18a41
name: Total Submissions by Submission Type
description: |
  Total Submissions by Submission Type
description-detailed: |
  Total Submissions by Submission Type in Defender for Office 365
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "UserSubmission" or ActionType == "AdminSubmission"
  | summarize count() by ActionType
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
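The page's query only totals submissions per type; the "unusual submission patterns" the introduction asks SOC teams to hunt for need a per-user baseline. The following KQL is an added example, not part of the original hunting query or the Defender for Office 365 solution: it compares each account's daily submission count against that account's own 30-day average and flags days that exceed a multiple of it. The `lookback`, `multiplier` and `minActiveDays` values are assumptions to tune per tenant; `AccountObjectId` and `AccountDisplayName` are standard `CloudAppEvents` columns.

```kql
// Added example: per-account submission volume compared with that account's baseline.
// Assumed tuning values (adjust to the tenant's normal submission behaviour).
let lookback = 30d;        // baseline window
let multiplier = 3.0;      // flag a day at >= 3x the account's daily mean
let minActiveDays = 5;     // ignore accounts with too little history for a baseline
// Daily submission counts per account and submission type.
let perDay =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("UserSubmission", "AdminSubmission")
    | summarize Submissions = count()
        by AccountObjectId, AccountDisplayName, ActionType, Day = bin(Timestamp, 1d);
// Each account's own baseline over the window.
let baseline =
    perDay
    | summarize DailyMean = avg(Submissions),
                DailyStdDev = stdev(Submissions),
                ActiveDays = dcount(Day)
        by AccountObjectId, ActionType;
// Days that stand out against the account's baseline; review these first,
// then add exclusions for known automation or analyst test accounts.
perDay
| join kind=inner baseline on AccountObjectId, ActionType
| where ActiveDays >= minActiveDays and Submissions >= DailyMean * multiplier
| project Day, AccountDisplayName, AccountObjectId, ActionType,
          Submissions, DailyMean, DailyStdDev
| order by Submissions desc
```

Accounts with fewer than `minActiveDays` days of history fall through this filter, so review new or rarely used accounts separately rather than treating their absence from the result as benign.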
Scenario: System update job submits logs to the SIEM
Description: A scheduled job (e.g., systemd-tmpfiles-setup or logrotate) submits logs to the SIEM as part of routine maintenance.
Filter/Exclusion: Exclude submissions with source field equal to "logrotate" or "systemd" and event_type equal to "log_submission".

Scenario: Admin manually submits a test file via the SIEM UI
Description: A security analyst manually uploads a test file (e.g., a sample malware or benign file) for analysis through the SIEM's file submission interface.
Filter/Exclusion: Exclude submissions with user field equal to "security_analyst" and submission_type equal to "manual_test_file".

Scenario: Automated backup process submits backup files
Description: A backup tool (e.g., Veeam, Commvault, or rsync) submits backup files to the SIEM as part of its job.
Filter/Exclusion: Exclude submissions with source field equal to "veeam" or "commvault" and file_type equal to "backup".

Scenario: SIEM configuration import triggers submission
Description: When importing a new rule or configuration into the SIEM (e.g., via Splunk, QRadar, or IBM X-Force), the system may submit a file or event as part of the import process.
Filter/Exclusion: Exclude submissions with source field equal to "siem_config_import" or event_type equal to "configuration_import".

Scenario: Scheduled log aggregation job submits logs
Description: A log aggregation tool (e.g., Fluentd, Logstash, or Graylog) submits logs to the SIEM