Admin Submission Trend (FN)

Hunt Hypothesis

Adversaries may exploit admin submission false negatives to bypass detection and maintain persistent access within the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential evasion tactics and mitigate advanced persistent threats.

KQL Query

let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let baseQuery = CloudAppEvents
| where Timestamp >= TimeStart
| where ActionType contains "Submission"
| extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType);
let Admin_Malware_FN=baseQuery
| make-series Count= countif(SubmissionType == "2" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail" ) default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Admin_Malware_FN";
let Admin_Phish_FN=baseQuery
| make-series Count= countif(SubmissionType == "1" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail" ) default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Admin_Phish_FN";
let Admin_Spam_FN=baseQuery
| make-series Count= countif(SubmissionType == "0" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Admin_Spam_FN";
let Admin_Malware_URL_FN=baseQuery
| make-series Count= countif(SubmissionType == "2" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="URL") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Admin_Malware_URL_FN";
let Admin_Malware_Attach_FN=baseQuery
| make-series Count= countif(SubmissionType == "2" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Attachment") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Admin_Malware_Attach_FN";
let Admin_Phish_URL_FN=baseQuery
| make-series Count= countif(SubmissionType == "1" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="URL") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Admin_Phish_URL_FN";
let Admin_Phish_Attach_FN=baseQuery
| make-series Count= countif(SubmissionType == "1" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Attachment") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Admin_Phish_Attach_FN";
union Admin_Malware_FN,Admin_Phish_FN,Admin_Spam_FN,Admin_Malware_URL_FN,Admin_Malware_Attach_FN,Admin_Phish_URL_FN,Admin_Phish_Attach_FN
| project Count, Details, Timestamp
| render timechart

Analytic Rule Definition

id: 4ec96a3b-94b0-4662-8ee6-b95102e20430
name: Admin Submission Trend (FN)
description: |
  This query visualises the daily amount of admin false negative submission by submission type.
description-detailed: |
  This query visualises the daily amount of admin false negative submission by submission type.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  let baseQuery = CloudAppEvents
  | where Timestamp >= TimeStart
  | where ActionType contains "Submission"
  | extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType);
  let Admin_Malware_FN=baseQuery
  | make-series Count= countif(SubmissionType == "2" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail" ) default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Admin_Malware_FN";
  let Admin_Phish_FN=baseQuery
  | make-series Count= countif(SubmissionType == "1" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail" ) default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Admin_Phish_FN";
  let Admin_Spam_FN=baseQuery
  | make-series Count= countif(SubmissionType == "0" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Admin_Spam_FN";
  let Admin_Malware_URL_FN=baseQuery
  | make-series Count= countif(SubmissionType == "2" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="URL") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Admin_Malware_URL_FN";
  let Admin_Malware_Attach_FN=baseQuery
  | make-series Count= countif(SubmissionType == "2" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Attachment") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Admin_Malware_Attach_FN";
  let Admin_Phish_URL_FN=baseQuery
  | make-series Count= countif(SubmissionType == "1" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="URL") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Admin_Phish_URL_FN";
  let Admin_Phish_Attach_FN=baseQuery
  | make-series Count= countif(SubmissionType == "1" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Attachment") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Admin_Phish_Attach_FN";
  union Admin_Malware_FN,Admin_Phis

Required Data Sources

Sentinel Table	Notes
`CloudAppEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: InitialAccess
Technique: T1566 — T1566

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Submissions/Admin Submission Trend - FN.yaml)

False Positive Guidance

Scenario: Scheduled system maintenance job submits logs
Filter/Exclusion: Exclude submissions with submission_type = "system_maintenance" and source_tool = "logstash"
Scenario: Admin uses SIEM tool to submit test data for rule validation
Filter/Exclusion: Exclude submissions with source_tool = "splunk" and submission_reason = "rule_validation"
Scenario: Admin manually imports CSV data for reporting purposes
Filter/Exclusion: Exclude submissions with submission_type = "data_import" and source_tool = "excel"
Scenario: Automated backup process submits logs to the SIEM
Filter/Exclusion: Exclude submissions with source_tool = "backup_agent" and submission_type = "log_submission"
Scenario: Admin runs a script to generate synthetic data for training
Filter/Exclusion: Exclude submissions with submission_type = "synthetic_data" and source_tool = "python_script"