Admins submitting emails as false positives may indicate an adversary attempting to bypass email filtering mechanisms by mimicking legitimate administrative activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential evasion tactics and prevent unauthorized access.
KQL Query

```kql
CloudAppEvents
| where ActionType == "AdminSubmissionSubmitted"
// RawEventData is a JSON string; pull out the submission metadata the filter needs
| extend
    SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
    SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType)
| extend
    // SubmissionType 3 with content type Mail is an admin "false positive" submission
    Admin_SubmissionType = iff(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType == "Mail", "Admin_Email_FP", "Other"),
    P2SenderDomain = tostring(parse_json(RawEventData).P2SenderDomain),
    NetworkMessageId = tostring(parse_json(RawEventData).ObjectId),
    // What the filtering stack originally decided about the message, and whether a policy overrode it
    DetectionVerdict = tostring(parse_json(RawEventData).DeliveryMessageInfo.FinalFilterVerdict),
    PolicyOverride = tostring(parse_json(RawEventData).DeliveryMessageInfo.PolicyOverride),
    PolicyOverrideType = tostring(parse_json(RawEventData).DeliveryMessageInfo.PolicySource)
| where SubmissionContentType == "Mail" and SubmissionType == "3"
| summarize Emails = count() by PolicyOverride, DetectionVerdict, Admin_SubmissionType
| top 10 by Emails desc
// | render piechart // Uncomment this line to render as a graph
```
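To check the query's parse-and-filter logic offline before scheduling it, here is an added Python example (not from the page or the Sentinel solution) that reproduces the same extend, where and summarize stages over constructed CloudAppEvents rows; the sample verdicts, override values and message ids are assumptions, only the field names mirror the query.

```python
import json
from collections import Counter

def _event(msg_id, verdict, override, source, content="Mail"):
    """Build one constructed RawEventData payload using the field names the query parses."""
    return ("AdminSubmissionSubmitted", json.dumps({
        "SubmissionType": 3, "SubmissionContentType": content,
        "P2SenderDomain": "vendor.example", "ObjectId": msg_id,
        "DeliveryMessageInfo": {"FinalFilterVerdict": verdict,
                                "PolicyOverride": override, "PolicySource": source}}))

# Constructed rows as (ActionType, RawEventData JSON text); values are made up.
SAMPLE_EVENTS = [
    _event("msg-0001", "Phish", "None", "AntiPhish"),
    _event("msg-0002", "Phish", "None", "AntiPhish"),
    _event("msg-0003", "Spam", "TransportRule", "ETR"),
    _event("msg-0004", "Malware", "None", "SafeLinks", content="URL"),  # URL, not Mail: excluded
    ("UserSubmission", json.dumps({"SubmissionType": 1, "SubmissionContentType": "Mail"})),
]

def classify(action_type, raw_event_data):
    """Mirror the query's extend/where stages for one row; None means the row is filtered out."""
    data = json.loads(raw_event_data)
    submission_type = str(data.get("SubmissionType", ""))      # tostring(): JSON 3 -> "3"
    content_type = str(data.get("SubmissionContentType", ""))
    if action_type != "AdminSubmissionSubmitted" or content_type != "Mail" or submission_type != "3":
        return None
    delivery = data.get("DeliveryMessageInfo") or {}
    return {
        "Admin_SubmissionType": "Admin_Email_FP",   # the only value that survives the final where
        "P2SenderDomain": str(data.get("P2SenderDomain", "")),
        "NetworkMessageId": str(data.get("ObjectId", "")),
        "DetectionVerdict": str(delivery.get("FinalFilterVerdict", "")),
        "PolicyOverride": str(delivery.get("PolicyOverride", "")),
        "PolicyOverrideType": str(delivery.get("PolicySource", "")),
    }

def summarize(events, top=10):
    """summarize count() by PolicyOverride, DetectionVerdict, Admin_SubmissionType | top N by Emails."""
    counts = Counter()
    for action_type, raw in events:
        row = classify(action_type, raw)
        if row is not None:
            counts[(row["PolicyOverride"], row["DetectionVerdict"], row["Admin_SubmissionType"])] += 1
    return counts.most_common(top)   # [((PolicyOverride, DetectionVerdict, Admin_SubmissionType), Emails), ...]
```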
```yaml
id: 4d525db4-ce23-49f7-844e-d06db21cdfa9
name: Admin Submissions by Detection Type
description: |
  This query visualises all emails submitted as false positives by admins, summarised by the original filter verdict threat type.
description-detailed: |
  This query visualises all emails submitted as false positives by admins, summarised by the original filter verdict threat type.
  The query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "AdminSubmissionSubmitted"
  | extend
      SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
      SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType)
  | extend
      Admin_SubmissionType = iff(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType == "Mail", "Admin_Email_FP", "Other"),
      P2SenderDomain = tostring(parse_json(RawEventData).P2SenderDomain),
      NetworkMessageId = tostring(parse_json(RawEventData).ObjectId),
      DetectionVerdict = tostring(parse_json(RawEventData).DeliveryMessageInfo.FinalFilterVerdict),
      PolicyOverride = tostring(parse_json(RawEventData).DeliveryMessageInfo.PolicyOverride),
      PolicyOverrideType = tostring(parse_json(RawEventData).DeliveryMessageInfo.PolicySource)
  | where SubmissionContentType == "Mail" and SubmissionType == "3"
  | summarize Emails = count() by PolicyOverride, DetectionVerdict, Admin_SubmissionType
  | top 10 by Emails desc
  // | render piechart // Uncomment this line to render as a graph
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Known false-positive scenarios. The `email_subject` and `email_sender` fields in the exclusions below are illustrative; in this query the fields available for exclusions are the ones extended from RawEventData, such as P2SenderDomain and NetworkMessageId.

Scenario: Scheduled System Backup Job Submission
Description: A scheduled backup job (e.g., via Veeam, Commvault, or native OS tools) submits emails as part of its operation, which may be flagged due to the email submission action.
Filter/Exclusion: email_subject contains "backup" OR email_sender contains "[email protected]"

Scenario: Admin-Initiated Email Archiving Task
Description: An admin uses an email archiving tool (e.g., Microsoft Exchange Archiving, Mimecast) to archive emails, which may trigger the rule due to the submission of archived emails.
Filter/Exclusion: email_subject contains "archive" OR email_sender contains "[email protected]"

Scenario: User-Submitted Email for Review by Admin
Description: An admin manually reviews an email submission (e.g., via Microsoft Defender for Office 365 or CrowdStrike Falcon) and submits it for further analysis, which may be flagged as a false positive.
Filter/Exclusion: email_sender contains "[email protected]" OR email_subject contains "review"

Scenario: Automated Email Notification from Monitoring Tools
Description: An admin tool (e.g., Nagios, Splunk, or Datadog) sends automated email notifications, which may be flagged due to the email submission action.
Filter/Exclusion: email_subject contains "alert" OR email_sender contains "[email protected]"

Scenario: Email Submission for Threat Intelligence Sharing
Description: An admin submits an email to a threat intelligence platform (e.g., Mandiant, Recorded Future, or CrowdStrike) for analysis, which may be flagged as a false positive.
Filter/Exclusion: email_sender contains "[email protected]" OR email_subject contains "threat intel"