Adversaries may abuse the admin submission workflow by manipulating false negative submissions so that they never reach a state that triggers detection, which is a possible evasion tactic. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate advanced persistent threats that evade traditional detection mechanisms.
KQL Query
CloudAppEvents
| where ActionType contains "AdminSubmission"
| extend Raw = parse_json(RawEventData)
| extend Record = Raw.RecordType,
         SubmissionState = Raw.SubmissionState,
         SubmissionId = Raw.SubmissionId,
         SubmissionType = Raw.SubmissionType,
         SubmissionContentType = tostring(Raw.SubmissionContentType)
// RecordType 29 with SubmissionType 0-2 selects the admin false negative submissions this query reports on
| where Record == 29 and SubmissionType in ("0","1","2")
| summarize count() by tostring(SubmissionState)
| render piechart
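The pie chart above only gives totals per state. The following drill-down is an added example, not part of the original hunting query, and assumes the standard CloudAppEvents columns Timestamp, AccountDisplayName and ReportId; it lists individual false negative submissions whose state changed or that were submitted more than once, so an analyst can pivot from a suspicious slice of the chart to the underlying events.

```kql
// Added drill-down for the admin false negative submission query (not part of the original query).
// Assumes the standard CloudAppEvents columns Timestamp, AccountDisplayName and ReportId.
let lookback = 30d;
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType contains "AdminSubmission"
| extend Raw = parse_json(RawEventData)
| extend Record = Raw.RecordType,
         SubmissionState = tostring(Raw.SubmissionState),
         SubmissionId = tostring(Raw.SubmissionId),
         SubmissionType = Raw.SubmissionType,
         SubmissionContentType = tostring(Raw.SubmissionContentType)
// Same selection as the reporting query: admin false negative submissions only
| where Record == 29 and SubmissionType in ("0","1","2")
// One row per submission: when it was first and last seen, every state it passed through,
// how many events refer to it and which admin account raised it
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            States = make_set(SubmissionState),
            Events = count(),
            ReportIds = make_set(ReportId)
          by SubmissionId, SubmissionContentType, AccountDisplayName
// Keep submissions whose state changed or that were re-submitted; a single-event,
// single-state submission is the normal case and is noise for this hunt
| where array_length(States) > 1 or Events > 1
| extend OpenFor = LastSeen - FirstSeen
| project SubmissionId, SubmissionContentType, AccountDisplayName,
          FirstSeen, LastSeen, OpenFor, States, Events, ReportIds
| order by LastSeen desc
```

Run it over the same lookback window as the chart; the ReportIds column lets you join back to the raw CloudAppEvents rows for a specific submission.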
id: eb1a6d00-aa08-4e27-9eb4-47f4ac37ccb4
name: Admin Submissions by Submission State (FN)
description: |
  This query visualises the total number of admin false negative submissions by the state of the submission.
description-detailed: |
  This query visualises the total number of admin false negative submissions by the state of the submission.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType contains "AdminSubmission"
  | extend Raw = parse_json(RawEventData)
  | extend Record = Raw.RecordType,
           SubmissionState = Raw.SubmissionState,
           SubmissionId = Raw.SubmissionId,
           SubmissionType = Raw.SubmissionType,
           SubmissionContentType = tostring(Raw.SubmissionContentType)
  | where Record == 29 and SubmissionType in ("0","1","2")
  | summarize count() by tostring(SubmissionState)
  | render piechart
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job Submission
Description: A legitimate scheduled job (e.g., using Ansible Tower, Jenkins, or Airflow) submits admin tasks as part of routine maintenance.
Filter/Exclusion: Exclude submissions with job_type or task_id matching known scheduled job identifiers (e.g., job_id = 'scheduled_maintenance_123').

Scenario: User Account Lockout Reset
Description: An admin resets a user account lockout via Microsoft Azure AD or AWS IAM, which may trigger the rule due to the admin action.
Filter/Exclusion: Exclude submissions with action_type = 'account_lockout_reset' or tool = 'Azure_AD'.

Scenario: System Health Check Submission
Description: A system health check tool (e.g., Puppet, Chef, or SaltStack) submits admin tasks to validate system status.
Filter/Exclusion: Exclude submissions with tool = 'Puppet' or task_name = 'system_health_check'.

Scenario: Compliance Audit Submission
Description: An admin submits a compliance audit report using Splunk, ELK Stack, or SIEM tools, which may be flagged as an admin submission.
Filter/Exclusion: Exclude submissions with tool = 'Splunk' or task_type = 'compliance_audit'.

Scenario: Password Policy Enforcement
Description: An admin enforces password policy changes via Active Directory or LDAP, which may be misclassified as a false negative submission.
Filter/Exclusion: Exclude submissions with action = 'password_policy_update' or source = 'AD'.