Adversaries may abuse the admin submission process: phishing mail (T1566) that is wrongly submitted as a false positive can slip past monitoring. SOC teams should proactively hunt for this behaviour in Azure Sentinel to spot such evasion and to prevent false-positive submissions from masking malicious activity.
KQL Query
```kql
CloudAppEvents
| where ActionType contains "AdminSubmission"
// Pull the submission fields out of the raw Office 365 audit record
| extend
    Record = parse_json(RawEventData).RecordType,
    SubmissionState = parse_json(RawEventData).SubmissionState,
    SubmissionId = parse_json(RawEventData).SubmissionId,
    SubmissionType = parse_json(RawEventData).SubmissionType,
    SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType)
// RecordType 29 = MailSubmission; SubmissionType "3" = reported as a false positive
| where Record == 29 and SubmissionType == "3"
| summarize count() by tostring(SubmissionState)
| render piechart
```
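A variation of the query above, added here as an example and not part of the original hunting query: it parses RawEventData once, keeps the same RecordType/SubmissionType filter, and counts false-positive submissions per submitting account per day so a burst from one account stands out against its own baseline. It assumes the standard CloudAppEvents columns Timestamp and AccountDisplayName; the lookback and thresholds are constructed starting points.

```kql
// Added example (not the page's own query): same population of admin
// false-positive submissions, counted per account per day.
// Assumes CloudAppEvents columns Timestamp and AccountDisplayName (standard
// columns); lookback and thresholds below are constructed starting values.
let lookback = 30d;
let FpSubmissions = CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType contains "AdminSubmission"
    | extend Raw = parse_json(RawEventData)   // parse once, reuse below
    | extend
        RecordType = toint(Raw.RecordType),                 // 29 = MailSubmission
        SubmissionType = tostring(Raw.SubmissionType),      // "3" = false positive
        SubmissionState = tostring(Raw.SubmissionState),
        SubmissionId = tostring(Raw.SubmissionId),
        SubmissionContentType = tostring(Raw.SubmissionContentType)
    | where RecordType == 29 and SubmissionType == "3";
// Daily count per account, then compare each account's busiest day
// with its own average over the lookback window.
FpSubmissions
| summarize DailyCount = count() by AccountDisplayName, Day = bin(Timestamp, 1d)
| summarize
    DaysActive = dcount(Day),
    AvgPerDay = avg(DailyCount),
    MaxPerDay = max(DailyCount)
    by AccountDisplayName
// Flag accounts whose peak day is well above their own baseline (tune to your tenant).
| where MaxPerDay >= 10 and MaxPerDay > 3 * AvgPerDay
| order by MaxPerDay desc
```

Accounts returned here are candidates for review, not verdicts; check the SubmissionId values behind a flagged day before acting on them.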
```yaml
id: 598e2ee8-8d1d-4ded-998e-52cc43cf1160
name: Admin Submissions by Submission State (FP)
description: |
  This query visualises the total amount of admin false positive submissions by the state of the submission.
description-detailed: |
  This query visualises the total amount of admin false positive submissions by the state of the submission.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType contains "AdminSubmission"
  | extend
      Record = parse_json(RawEventData).RecordType,
      SubmissionState = parse_json(RawEventData).SubmissionState,
      SubmissionId = parse_json(RawEventData).SubmissionId,
      SubmissionType = parse_json(RawEventData).SubmissionType,
      SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType)
  | where Record == 29 and SubmissionType == "3"
  | summarize count() by tostring(SubmissionState)
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
- Scenario: Scheduled system maintenance tasks using Ansible or Chef that generate admin submissions as part of routine configuration updates.
  Filter/Exclusion: Exclude submissions with task_type = 'scheduled_maintenance' or tool = 'ansible' and job_name LIKE '%maintenance%'.
- Scenario: Jenkins or GitLab CI/CD pipelines that submit admin tasks for automated deployment or configuration changes.
  Filter/Exclusion: Exclude submissions with source = 'jenkins' or source = 'gitlab_ci' and job_name LIKE '%deploy%' or job_name LIKE '%config%'.
- Scenario: Puppet or SaltStack orchestration jobs that submit admin actions during system state synchronization.
  Filter/Exclusion: Exclude submissions with tool = 'puppet' or tool = 'saltstack' and action = 'state_synchronize'.
- Scenario: Splunk or ELK Stack admin tasks that submit data ingestion or indexing configurations.
  Filter/Exclusion: Exclude submissions with tool = 'splunk' or tool = 'elk' and action = 'data_ingestion' or action = 'index_config'.
- Scenario: Kubernetes cluster management tasks using kubectl or Helm that submit admin actions for deployment or scaling.
  Filter/Exclusion: Exclude submissions with tool = 'kubectl' or tool = 'helm' and action = 'deploy' or action = 'scale'.