Adversaries may abuse the Teams message submission mechanism, reporting messages as false positives or false negatives, to interfere with the detection of phishing (T1566) and evade monitoring. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment, since unusual submission volumes can indicate an attempt to obscure phishing activity used in advanced persistent threats.
KQL Query
```kql
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let baseQuery=CloudAppEvents
| extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType)
| where ActionType == "UserSubmission" and SubmissionContentType == "ChatMessage";
let User_TeamsSubmission_FN_FP=baseQuery
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "User_TeamsSubmission_FN_FP";
union User_TeamsSubmission_FN_FP
| project Count, Details, Timestamp
| render timechart
```
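As an added example, not part of the original rule or of the Microsoft Sentinel content, the Python below reproduces the query's filter and zero-filled daily series offline over constructed CloudAppEvents rows, including the malformed-RawEventData and non-chat rows that the where clause drops. The field layout of RawEventData and the SubmissionType values are assumptions made for the sample.

```python
import json
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta


def _ev(ts, action, raw):
    """One constructed CloudAppEvents row; RawEventData is a JSON string, as in the table."""
    return {"Timestamp": ts, "ActionType": action, "RawEventData": raw}


# Constructed sample rows, not real telemetry; SubmissionType values are illustrative placeholders.
SAMPLE_EVENTS = [
    _ev("2024-05-01T08:12:00Z", "UserSubmission",
        json.dumps({"SubmissionType": "FalsePositive", "SubmissionContentType": "ChatMessage"})),
    _ev("2024-05-01T17:40:00Z", "UserSubmission",
        json.dumps({"SubmissionType": "FalseNegative", "SubmissionContentType": "ChatMessage"})),
    _ev("2024-05-02T09:05:00Z", "UserSubmission",  # email submission, not a ChatMessage: dropped
        json.dumps({"SubmissionType": "FalsePositive", "SubmissionContentType": "Email"})),
    _ev("2024-05-03T11:00:00Z", "AdminSubmission",  # wrong ActionType: dropped
        json.dumps({"SubmissionType": "FalsePositive", "SubmissionContentType": "ChatMessage"})),
    _ev("2024-05-03T12:30:00Z", "UserSubmission", "not json"),  # malformed payload: dropped
    _ev("2024-05-04T14:00:00Z", "UserSubmission",
        json.dumps({"SubmissionType": "FalseNegative", "SubmissionContentType": "ChatMessage"})),
]


def teams_chat_submissions(events):
    """Mirror baseQuery: parse RawEventData and keep UserSubmission rows about a ChatMessage."""
    kept = []
    for ev in events:
        try:
            raw = json.loads(ev["RawEventData"])
        except (TypeError, ValueError):
            continue  # parse_json() yields null for bad JSON, so the where clause drops the row
        if (isinstance(raw, dict) and ev.get("ActionType") == "UserSubmission"
                and raw.get("SubmissionContentType") == "ChatMessage"):
            kept.append({**ev, "SubmissionType": str(raw.get("SubmissionType", ""))})
    return kept


def daily_series(events, start_iso, end_iso):
    """Mirror make-series ... default = 0 ... step 1d over [start, end): one zero-filled bucket per
    day as (day, total, per-SubmissionType breakdown); the breakdown is extra, the KQL only counts."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    totals, by_type = Counter(), defaultdict(Counter)
    for ev in teams_chat_submissions(events):
        day = datetime.fromisoformat(ev["Timestamp"].replace("Z", "+00:00")).date()
        if start <= day < end:
            totals[day] += 1
            by_type[day][ev["SubmissionType"]] += 1
    series, day = [], start
    while day < end:
        series.append((day.isoformat(), totals.get(day, 0), dict(by_type.get(day, {}))))
        day += timedelta(days=1)
    return series
```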
```yaml
id: ace8e98a-660b-4fa9-a877-60644eb83344
name: Teams User submissions daily trend
description: |
  This query visualises the daily amount of user false negative and false positive Teams message submissions
description-detailed: |
  This query visualises the daily amount of user false negative and false positive Teams message submissions
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  let baseQuery=CloudAppEvents
  | extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType)
  | where ActionType == "UserSubmission" and SubmissionContentType == "ChatMessage";
  let User_TeamsSubmission_FN_FP=baseQuery
  | make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "User_TeamsSubmission_FN_FP";
  union User_TeamsSubmission_FN_FP
  | project Count, Details, Timestamp
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled Compliance Audit Job | A scheduled job runs daily to audit user activity and submit logs to Teams for compliance purposes. | `team_message_submission.source = "compliance_audit_job"` |
| User-Initiated Report Generation | A user generates a report using Microsoft Power BI or Excel that automatically sends the report to a Teams channel. | `team_message_submission.user_action = "report_generation"` |
| System-Generated Alerts via Microsoft Sentinel | Microsoft Sentinel sends automated alerts to a Teams channel as part of its incident response workflow. | `team_message_submission.source = "microsoft_sentinel"` |
| Backup and Restore Operations | A backup tool like Veeam or Azure Backup sends status updates to a Teams channel during backup/restore operations. | `team_message_submission.source = "backup_tool"` |
| Admin Task Notifications | An admin task, such as user provisioning or role assignment via Azure AD, triggers a Teams message notification. | `team_message_submission.source = "azure_ad_admin_task"` |