Adversaries may be using admin Teams accounts to submit false negative reports, leveraging trusted sender domains to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential insider threats or compromised admin accounts.
KQL Query

```kql
CloudAppEvents
| where ActionType == "AdminSubmissionSubmitted"
| extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
         SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType),
         P2SenderDomain = tostring(parse_json(RawEventData).P2SenderDomain)
| where SubmissionContentType == "ChatMessage" and SubmissionType in ("2", "1")
| summarize count() by P2SenderDomain
| project P2SenderDomain, TeamsMessages = count_
| top 10 by TeamsMessages desc
```
```yaml
id: 132dffdf-3ee0-4748-8509-fbd3a92e5c9f
name: Top 10 sender domains - Admin Teams message submissions FN
description: |
  This query visualises Teams messages submitted by admins as false negatives, summarizing the data by the top 10 sender domains of those messages.
description-detailed: |
  This query visualises Teams messages submitted by admins as false negatives, summarizing the data by the top 10 sender domains of those messages.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "AdminSubmissionSubmitted"
  | extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
           SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType),
           P2SenderDomain = tostring(parse_json(RawEventData).P2SenderDomain)
  | where SubmissionContentType == "ChatMessage" and SubmissionType in ("2", "1")
  | summarize count() by P2SenderDomain
  | project P2SenderDomain, TeamsMessages = count_
  | top 10 by TeamsMessages desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Scenario: Admins are using Microsoft Teams to communicate during routine system maintenance or incident response.
Filter/Exclusion: Exclude messages sent from domains associated with internal Microsoft services (e.g., teams.microsoft.com, microsoft.com), or filter on the sender domain field (P2SenderDomain in the query above) in the detection logic to exclude known internal domains.
Scenario: Scheduled jobs or automated scripts are sending messages to admin teams via Microsoft Teams for alerting or status updates.
Filter/Exclusion: Exclude messages sent from known automation tools or service accounts (e.g., azuredevops.com, jenkins.io, aws.amazon.com) by checking the sender domain or sender e-mail field.
Scenario: Admins are using Teams to collaborate on internal documentation or knowledge base updates.
Filter/Exclusion: Exclude messages from domains associated with internal collaboration tools (e.g., sharepoint.com, onedrive.com, microsoftteams.com), or maintain a custom list of internal domains for exclusion.
Scenario: Admins are using Teams to coordinate with third-party vendors or service providers for support or SLA tracking.
Filter/Exclusion: Exclude messages from known vendor domains (e.g., service-now.com, zendesk.com, salesforce.com) by adding those domains to an exclusion list in the detection rule.
Scenario: Admins are using Teams to share logs or diagnostic information with internal security or operations teams.
Filter/Exclusion: Exclude messages sent from internal security tools or log aggregation systems (e.g., splunk.com, sumologic.com, logz.io) by filtering on the sender domain or on message content keywords.
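The exclusion scenarios above all reduce to the same tuning step: keep the base hunt, drop sender domains you have vetted as benign, and keep enough context to tell a noisy automation domain apart from a single admin account generating most of the submissions. The query below is an added example of that tuning and is not part of the original hunting query or its YAML; the domain list is a constructed placeholder to be replaced with the tenant's own vetted domains, and it assumes the `Timestamp` and `AccountDisplayName` columns of the `CloudAppEvents` table alongside the `RawEventData` fields the original query already uses.

```kql
// Added tuning example (not the original hunting query): same CloudAppEvents
// logic, with a vetted-domain exclusion list and per-domain context.
let lookback = 30d;
// Constructed placeholder list; replace with the domains vetted for your tenant
// (internal services, automation/service accounts, known vendors).
let excludedSenderDomains = dynamic([
    "internal-mail.example",
    "automation.example",
    "vendor-support.example"
]);
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == "AdminSubmissionSubmitted"
// Parse the JSON payload once rather than once per field
| extend Raw = parse_json(RawEventData)
| extend SubmissionType = tostring(Raw.SubmissionType),
         SubmissionContentType = tostring(Raw.SubmissionContentType),
         P2SenderDomain = tostring(Raw.P2SenderDomain)
| where SubmissionContentType == "ChatMessage" and SubmissionType in ("1", "2")
// Case-insensitive exclusion of the vetted sender domains; empty domains are
// dropped so they do not collapse into one misleading bucket
| where isnotempty(P2SenderDomain) and P2SenderDomain !in~ (excludedSenderDomains)
// Keep the submitting admins and the time span next to the count, so one
// account driving most submissions for a domain is visible in the result
| summarize TeamsMessages = count(),
            SubmittingAdmins = make_set(AccountDisplayName, 10),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by P2SenderDomain
| top 10 by TeamsMessages desc
```

When a domain keeps appearing after tuning, the `SubmittingAdmins` set is the pivot: many admins reporting the same sender domain points at a filtering gap for that sender, while one admin account reporting many unrelated domains is the pattern the introduction describes and warrants a look at that account's recent sign-ins and role changes.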