Admin submissions are how a Defender for Office 365 administrator reports a delivered message, URL or attachment to Microsoft as something that should have been blocked (a false negative). Only privileged accounts can make them, so a compromised or misused admin account can abuse the feature, for example by flooding it with reports that do not reflect genuine findings in order to bury real submissions in noise and obscure the attacker's own activity. The hunting query below, for Microsoft Sentinel (the page still uses the older Azure Sentinel name), lists the most active false-negative submitters so the SOC can baseline them and spot an account that is newly or unusually prolific.
KQL Query

```kusto
CloudAppEvents
| where ActionType == "AdminSubmissionSubmitted"
// The fields of interest are only in the RawEventData JSON, so parse it once.
| extend Raw = parse_json(RawEventData)
| extend Record = toint(Raw.RecordType),              // 29 = MailSubmission in the Office 365 audit schema
         SubmissionState = tostring(Raw.SubmissionState),
         UserId = tostring(Raw.UserId),
         SubmissionType = tostring(Raw.SubmissionType)
// SubmissionType 0, 1 and 2 are the false-negative submission categories this hunt is about.
| where Record == 29 and SubmissionType in ("0", "1", "2")
| summarize count() by UserId
| top 15 by count_
| render columnchart
```
```yaml
id: 220448c8-f9cd-4a91-bde0-1f30d8c81936
name: Top accounts performing admin submissions (FN)
description: |
  This query visualises the top admins performing false negative submissions
description-detailed: |
  This query visualises the top admins performing false negative submissions in Defender for Office 365
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "AdminSubmissionSubmitted"
  | extend Raw = parse_json(RawEventData)
  | extend Record = toint(Raw.RecordType),              // 29 = MailSubmission
           SubmissionState = tostring(Raw.SubmissionState),
           UserId = tostring(Raw.UserId),
           SubmissionType = tostring(Raw.SubmissionType)
  | where Record == 29 and SubmissionType in ("0", "1", "2")   // false-negative submission types
  | summarize count() by UserId
  | top 15 by count_
  | render columnchart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure the Microsoft Defender XDR data connector (`MicrosoftThreatProtection`) is enabled and the CloudAppEvents table is selected for ingestion |
False positives and exclusions. The data source is the Microsoft 365 audit record inside CloudAppEvents, not a Windows host, so Windows Security and System event IDs (4624, 4732, 1000, 41 and the like) have no counterpart here; any exclusion has to be expressed in KQL against the fields the query extracts (UserId, SubmissionType, Timestamp).

Scenario: SOC analysts and messaging administrators whose job is to report missed phishing, so the same handful of accounts legitimately top the chart every period.
Filter/Exclusion: Keep those UserId values in a maintained list (a Sentinel watchlist works well) and exclude them, or compare each account's count with its own history so that only new or unusually prolific submitters remain.

Scenario: Bulk clean-up after a phishing campaign, where one administrator submits dozens of messages in a single session.
Filter/Exclusion: The query has no time window, so one incident can dominate the totals; add a time filter matching the hunting period and correlate a spike with an open incident or ticket before treating it as suspicious.

Scenario: Automation, such as a ticketing or SOAR workflow that submits on behalf of analysts under a service account.
Filter/Exclusion: Exclude the service account's UserId explicitly. A flat, periodic submission rate is characteristic of automation, whereas a burst outside business hours from an account with no prior submission history is exactly the case this hunt is meant to surface.
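The hunt and the exclusions above, as an added example in Python that is not part of the original page or of the Sentinel solution it references: it applies the same three filters (ActionType, RecordType 29, SubmissionType 0/1/2) to constructed CloudAppEvents-shaped rows, counts false-negative submissions per UserId, and then adds the two checks the exclusions call for, an allow-list of known analysts and a comparison of the last day against a 30-day baseline so that a first-time or spiking submitter stands out. The sample rows, account names, the assumed "now" and the spike thresholds are all constructed for the example.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constants mirrored from the KQL query. RecordType 29 is the MailSubmission record
# in the Office 365 audit schema; SubmissionType 0/1/2 are the values the query
# treats as false-negative (should have been blocked) admin submissions.
MAIL_SUBMISSION = 29
FN_SUBMISSION_TYPES = {"0", "1", "2"}
FN_ACTION = "AdminSubmissionSubmitted"
NOW = datetime(2024, 5, 31, tzinfo=timezone.utc)  # assumed "now" for the constructed data


def make_row(ts, user, record_type=MAIL_SUBMISSION, submission_type="0",
             action=FN_ACTION, state="Submitted"):
    """Build one CloudAppEvents-shaped row; the fields of interest live in RawEventData JSON."""
    raw = {"RecordType": record_type, "SubmissionType": submission_type,
           "UserId": user, "SubmissionState": state}
    return {"Timestamp": ts, "ActionType": action, "RawEventData": json.dumps(raw)}


# Constructed sample (not real tenant data): two analysts with a steady habit, one
# global admin that suddenly submits a dozen reports late at night, and rows that
# the three filters must drop.
SAMPLE_ROWS = (
    [make_row(f"2024-05-{d:02d}T09:00:00Z", "analyst1@contoso.example", submission_type=str(d % 3))
     for d in range(1, 31)]
    + [make_row(f"2024-05-{d:02d}T09:00:00Z", "analyst2@contoso.example") for d in range(1, 31, 3)]
    + [make_row("2024-05-30T22:13:00Z", "globaladmin@contoso.example", submission_type="1")] * 12
    + [make_row("2024-05-29T10:00:00Z", "analyst1@contoso.example", submission_type="3")]   # not an FN type
    + [make_row("2024-05-29T10:00:00Z", "analyst1@contoso.example", record_type=40)]        # not MailSubmission
    + [make_row("2024-05-29T10:00:00Z", "analyst1@contoso.example", action="UserSubmission")]  # wrong ActionType
)


def fn_submissions(rows):
    """Mirror of the KQL where/extend stages: keep only false-negative admin submissions."""
    out = []
    for row in rows:
        if row["ActionType"] != FN_ACTION:
            continue
        data = json.loads(row["RawEventData"])
        if data.get("RecordType") != MAIL_SUBMISSION:
            continue
        if str(data.get("SubmissionType")) not in FN_SUBMISSION_TYPES:
            continue
        ts = datetime.fromisoformat(row["Timestamp"].replace("Z", "+00:00"))
        out.append({"Timestamp": ts, "UserId": data["UserId"],
                    "SubmissionType": str(data["SubmissionType"])})
    return out


def top_submitters(rows, n=15, exclude=()):
    """summarize count() by UserId | top n, with an optional allow-list of known analysts."""
    known = set(exclude)
    counts = Counter(e["UserId"] for e in fn_submissions(rows) if e["UserId"] not in known)
    return counts.most_common(n)


def spike_submitters(rows, now=NOW, lookback_days=1, baseline_days=30, ratio=3.0, min_count=5):
    """Flag accounts whose submissions in the last `lookback_days` exceed `ratio` times the
    rate implied by their own prior `baseline_days`, or who have no baseline at all.
    Thresholds are assumptions for the example, not values from the page."""
    recent_start = now - timedelta(days=lookback_days)
    baseline_start = recent_start - timedelta(days=baseline_days)
    recent, baseline = Counter(), Counter()
    for e in fn_submissions(rows):
        if recent_start <= e["Timestamp"] <= now:
            recent[e["UserId"]] += 1
        elif baseline_start <= e["Timestamp"] < recent_start:
            baseline[e["UserId"]] += 1
    flagged = {}
    for user, count in recent.items():
        if count < min_count:
            continue  # too few events to call a spike
        expected = baseline[user] / baseline_days * lookback_days
        if baseline[user] == 0 or count > ratio * expected:
            flagged[user] = {"recent": count, "baseline_total": baseline[user]}
    return flagged


if __name__ == "__main__":
    print("Top submitters:", top_submitters(SAMPLE_ROWS))
    print("After excluding known analysts:",
          top_submitters(SAMPLE_ROWS, exclude=("analyst1@contoso.example", "analyst2@contoso.example")))
    print("Spiking or first-time submitters:", spike_submitters(SAMPLE_ROWS))
```

The plain top-N list ranks the two analysts highest, exactly the false positive the first scenario describes; the allow-list removes them, and the baseline check surfaces the global admin's twelve late-night submissions even without any allow-list, because that account has no submission history at all.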