Adversaries may submit false positives to evade detection and mask their malicious activity by manipulating admin submission logs. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential obfuscation tactics and uncover hidden threats.
KQL Query
CloudAppEvents
| where ActionType == "AdminSubmissionSubmitted"
// parse the raw audit record once and pull out the fields used below
| extend Raw = parse_json(RawEventData)
| extend Record = Raw.RecordType, SubmissionState = Raw.SubmissionState, UserId = Raw.UserId, SubmissionType = Raw.SubmissionType
// RecordType 29 = mail submission records; SubmissionType "3" is the submission class this hunt treats as a false-positive submission
| where Record == 29 and SubmissionType == "3"
| summarize count() by tostring(UserId)
| sort by count_
| top 15 by count_
| render columnchart
id: f458535d-f977-4392-90ce-663fcf4ac703
name: Top accounts performing admin submissions (FP)
description: |
  This query visualises the top admins performing false positive submissions
description-detailed: |
  This query visualises the top admins performing false positive submissions in Defender for Office 365
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "AdminSubmissionSubmitted"
  // parse the raw audit record once and pull out the fields used below
  | extend Raw = parse_json(RawEventData)
  | extend Record = Raw.RecordType, SubmissionState = Raw.SubmissionState, UserId = Raw.UserId, SubmissionType = Raw.SubmissionType
  // RecordType 29 = mail submission records; SubmissionType "3" is the submission class this hunt treats as a false-positive submission
  | where Record == 29 and SubmissionType == "3"
  | summarize count() by tostring(UserId)
  | sort by count_
  | top 15 by count_
  | render columnchart
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
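The query's filter and aggregation, reimplemented in Python over constructed sample rows so the logic can be checked offline. This is an added example, not code from the page or from Microsoft; the sample rows, the e-mail addresses and the outlier threshold in flag_outliers are assumptions of mine, and the outlier flag itself is an extra hunting heuristic that the page's query does not include.

```python
import json
from collections import Counter

# Constructed sample rows shaped like CloudAppEvents records (ActionType plus the
# RawEventData JSON string the query parses); these are not real telemetry.
def make_row(user, sub_type="3", record_type=29, action="AdminSubmissionSubmitted"):
    raw = {"RecordType": record_type, "SubmissionState": "Submitted",
           "UserId": user, "SubmissionType": sub_type}
    return {"ActionType": action, "RawEventData": json.dumps(raw)}

SAMPLE_ROWS = (
    [make_row("alice@contoso.example")] * 5        # 5 false-positive admin submissions
    + [make_row("bob@contoso.example")] * 2        # 2 false-positive admin submissions
    + [make_row("carol@contoso.example", sub_type="1")]   # other submission type: excluded
    + [make_row("dave@contoso.example", record_type=28)]  # not a mail-submission record: excluded
    + [make_row("erin@contoso.example", action="UserSubmission")]  # not an admin submission
    + [{"ActionType": "AdminSubmissionSubmitted", "RawEventData": "{not json"}]  # malformed
)

def admin_fp_submissions_by_user(rows, top=15):
    """Mirror the KQL: AdminSubmissionSubmitted events whose RawEventData has
    RecordType 29 and SubmissionType "3", counted per UserId, highest first."""
    counts = Counter()
    for row in rows:
        if row.get("ActionType") != "AdminSubmissionSubmitted":
            continue
        try:
            raw = json.loads(row.get("RawEventData") or "{}")
        except json.JSONDecodeError:
            continue  # parse_json() would yield null here and the row would drop out
        if not isinstance(raw, dict):
            continue
        # The KQL compares the dynamic value with the string literal "3"; str() also
        # accepts a numeric 3 should the field arrive as a number (an assumption).
        if raw.get("RecordType") != 29 or str(raw.get("SubmissionType")) != "3":
            continue
        counts[str(raw.get("UserId"))] += 1
    return counts.most_common(top)

def flag_outliers(ranked, factor=2):
    """Added hunting heuristic, not part of the page's query: flag any account whose
    count is at least `factor` times the (upper) median count of the other accounts."""
    flagged = []
    for user, n in ranked:
        others = sorted(c for u, c in ranked if u != user)
        if others and n >= factor * others[len(others) // 2]:
            flagged.append(user)
    return flagged

if __name__ == "__main__":
    ranked = admin_fp_submissions_by_user(SAMPLE_ROWS)
    for user, n in ranked:
        print(f"{n:3d}  {user}")
    print("review:", flag_outliers(ranked))
```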
Scenario: Scheduled System Maintenance Jobs
Description: Automated maintenance tasks (e.g., Windows Task Scheduler, Ansible, or Puppet jobs) may submit admin actions as part of routine system updates or configuration changes.
Filter/Exclusion: Exclude events where process.name is a known maintenance tool (e.g., schtasks.exe, ansible, puppet) or where event_id corresponds to scheduled job execution.
Scenario: User Account Creation or Modification via AD Tools
Description: Admins may use tools like ADUC (Active Directory Users and Computers) or PowerShell to create or modify user accounts, which can trigger admin submission alerts.
Filter/Exclusion: Exclude events where process.name is PowerShell.exe and the command line includes New-ADUser or Set-ADUser, or where the event is related to Active Directory operations.
Scenario: Logon/Logoff Events via Remote Desktop or SSH
Description: Admins logging in via RDP or SSH to perform administrative tasks may generate admin submission alerts due to the nature of the login activity.
Filter/Exclusion: Exclude events where process.name is mstsc.exe (RDP) or ssh.exe, and where the event is related to a known admin user logging in to a server.
Scenario: Patch Management Tools Performing Updates
Description: Tools like Microsoft Endpoint Configuration Manager (MECM), SCCM, or WSUS may submit admin actions as part of patch deployment or system updates.
Filter/Exclusion: Exclude events where process.name is ccmexec.exe, wsusutil.exe, or setup.exe, and where the event is associated with a known patch management tool.
Scenario: Backup and Restore Operations
Description: Backup