Adversaries may use compromised accounts to submit malicious payloads through user submission vectors, leveraging T1566 to exfiltrate data or execute code. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or persistence tactics early.
KQL Query
CloudAppEvents
| where Timestamp > ago(30d)
| extend Record= (parse_json(RawEventData)).RecordType
| extend SubmissionState = (parse_json(RawEventData)).SubmissionState
| extend UserId = (parse_json(RawEventData)).UserId
| where Record == 29
| where ActionType == "UserSubmission"
| summarize count() by tostring(UserId) | sort by count_ //| top 50 by count_
| render columnchart
id: dda13716-d906-45c5-877d-4df46ceb39e6
name: Top accounts performing user submissions
description: |
This query graphs top accounts performing user submissions
description-detailed: |
This query graphs top accounts performing user submissions in Defender for Office 365
Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
| extend Record= (parse_json(RawEventData)).RecordType
| extend SubmissionState = (parse_json(RawEventData)).SubmissionState
| extend UserId = (parse_json(RawEventData)).UserId
| where Record == 29
| where ActionType == "UserSubmission"
| summarize count() by tostring(UserId) | sort by count_ //| top 50 by count_
| render columnchart
version: 1.0.0| Sentinel Table | Notes |
|---|---|
CloudAppEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using Microsoft Intune to deploy a new application to user devices, which results in a high number of user submissions.
Filter/Exclusion: Exclude submissions from accounts with the Intune Admin role or those associated with Microsoft Endpoint Manager.
Scenario: A scheduled job in PowerShell is running nightly to update user profiles, causing a spike in user submission activity.
Filter/Exclusion: Exclude submissions originating from PowerShell or Task Scheduler with known job names (e.g., Update-UserProfiles).
Scenario: A security analyst is manually reviewing user activity in Microsoft 365 using the Microsoft 365 Admin Center, which triggers user submission events.
Filter/Exclusion: Exclude submissions from accounts with Global Admin or User Administrator roles, or from the Microsoft 365 Admin Center interface.
Scenario: A backup process using Veeam Backup & Replication is performing user data synchronization, leading to increased user submission activity.
Filter/Exclusion: Exclude submissions from Veeam or any process with the Veeam executable name or related service tags.
Scenario: A user migration task using Azure AD Connect is in progress, causing a temporary increase in user submission events.
Filter/Exclusion: Exclude submissions from Azure AD Connect or any account with the Azure AD Sync Admin role.