Adversaries may override security policies to bypass controls and maintain persistent access. SOC teams should proactively hunt for user overrides in Azure Sentinel to identify potential policy circumvention and detect stealthy lateral movement or privilege escalation attempts.
KQL Query

```kusto
EmailEvents
| where UserLevelPolicy != "" and UserLevelAction == "Allow" // set to "Block" to review user block overrides instead
| extend UserPolicy = tostring(split(UserLevelPolicy, "(")[0]) // policy name without the parenthesised detail
| summarize count() by UserPolicy
| render piechart
```
```yaml
id: fe2cb53e-4eb3-4676-87c1-f80d2813f542
name: Top policies performing user overrides
description: |
  This query helps in reviewing top policies for user overrides (Allow/Block)
description-detailed: |
  This query helps in reviewing top policies for user-defined detection overrides (Allow/Block) in Defender for Office 365.
  Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where UserLevelPolicy != "" and UserLevelAction == "Allow" // set to "Block" to review user block overrides instead
  | extend UserPolicy = tostring(split(UserLevelPolicy, "(")[0]) // policy name without the parenthesised detail
  | summarize count() by UserPolicy
  | render piechart
version: 1.0.0
```
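To see what the hunt's filter, policy-name normalisation and summarize step produce before running it against live EmailEvents data, here is an added offline replica in Python. This is example code, not part of the Sentinel query page or the Defender for Office 365 schema; the sample rows and the `policy name (detail)` shape of the `UserLevelPolicy` strings are constructed assumptions chosen to match what the KQL `split` on `"("` expects. It also adds a per-recipient breakdown, which the page's query does not do, so an analyst can see which mailboxes generate the Allow overrides.

```python
"""Offline replica of the 'Top policies performing user overrides' hunt.

Added example, not the page's own query. SAMPLE_EMAIL_EVENTS is a constructed
subset of EmailEvents columns; the UserLevelPolicy strings are made-up values
illustrating the "name (detail)" shape the KQL split(UserLevelPolicy, "(") assumes.
"""
from collections import Counter

# Constructed sample rows (only the columns the hunt uses).
SAMPLE_EMAIL_EVENTS = [
    {"NetworkMessageId": "m1", "RecipientEmailAddress": "alice@contoso.example",
     "UserLevelPolicy": "Safe sender list (alice@contoso.example)", "UserLevelAction": "Allow"},
    {"NetworkMessageId": "m2", "RecipientEmailAddress": "bob@contoso.example",
     "UserLevelPolicy": "Safe sender list (bob@contoso.example)", "UserLevelAction": "Allow"},
    {"NetworkMessageId": "m3", "RecipientEmailAddress": "carol@contoso.example",
     "UserLevelPolicy": "Blocked sender list (carol@contoso.example)", "UserLevelAction": "Block"},
    {"NetworkMessageId": "m4", "RecipientEmailAddress": "alice@contoso.example",
     "UserLevelPolicy": "Safe domain list (partner.example)", "UserLevelAction": "Allow"},
    # No user-level override at all: the KQL `where UserLevelPolicy != ""` drops this row.
    {"NetworkMessageId": "m5", "RecipientEmailAddress": "dave@contoso.example",
     "UserLevelPolicy": "", "UserLevelAction": ""},
    {"NetworkMessageId": "m6", "RecipientEmailAddress": "alice@contoso.example",
     "UserLevelPolicy": "Safe sender list (alice@contoso.example)", "UserLevelAction": "Allow"},
]


def policy_name(user_level_policy):
    """Mirror `tostring(split(UserLevelPolicy, "(")[0])`: keep the text before the first '('.

    Whitespace is trimmed so 'Safe sender list ' and 'Safe sender list' group together.
    """
    return user_level_policy.split("(", 1)[0].strip()


def override_rows(rows, action="Allow"):
    """Mirror the KQL `where` clause: a user-level policy was in effect and took `action`."""
    return [r for r in rows
            if r.get("UserLevelPolicy") and r.get("UserLevelAction") == action]


def top_override_policies(rows, action="Allow"):
    """Mirror `summarize count() by UserPolicy`, ordered like a pie chart legend (largest first).

    Returns a list of (policy name, count) tuples.
    """
    counts = Counter(policy_name(r["UserLevelPolicy"]) for r in override_rows(rows, action))
    return counts.most_common()


def overrides_by_recipient(rows, action="Allow"):
    """Extra triage view not in the page's query: which mailboxes produce the overrides.

    Returns a dict mapping recipient address -> number of matching override events.
    """
    return dict(Counter(r["RecipientEmailAddress"] for r in override_rows(rows, action)))


if __name__ == "__main__":
    for act in ("Allow", "Block"):
        print(f"{act} overrides by policy:", top_override_policies(SAMPLE_EMAIL_EVENTS, act))
    print("Allow overrides by recipient:", overrides_by_recipient(SAMPLE_EMAIL_EVENTS))
```

Swap `SAMPLE_EMAIL_EVENTS` for rows exported from the Sentinel query results (for example via the Log Analytics API or a CSV export) to reproduce the chart counts locally; the recipient breakdown is the natural next pivot when one policy dominates the chart.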
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually overriding a policy to allow access to a critical service during a scheduled maintenance window.
  - Filter/Exclusion: Exclude events where the user is a known admin or has a role such as admin, security_admin, or super_admin.
- Scenario: A user is overriding a policy to allow access to a specific application during a temporary testing phase.
  - Filter/Exclusion: Exclude events where the user is associated with a test environment or has a role such as test_user, qa_user, or dev_user.
- Scenario: A scheduled job or automation script is configured to override a policy to ensure compliance with a third-party service integration.
  - Filter/Exclusion: Exclude events where the source is a known automation tool such as Ansible, Chef, or Puppet, or where the action is initiated by a scheduled task.
- Scenario: A user is overriding a policy to allow access to a shared folder for collaboration purposes.
  - Filter/Exclusion: Exclude events where the user is part of a shared group or has a role such as collaborator, team_member, or shared_user.
- Scenario: A policy override is triggered by a false positive detection from a security tool like CrowdStrike or Microsoft Defender, leading to a manual review.
  - Filter/Exclusion: Exclude events where the source is a security tool such as CrowdStrike, Microsoft Defender, or SentinelOne, or where the override is initiated by a false positive review task.