The hypothesis is that an adversary is using multiple techniques to evade traditional security controls, as indicated by a high number of detections across the different Microsoft Defender for Office 365 (MDO) detection categories. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential multi-layered attacks and uncover hidden adversary activity that may not be captured by single-point detection rules.
KQL Query

```kql
let totalinbound = EmailEvents
| where EmailDirection == "Inbound"
| summarize Count = count()
| extend Details = "Total Inbound Emails";
let totalintraorg = EmailEvents
| where EmailDirection == "Intra-org"
| summarize Count = count()
| extend Details = "Total Intra-org Emails";
let totaloutbound = EmailEvents
| where EmailDirection == "Outbound"
| summarize Count = count()
| extend Details = "Total Outbound Emails";
let totalwiththreat = EmailEvents
| where isnotempty(ThreatTypes)
| summarize Count = count()
| extend Details = "Total Emails with Threats";
let phishingcount = EmailEvents
| where ThreatTypes has ('Phish')
| summarize Count = count()
| extend Details = "Emails Detected as Phish";
let malwarecount = EmailEvents
| where ThreatTypes has ('Malware')
| summarize Count = count()
| extend Details = "Emails Detected as Malware";
let spamcount = EmailEvents
| where ThreatTypes has ('Spam')
| summarize Count = count()
| extend Details = "Emails Detected as Spam";
let usersubmissioncount = CloudAppEvents
| extend Record = (parse_json(RawEventData)).RecordType
| extend SubmissionState = (parse_json(RawEventData)).SubmissionState
| where Record == 29 | where ActionType == "UserSubmission"
| summarize Count = count()
| extend Details = "Total Emails Reported by Users";
let adminsubmissioncount = CloudAppEvents
| extend Record = (parse_json(RawEventData)).RecordType
| extend SubmissionState = (parse_json(RawEventData)).SubmissionState
| where Record == 29 | where ActionType == "AdminSubmission"
| summarize Count = count()
| extend Details = "Total Emails Reported by Admins";
let zapcount = EmailPostDeliveryEvents
| where ActionResult == "Success"
| where ActionType == "Phish ZAP" or ActionType == "Malware ZAP"
| summarize Count = count()
| extend Details = "Total Emails Removed by ZAP";
union totalinbound, phishingcount, malwarecount, spamcount, totalintraorg, totaloutbound, totalwiththreat, usersubmissioncount, zapcount, adminsubmissioncount
| project Count, Details
| order by Count desc
```
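The summary query above gives one total per category over the whole lookback window, which tells you how many detections there were but not when they arrived. The following query is an added example, not part of the original hunting query or the Sentinel solution it references: it splits the same ThreatTypes values per day and flags days whose count for a category sits more than two standard deviations above that category's daily average, so a burst of phish or malware detections stands out against the normal volume. It assumes that ThreatTypes is a comma-separated list (so an email tagged both Phish and Malware is counted once in each category, matching the `has` logic above), a 30-day lookback, and the z-score threshold of 2; all three are assumptions you can tune.

```kql
// Added example: daily trend of the same ThreatTypes categories the summary
// query counts, with a simple per-category spike check.
let lookback = 30d;          // assumption: 30-day hunting window
let spike_threshold = 2.0;   // assumption: flag days > 2 stdev above the mean
let daily = EmailEvents
| where Timestamp > ago(lookback)
| where isnotempty(ThreatTypes)
// assumption: ThreatTypes is a comma-separated list such as "Phish, Malware";
// splitting it keeps an email in every category it was tagged with,
// mirroring the separate `has` filters of the summary query.
| extend Category = split(ThreatTypes, ",")
| mv-expand Category to typeof(string)
| extend Category = trim(@"\s+", Category)
| where Category in ("Phish", "Malware", "Spam")
| summarize Count = count() by Day = bin(Timestamp, 1d), Category;
// Per-category baseline over the same window.
let baseline = daily
| summarize AvgPerDay = avg(Count), StdPerDay = stdev(Count) by Category;
daily
| join kind=inner baseline on Category
| extend ZScore = iff(StdPerDay > 0, (Count - AvgPerDay) / StdPerDay, 0.0)
| where ZScore > spike_threshold
| project Day, Category, Count, AvgPerDay = round(AvgPerDay, 1), ZScore = round(ZScore, 2)
| order by Day desc, Category asc
```

Days that the query returns are candidates for the multi-layered activity in the hypothesis: pivot from them into EmailEvents for that day to see whether the spike comes from a single sender domain or campaign, and check EmailPostDeliveryEvents for the matching ZAP actions to confirm that post-delivery remediation kept pace with the detections.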
```yaml
id: e1903106-9b25-472e-b4b7-4bcc05328a48
name: Total number of detections by MDO
description: |
  Provides a summary of total number of detections
description-detailed: |
  Provides a summary of total number of detections by Defender for Office 365
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - CloudAppEvents
      - EmailPostDeliveryEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let totalinbound = EmailEvents
  | where EmailDirection == "Inbound"
  | summarize Count = count()
  | extend Details = "Total Inbound Emails";
  let totalintraorg = EmailEvents
  | where EmailDirection == "Intra-org"
  | summarize Count = count()
  | extend Details = "Total Intra-org Emails";
  let totaloutbound = EmailEvents
  | where EmailDirection == "Outbound"
  | summarize Count = count()
  | extend Details = "Total Outbound Emails";
  let totalwiththreat = EmailEvents
  | where isnotempty(ThreatTypes)
  | summarize Count = count()
  | extend Details = "Total Emails with Threats";
  let phishingcount = EmailEvents
  | where ThreatTypes has ('Phish')
  | summarize Count = count()
  | extend Details = "Emails Detected as Phish";
  let malwarecount = EmailEvents
  | where ThreatTypes has ('Malware')
  | summarize Count = count()
  | extend Details = "Emails Detected as Malware";
  let spamcount = EmailEvents
  | where ThreatTypes has ('Spam')
  | summarize Count = count()
  | extend Details = "Emails Detected as Spam";
  let usersubmissioncount = CloudAppEvents
  | extend Record = (parse_json(RawEventData)).RecordType
  | extend SubmissionState = (parse_json(RawEventData)).SubmissionState
  | where Record == 29 | where ActionType == "UserSubmission"
  | summarize Count = count()
  | extend Details = "Total Emails Reported by Users";
  let adminsubmissioncount = CloudAppEvents
  | extend Record = (parse_json(RawEventData)).RecordType
  | extend SubmissionState = (parse_json(RawEventData)).SubmissionState
  | where Record == 29 | where ActionType == "AdminSubmission"
  | summarize Count = count()
  | extend Details = "Total Emails Reported by Admins";
  let zapcount = EmailPostDeliveryEvents
  | where ActionResult == "Success"
  | where ActionType == "Phish ZAP" or ActionType == "Malware ZAP"
  | summarize Count = count()
  | extend Details = "Total Emails Removed by ZAP";
  union totalinbound, phishingcount, malwarecount, spamcount, totalintraorg, totaloutbound, totalwiththreat, usersubmissioncount, zapcount, adminsubmissioncount
  | project Count, Details
  | order by Count desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| EmailEvents | Ensure this data connector is enabled |
| EmailPostDeliveryEvents | Ensure this data connector is enabled (used for the ZAP count) |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| System integrity check using Microsoft Defender for Endpoint (MDE) | Automated scans or integrity checks by MDE can generate a high number of detections due to benign file changes or signature updates. | Exclude events where the detection is related to Microsoft Defender for Endpoint and the source is a system integrity scan or scheduled update task. |
| Windows Task Scheduler running a legitimate maintenance job | Scheduled tasks such as disk cleanup, log rotation, or backup jobs may trigger detection rules if they modify files or system settings. | Exclude events where the source is a known system task (e.g., Task Scheduler or Windows Backup) and the process is a trusted maintenance script. |
| Microsoft Intune policy deployment or device compliance checks | Intune can trigger file changes or configuration updates on devices, which may be flagged as potential threats. | Exclude events where the source is Microsoft Intune and the action is related to policy deployment or compliance checks. |
| Windows Update or Group Policy refresh | Updates and policy refreshes can cause temporary file changes or registry modifications that may be flagged as suspicious. | Exclude events where the source is Windows Update or Group Policy Client and the event is related to a known update or policy refresh. |
| Third-party endpoint security tools performing a full system scan | Tools like Kaspersky, Bitdefender, or Norton may generate a high number of detections during a full system scan, which is a normal part of their operation. | Exclude events where the source is a known third-party security tool and the event is related to a scheduled |