Total Submissions by Submission State

Hunt Hypothesis

Adversaries may use automated tools to submit large volumes of payloads to cloud storage services, leveraging submission state tracking to exfiltrate data or establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential exfiltration or command-and-control activity associated with T1566.

KQL Query

CloudAppEvents
| extend Record = (parse_json(RawEventData)).RecordType
| extend SubmissionState = (parse_json(RawEventData)).SubmissionState
| extend UserKey = (parse_json(RawEventData)).UserKey
| where Record == 29
| where ActionType == "UserSubmission" or ActionType == "AdminSubmission"
| summarize count() by tostring(SubmissionState)//, bin(Timestamp, 1d) | sort by count_
// | render piechart // Uncomment this line to render as a graph

Analytic Rule Definition

id: 47e8ea7f-a7eb-4fe3-a96b-efe01155d9d3
name: Total Submissions by Submission State
description: |
  Total Submissions by Submission State
description-detailed: |
  Total Submissions by Submission Statein Defender for Office 365
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | extend Record = (parse_json(RawEventData)).RecordType
  | extend SubmissionState = (parse_json(RawEventData)).SubmissionState
  | extend UserKey = (parse_json(RawEventData)).UserKey
  | where Record == 29
  | where ActionType == "UserSubmission" or ActionType == "AdminSubmission"
  | summarize count() by tostring(SubmissionState)//, bin(Timestamp, 1d) | sort by count_
  // | render piechart // Uncomment this line to render as a graph
version: 1.0.0

Required Data Sources

MITRE ATT&CK Context

• Tactic: InitialAccess
• Technique: T1566 — T1566

References

• [Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Submissions/Total Submissions by Submission State.yaml)

False Positive Guidance

• Scenario: Scheduled system backups using Veeam Backup & Replication
  Filter/Exclusion: Exclude submissions with submission_state = "success" and source = "Veeam Backup"

• Scenario: Automated log collection via Splunk Universal Forwarder
  Filter/Exclusion: Exclude submissions with submission_state = "success" and source = "Splunk UF"

• Scenario: Regular Active Directory replication jobs using AD Replication Monitor
  Filter/Exclusion: Exclude submissions with submission_state = "success" and source = "AD Replication"

• Scenario: PowerShell scheduled tasks for system maintenance
  Filter/Exclusion: Exclude submissions with submission_state = "success" and command_line LIKE '%powershell.exe -Command%'

• Scenario: Ansible playbook execution for configuration management
  Filter/Exclusion: Exclude submissions with submission_state = "success" and source = "Ansible" or command_line LIKE '%ansible-playbook%'