Step 1: Collect Teams logs: Enable Audit logs in Microsoft 365

Because Teams logs activity through Microsoft 365, audit logs aren't collected by default. Teams data is collected in the Microsoft 365 audit under Audit.General.

Step 2: Connect Office 365 logs to Azure Sentinel

Azure Sentinel provides a built-in connector for Office 365 logs, which enables you to ingest Teams data into Azure Sentinel together with other Office 365 data. More than one Microsoft 365 subscription can be surfaced in the same instance of Azure Sentinel. This allows for real-time monitoring and for hunting for threats in historical log files. Administrators can hunt using cross-resource queries, that is, within a single resource group, across resource groups, or in another subscription.

In Azure Sentinel, enable the Office 365 data connector. For more information, see the Azure Sentinel documentation.

Use these queries to familiarize yourself with your Teams data and Teams environment. Knowing how the environment should look and behave is a good first step in recognizing suspicious activity. From there, you can branch out into threat hunting.

Get the list of Teams sites that have federated external users. These users have a domain name and/or a UPN suffix that isn't owned by your organization. In this example query, the organization owns [owned domain elided from this copy]:

    | project TeamName, Operation, UserId, Members

To learn more about External and Guest access types in Teams, see Communicate with users from other organizations, or the Participant Types section in the Teams Security Guide.

Query a specific user to check if they were added to a Teams channel in the last seven days:

    OfficeActivity

Query whether a user's role changed for a Team in the last seven days:

    OfficeActivity

External users from unknown or new organizations

In Teams, you can add external users to your environment or channels. Organizations often have a limited number of key partnerships and add users from among these partners. This KQL looks at external users added to teams who come from organizations that haven't been seen or added before. For more information, see the query in the Azure Sentinel community GitHub.

External users who were added and then removed

Attackers with some level of existing access may add a new external account to Teams to access and exfiltrate data. They may also quickly remove that user to hide that they gained access. This query hunts for external accounts that are added to Teams and swiftly removed, to help identify suspicious behavior. For more information, see the query in the Azure Sentinel community GitHub.

New bot or application added

Teams can include apps or bots in a Team to extend the feature set (including custom apps and bots). In some cases, an app or bot can be used for persistence in Teams without needing a user account, and can access files and other data. This query hunts for apps or bots that are new to Teams. For more information, see the query in the Azure Sentinel community GitHub.

User accounts who are Owners of large numbers of Teams

Attackers looking to elevate their privileges may assign themselves Owner privileges on a large number of diverse teams. Usually, users create and own a few teams around specific topics. This KQL query looks for that suspicious behavior. For more information, see the query in the Azure Sentinel community GitHub.

Many Team deletions by a single user

Attackers can cause disruptions and jeopardize projects and data by deleting multiple teams. Since teams are usually deleted by individual Owners, central deletion of many teams can be a sign of trouble. This KQL looks for single users who delete multiple teams. For more information, see the query in the Azure Sentinel community GitHub.

Expanding your threat hunting opportunities

Combining queries from resources like Azure Active Directory (Azure AD), or other Office 365 workloads, can be used with Teams queries. For example, combine the detection of suspicious patterns in Azure AD SigninLogs, and use that output while hunting for Team Owners. The annotated lines of that query:

    | where AppDisplayName has "Azure Portal" and ResultType !in ("0", "50125", "50140")   // Azure Portal only, and exclude non-failure Result Types
    | extend Unresolved = iff(Identity matches regex isGUID, true, false)                 // Tag identities not resolved to friendly names
    // Look up resolved identities from the last 7 days
    | where not(Identity matches regex isGUID)
    | summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName   // Join resolved names to the unresolved list from portal sign-ins
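The two external-user hunts described above (external users from unknown or new organizations, and external users added and then quickly removed) implemented over a few constructed OfficeActivity rows, as an added Python example that is not part of the original article or of the Azure Sentinel community queries. The owned-domain set, the known-partner baseline, the one-hour window and the sample rows are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample OfficeActivity rows (field names follow the Sentinel table; values are made up).
SAMPLE_LOGS = [
    {"TimeGenerated": "2021-03-01T09:00:00Z", "Operation": "MemberAdded", "TeamName": "Finance",
     "UserId": "owner@contoso.com", "Members": '[{"UPN":"alice@fabrikam.com","Role":1}]'},
    {"TimeGenerated": "2021-03-01T09:20:00Z", "Operation": "MemberRemoved", "TeamName": "Finance",
     "UserId": "owner@contoso.com", "Members": '[{"UPN":"alice@fabrikam.com","Role":1}]'},
    {"TimeGenerated": "2021-03-01T10:00:00Z", "Operation": "MemberAdded", "TeamName": "Sales",
     "UserId": "owner@contoso.com", "Members": '[{"UPN":"bob@partner.example","Role":1}]'},
    {"TimeGenerated": "2021-03-01T11:00:00Z", "Operation": "MemberAdded", "TeamName": "Sales",
     "UserId": "owner@contoso.com", "Members": '[{"UPN":"carol@contoso.com","Role":1}]'},
]
OWNED_DOMAINS = {"contoso.com"}              # assumption: domains the tenant owns
KNOWN_PARTNER_DOMAINS = {"partner.example"}  # assumption: baseline of partner orgs seen before


def external_member_events(records):
    """Flatten the Members JSON array and keep only members whose UPN domain the tenant does not own."""
    for r in records:
        when = datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00"))
        for member in json.loads(r["Members"]):
            upn = member["UPN"]
            domain = upn.rsplit("@", 1)[1].lower()
            if domain not in OWNED_DOMAINS:
                yield when, r["Operation"], r["TeamName"], r["UserId"], upn, domain


def new_org_additions(records, known_domains):
    """Domains of external users added to a team that do not appear in the partner baseline."""
    return sorted({d for _, op, _, _, _, d in external_member_events(records)
                   if op == "MemberAdded" and d not in known_domains})


def added_then_removed(records, window=timedelta(hours=1)):
    """External users removed from the same team within `window` of being added."""
    pending, hits = {}, []
    for when, op, team, actor, upn, _ in sorted(external_member_events(records)):
        key = (team, upn)
        if op == "MemberAdded":
            pending[key] = (when, actor)
        elif op == "MemberRemoved" and key in pending:
            added_at, added_by = pending.pop(key)
            if when - added_at <= window:
                hits.append({"team": team, "upn": upn, "added_by": added_by,
                             "removed_by": actor, "minutes": (when - added_at).total_seconds() / 60})
    return hits
```

On the sample rows, `new_org_additions` flags only fabrikam.com (partner.example is in the baseline) and `added_then_removed` flags alice@fabrikam.com, removed from Finance twenty minutes after being added.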