Millions of people use Microsoft Teams as their secure, productive and mobile collaboration and communication tool. Today @Pete Bryan from the Microsoft Threat Intelligence Center and @Hesham Saad from Microsoft CyberSecurity Global Black Belt walk through the Microsoft Teams schema and data structure in Azure Sentinel, so let's get started!
Microsoft Teams now has an official connector at Azure Sentinel:
Here's a quick demonstration:
You can also check the hunting queries that have been shared on the Azure Sentinel GitHub.
Now let's look at the Microsoft Teams schema:
What's in Teams Logs:
+ Bots, Apps, Tabs
https://docs.microsoft.com/en-us/microsoftteams/audit-log-events
https://docs.microsoft.com/en-us/graph/api/resources/communications-api-overview?view=graph-rest-1.0
Log Structure (one MemberAdded event from the OfficeActivity table, identifiers redacted):

Field | Value
TenantId | 1XX-XX0-473e-8XX-dXXXXXX
TimeGenerated | 2020-09-23T18:18:36Z
Operation | MemberAdded
OrganizationId | axxxxxa-7xx2-xxxa-xx7X-xxxxxxxxcf
UserType | Regular
UserKey | axxxb-0xx-4XXX-XXX-XXX
OfficeWorkload | MicrosoftTeams
UserId | (empty)
OfficeId | 41XXX3-XX4-XX9-XX3f-79XXX45c
Members | [{"DisplayName":"XXX Bryan","Role":3,"UPN":"XXX_microsoft.com#ext#@contoso.com"}]
TeamName | Pete's Team
TeamGuid | 19:b511b225534a4ed4afe5bd4274c3626b@thread.tacv2
ItemName | Pete's Team
CommunicationType | Team
AADGroupId | 1XXX3-4XXe-4XXa-9XX3-0XXXXX19
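The Members field in the record above is a JSON array, so a hunting query has to expand it before it can look at individual members. The following KQL is an added example (not a query from the post or from the Azure Sentinel repository): it expands Members on MemberAdded events and summarises, per team and per adding user, the members whose UPN carries the "#ext#" guest marker that appears in the sample record. It assumes the Azure Sentinel OfficeActivity table and the field names shown in the log structure above; the lookback window is an arbitrary choice.

```kusto
// Added example, not from the original post. Assumes the Azure Sentinel
// OfficeActivity table with the Teams fields shown in the log structure above.
let lookback = 7d;
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "MicrosoftTeams"
| where Operation == "MemberAdded"
// Members is a JSON array of {DisplayName, Role, UPN}; emit one row per member
| extend MembersParsed = parse_json(Members)
| mv-expand Member = MembersParsed
| extend MemberName = tostring(Member.DisplayName),
         MemberRole = toint(Member.Role),
         MemberUPN  = tostring(Member.UPN)
// "#ext#" in the UPN marks an external (guest) account, as in the sample record
| where MemberUPN contains "#ext#"
// UserId was empty in the sample record, so fall back to UserKey for attribution
| extend AddedBy = iif(isempty(UserId), UserKey, UserId)
| summarize GuestsAdded = dcount(MemberUPN),
            Guests      = make_set(MemberUPN),
            Roles       = make_set(MemberRole),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated)
          by TenantId, TeamName, TeamGuid, AddedBy
| order by GuestsAdded desc
```

Run it in the Sentinel Logs blade; teams at the top of the result set received the most distinct guest accounts in the window, which is the usual starting point for reviewing external sharing.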
Log Structure (additional fields)
For a step-by-step guide on ingesting Teams CallRecords-Sessions data into Azure Sentinel via the Microsoft Graph API, see the blog post Secure your Calls - Monitoring Microsoft Teams CallRecords Activity Logs using Azure Sentinel.
Other Logs:

SigninLogs - Azure AD sign-ins for Teams:
SigninLogs
| where AppDisplayName contains "Microsoft Teams"

OfficeActivity - Files uploaded via Teams:
OfficeActivity
| where SourceRelativeUrl contains "Microsoft Teams Chat Files"
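The two filters above come from different tables, and the value of having both in one workspace is being able to correlate them. The following KQL is an added example (not from the original post): it takes each Teams chat file upload from OfficeActivity and enriches it with the uploader's most recent successful Teams sign-in from SigninLogs, so uploads with no recent Teams sign-in from the same account, or from an IP that differs from the sign-in IP, stand out. It assumes the Azure Sentinel OfficeActivity and SigninLogs tables, that file uploads carry the Operation value "FileUploaded", and that OfficeActivity.UserId and SigninLogs.UserPrincipalName hold the same UPN; the lookback windows are arbitrary.

```kusto
// Added example, not from the original post. Assumes the Azure Sentinel
// OfficeActivity and SigninLogs tables; "FileUploaded" is assumed to be the
// Operation value for uploads.
let lookback = 1d;
// Latest successful Teams sign-in per user, looking back one extra day so an
// upload early in the window can still match a sign-in before it.
let teamsSignins = SigninLogs
| where TimeGenerated > ago(lookback + 1d)
| where AppDisplayName contains "Microsoft Teams"
| where ResultType == "0"            // successful sign-ins only
| summarize arg_max(TimeGenerated, IPAddress, Location) by UserPrincipalName
| project UserPrincipalName   = tolower(UserPrincipalName),
          LastSigninTime      = TimeGenerated,
          LastSigninIP        = IPAddress,
          LastSigninLocation  = Location;
OfficeActivity
| where TimeGenerated > ago(lookback)
| where Operation == "FileUploaded"
| where SourceRelativeUrl contains "Microsoft Teams Chat Files"
| extend UserPrincipalName = tolower(UserId)
| join kind=leftouter teamsSignins on UserPrincipalName
| extend HoursSinceSignin = datetime_diff("hour", TimeGenerated, LastSigninTime),
         // flag uploads with no recent Teams sign-in, or from a different IP
         Flag = case(isnull(LastSigninTime), "no recent Teams sign-in",
                     ClientIP != LastSigninIP, "upload IP differs from sign-in IP",
                     "ok")
| project TimeGenerated, UserPrincipalName, SourceFileName, SourceRelativeUrl,
          ClientIP, LastSigninTime, LastSigninIP, LastSigninLocation,
          HoursSinceSignin, Flag
| order by Flag asc, TimeGenerated desc
```

The leftouter join keeps uploads that have no matching sign-in row, which is exactly the set worth a second look; a plain inner join would silently drop them.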
Hunting:
Detection:
SOAR:
Get started today!
We encourage you to try it now and start hunting in your environment.
You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.