Collect Microsoft Teams activity in Azure Sentinel and start hunting

Azure Sentinel is a cloud-native security information and event management platform. (SIEM). Sentinel uses AI to analyze large volumes of data. Azure Sentinel is developed based on existing Azure services. Log Analytics and Logic apps are part of the foundation. 

What is Azure Sentinel?

Sentinel is built on Azure Log Analytics. It collects information from various security logs. Sentinel gives a couple of default connectors; for example; Azure Active Directory, Azure Activity, Azure DDoS Protection, Azure Firewall, Azure Information Protection, Cloud App Security. Non-Microsoft-related data connectors are also present examples; Barracuda Web Application Firewall, Check Point, Cisco ASA, SyberArk, F5 networks, Fortinet, Okta SSO, Orca Security Alerts, Palo Alto Networks, Symantec and more. More information; https://docs.microsoft.com/en-US/azure/sentinel/connect-data-sources

If you wanted to have Microsoft Teams events audit data to Azure Sentinel it is possible to use the native Microsoft Teams Data included in the O365 data connector. Before Teams data was available by using a Logic App. Since 8/31/2020 Teams Data is included inside the O365 data connector.

In this blog post, I want to show how you can use the O365 data connector to use Teams data inside Azure Sentinel with a couple of KQL queries. Quick note; the data connector is still in public preview.

Connect Microsoft Teams logs to Azure Sentinel.

Prerequisites before connecting Teams.

1. You must have read and write permissions on your Azure Sentinel workspace.
2. You must be a global administrator or security administrator on your tenant.
3. Your Office 365 deployment must be on the same tenant as your Azure Sentinel workspace.

If you wanted to have Microsoft Teams events audit data to Azure Sentinel;

• Open Azure Sentinel
• Select Data connectors

• From the data connectors screen(1) select the Office 365 data connector(2) For the configuration select Open connector page (3).

• Select Microsoft Teams to be included inside the Office365 data set. The Office 365 dataset is including Exchange and Sharepoint data. Teams Preview is the activity specific for the teams usage.

Testing data

Verifying and test the data flow is possible following different methods. After applying the above setup it takes some time (20minutes) before the data is available in the Log Analytics workspace. The data flow can be verified from the connector page itself or with a KQL.

First, go to the data connector and verify the data types data.

KQL

Use the below KQL to discover Teams data from the Log Analytics workspace. Inside the KQL results, a couple of operations are available. See the next topic for the specific Teams events.

OfficeActivity
| where OfficeWorkload == “MicrosoftTeams”
| sort by TimeGenerated

In the above screenshots, the operation is based on the TeamSessionStarted. For example; the operation MemberAdded is available to detect newly added users, and of course deletion of a user is also available.

Azure Sentinel connects to the Office365 Management Activity API to get the recent Teams data. The specific Teams events are listed inside the Audit.General category. The following activities are available from the discovered data. For more API information; the Microsoft information page; https://docs.microsoft.com/en-us/office/office-365-management-api/

• Friendly name
• Added bot to team
• Added channel
• Added connector
• Added members
• Added tab
• Changed channel setting
• Changed organization setting
• Changed role of members in team
• Added bot to team
• Added channel
• Added connector
• Added members
• Added tab
• Changed channel setting
• Changed organization setting
• Changed role of members in team
• Changed team setting
• Created team
• Deleted all organization apps
• Deleted app
• Deleted channel
• Deleted team
• Installed app
• Performed action on card
• Published app
• Removed bot from team
• Removed connector
• Removed members
• Removed tab
• Uninstalled app
• Updated app
• Updated connector
• Updated tab
• Upgraded app
• User signed in to Teams

A good example is theTeamDeleted operation:
In the screenshot below is a scenario to investigate deleted teams.

1: Operation: TeamDeleted action
2: Team Name: TeamName
3: UserID: User who deleted specific Team

This makes it a possibility to quickly search through Teams Data for deleted teams activities

KQL – New Teams application added

OfficeActivity
| where TimeGenerated > ago(7d)
| where isnotempty(AddonName)

In this particular case, if the Teams audit logs are collected you find new applications added inside Teams. Listed with the TeamName, AddonName, and Operation. For example, you see the addon’s Email Connector, Praise, and YouTube.

Result;

OfficeActivity
| where OfficeWorkload == “MicrosoftTeams”
| sort by TimeGenerated
| where Operation has “BotAddedToTeam”
| project UserId,AddonName,TimeGenerated,RecordType,Operation,UserType,OfficeWorkload

With this KQL it is possible to create alerts and notify the SOC/ Security Team when a new bot has been added to the Team.

KQL – Member Role Changed

OfficeActivity
| where TimeGenerated > ago(7d)
| where Operation =~ “MemberRoleChanged”
| where Members contains “Role” and Members contains “1”

In this particular case, you can verify the member role changed inside a specific team.

KQL – Team created

OfficeActivity
| where OfficeWorkload == “MicrosoftTeams”
| sort by TimeGenerated
| where Operation has “TeamCreated”
| where UserId has “UPN value here”
| project UserId,AddonName,TimeGenerated,RecordType,Operation,UserType,OfficeWorkload

Filtering alerts based on a specific person is possible. For this use the where UserId has “UPN value here” and specify the UPN.
In the screenshot the UserID teams created results are listed. This can be used for specific user-related events.

KQL – Multiple teams deteted

The below KQL can be used for the detection of a user who delete multiple teams. Let max-delete = 5 specify the max delete value.

Let max_delete = 5;
let time_window = 7d;
let deleting_users = (
OfficeActivity
| where OfficeWorkload == “MicrosoftTeams”
| where TimeGenerated > ago(time_window)
| where Operation =~ “TeamDeleted”
| summarize count() by UserId
| where count_ > max_delete
| project UserId);
OfficeActivity
| where OfficeWorkload == “MicrosoftTeams”
| where TimeGenerated > ago(time_window)
| where Operation =~ “TeamDeleted”
| where UserId in (deleting_users)
| project-away Members

Dashboard

It is possible to display the data in an Azure Sentinel dashboard. Some examples:

List recently deleted teams and show the UserID:

OfficeActivity
| where OfficeWorkload == “MicrosoftTeams”
| where Operation == “TeamDeleted”
| project TimeGenerated, TeamName, UserId
| sort by TimeGenerated desc

For all the operations runned by a specific userID.

OfficeActivity
| where OfficeWorkload == “MicrosoftTeams”
| summarize count() by UserId
| sort by count_ desc

Graphical view with the recent operations inside the Teams workload.

OfficeActivity
| where OfficeWorkload == “MicrosoftTeams”
| summarize count() by Operation, bin(TimeGenerated, 1d)

Visualization Settings:

• Visualization: Area Chart
• Size: Medium
• Legend: Sum of Values
• Chart Groups: Automatic
• Columm selection: Automatic

Azure Sentinel helps you to detect, alert, investigate and resolve security incidents quickly. It provides many ways to collect and analyze data.

Sources

Microsoft Secure your Calls: https://techcommunity.microsoft.com/t5/azure-sentinel/secure-your-calls-monitoring-microsoft-teams-callrecords/ba-p/1574600