Understanding Microsoft Teams Data Schema in Azure Sentinel – Analyst / Researcher View

This post has been republished via RSS; it originally appeared at: Azure Sentinel articles.

Millions of people are using Microsoft Teams as their secure, productive and mobile collaboration & communication tool, today  from Microsoft Threat Intelligence Center and   from Microsoft CyberSecurity Global Black Belt will detail Microsoft Teams schema and data structure in Azure Sentinel so let's get started!

 

Microsoft Teams now has an official connector at Azure Sentinel:

 

   TeamsConnectorGoodNewsPic.jpg 

 

  • Easy deployment (in a single checkbox)
  • Data into Office Activity 
  • It's free activity logs
  • Only keep the custom connector for other workloads

Here's a quick demonstration:

 

teamssentineldemo.gif

 

You can check as well a couple of hunting queries been shared on the Azure Sentinel GitHub

 

Lets understand now Microsoft Teams Schemas:

 

  • Office 365 Management API

TeamsO365API.png

  • Microsoft Graph API:

teamsGraphAPI.PNG

 

What's in Teams Logs:

 

  • TeamsSessionStarted – Sign-in to Teams Client (except token refresh)
  • MemberAdded/MemberRemoved – User added/removed to team or group chat
  • MemberRoleChanged – User’s permissions changed 1 = Owner, 2 = Member, 3 = Guest
  • ChannelAdded/ChannelRemoved – A channel is added/removed to a team
  • TeamCreated/Deleted – A whole team is created or deleted
  • TeamsSettingChanged – A change is made to a team setting (e.g. make it public/private)
  • TeamsTenantSettingChanged – A change is made at a tenant level (e.g. enable product)

+ Bots, Apps, Tabs

https://docs.microsoft.com/en-us/microsoftteams/audit-log-events

 

  • callRecord: Represents a single peer-to-peer call or a group call between multiple participants, sometimes referred to as an online meeting.
  • onlineMeeting: Contains information about the meeting, including the URL used to join a meeting, the attendees list, and the description.
  • callRecord/organizer – the organizing party’s identity
  • callRecord/participants – list of distinct identities involved in the call
  • callRecord/type – type of the call (group call, peer to peer,…etc)
  • callRecord/modalities – list of all modalities (audio, video, data, screen sharing, …etc)
  • callRecord/ (id - startDateTime – endDateTime – joinWebUrl )
  • onlineMeeting/ (subject, chatInfo, participants, startDateTime, endDateTime)

https://docs.microsoft.com/en-us/graph/api/resources/communications-api-overview?view=graph-rest-1.0

 

Log Structure:

 

TenantId

1XX-XX0-473e-8XX-dXXXXXX

TimeGenerated

2020-09-23T18:18:36Z

Operation

MemberAdded

OrganizationId

axxxxxa-7xx2-xxxa-xx7X-xxxxxxxxcf

UserType

Regular

UserKey

axxxb-0xx-4XXX-XXX-XXX

OfficeWorkload

MicrosoftTeams

UserId

pete@contoso.com

OfficeId

41XXX3-XX4-XX9-XX3f-79XXX45c

Members

[{"DisplayName":“XXX Bryan","Role":3,"UPN":“XXX_microsoft.com#ext#@contoso.com"}]

TeamName

Pete’s Team

TeamGuid

19:b511b225534a4ed4afe5bd4274c3626b@thread.tacv2

ItemName

Pete’s Team

CommunicationType

Team

AADGroupId

1XXX3-4XXe-4XXa-9XX3-0XXXXX19

 

pic1.PNG

 pic2.pngpic3.pngpic4.pngpic5.pngpic6.pngpic7.pngpic8.pngpic9.pngpic10.pngpic11.png

 

Log Structure (additional fields)

 

pic12.PNG

 

A step-by-step guide on how to ingest CallRecords-Sessions Teams data to Azure Sentinel via Microsoft Graph API, check out Secure your Calls- Monitoring Microsoft TEAMS CallRecords Activity Logs using Azure Sentinel blog post.

 

Other Logs:

 

 

 

 

SigninLogs AAD Signin for Teams | where AppDisplayName contains “Microsoft Teams”OfficeActivity Files uploaded via Teams | where SourceRelativeUrl contains "Microsoft Teams Chat Files"

 

 

 

 

Hunting:

 

 

Detection:

 

  • Difficult due to usage variations between orgs
  • SigninLogs analytics will protect against a lot of common attack types
  • New external organization hunting query is a good candidate

SOAR:

 

  • Plenty of actions in Azure Sentinel Playbooks - LogicApps controls for Teams
  • Use this to get additional context for alerts
  • You can also post messages to teams

pic13.png

 

Get started today!

We encourage you to try it now and start hunting  in your environment. 

You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.

 

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.