// Helper: Teams membership events of one operation type (Op), reduced to the
// external members they touch. "#EXT#" in a UPN is what the query treats as
// the marker of an external account. One output row per external member.
let TeamsAddDel = (Op:string) {
    OfficeActivity
    | where OfficeWorkload =~ "MicrosoftTeams" and Operation == Op
    // Pre-filter on the whole Members array so mv-expand only runs on events
    // that mention at least one external account.
    | where Members has ("#EXT#")
    | mv-expand Members
    | extend UPN = tostring(Members.UPN)
    // One event can list internal and external members together; keep only
    // the external ones after expansion.
    | where UPN has ("#EXT#")
    | project TimeGenerated, Operation, UPN, UserId, TeamName, ClientIP
};
// External-member additions. Columns are renamed so the add side stays
// distinguishable from the removal side after the join.
let TeamsAdd =
    TeamsAddDel("MemberAdded")
    | project
        TimeAdded = TimeGenerated,
        Operation,
        MemberAdded = UPN,
        UserWhoAdded = UserId,   // actor who performed the add
        TeamName,
        ClientIP;
// External-member removals, renamed to mirror the add side.
let TeamsDel =
    TeamsAddDel("MemberRemoved")
    | project
        TimeDeleted = TimeGenerated,
        Operation,
        MemberRemoved = UPN,
        UserWhoDeleted = UserId,   // actor who performed the removal
        TeamName,
        ClientIP;
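// Pair each external-member addition with a later removal of the same account
// from the same team.
// The join is keyed on the member AND the team: keyed on the member alone, an
// add in one team would pair with an unrelated removal from a different team
// and raise a false positive.
// Nothing in the query bounds the gap between the two events; the interval is
// limited only by the time range the query is run over.
TeamsAdd
| join kind=inner (TeamsDel) on $left.MemberAdded == $right.MemberRemoved, $left.TeamName == $right.TeamName
| where TimeDeleted > TimeAdded
// ClientIP here is the left-hand (addition) event's address; the removal
// event's address leaves the join as ClientIP1 and is not kept.
| project TimeAdded, TimeDeleted, MemberAdded_Removed = MemberAdded, UserWhoAdded, UserWhoDeleted, TeamName, ClientIP
// Split each UPN at "@" into account name and UPN suffix, one pair per account
// column, so the three accounts can be mapped as separate entities.
| extend MemberAdded_RemovedAccountName = tostring(split(MemberAdded_Removed, "@")[0]), MemberAdded_RemovedAccountUPNSuffix = tostring(split(MemberAdded_Removed, "@")[1])
| extend UserWhoAddedAccountName = tostring(split(UserWhoAdded, "@")[0]), UserWhoAddedAccountUPNSuffix = tostring(split(UserWhoAdded, "@")[1])
| extend UserWhoDeletedAccountName = tostring(split(UserWhoDeleted, "@")[0]), UserWhoDeletedAccountUPNSuffix = tostring(split(UserWhoDeleted, "@")[1])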
# Scheduled analytics rule: external accounts that are added to a Team and then
# removed again shortly afterwards.
id: bff093b2-500e-4ae5-bb49-a5b1423cbd5b
severity: Low
# The rule runs every hour over a one-hour look-back (queryPeriod).
# NOTE(review): with frequency equal to look-back, an add and its removal that
# fall on either side of a run boundary are never in the same window and so
# would not be paired - confirm this gap is acceptable.
queryFrequency: 1h
# With triggerOperator "gt", any non-empty result raises an alert.
triggerThreshold: 0
description: |
  'This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour.'
version: 2.1.3
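query: |
  // Helper: Teams membership events of one operation type (Op), reduced to the
  // external members they touch ("#EXT#" in the UPN). One row per member.
  let TeamsAddDel = (Op:string){
  OfficeActivity
  | where OfficeWorkload =~ "MicrosoftTeams"
  | where Operation == Op
  // Pre-filter on the whole Members array before expanding it.
  | where Members has ("#EXT#")
  | mv-expand Members
  | extend UPN = tostring(Members.UPN)
  // An event can list internal and external members together; keep the latter.
  | where UPN has ("#EXT#")
  | project TimeGenerated, Operation, UPN, UserId, TeamName, ClientIP
  };
  let TeamsAdd = TeamsAddDel("MemberAdded")
  | project TimeAdded=TimeGenerated, Operation, MemberAdded = UPN, UserWhoAdded = UserId, TeamName, ClientIP;
  let TeamsDel = TeamsAddDel("MemberRemoved")
  | project TimeDeleted=TimeGenerated, Operation, MemberRemoved = UPN, UserWhoDeleted = UserId, TeamName, ClientIP;
  // Pair each addition with a later removal of the same account from the same
  // team. Keyed on the member alone, an add in one team would pair with an
  // unrelated removal from another team and raise a false positive.
  // The query itself does not bound the add-to-removal gap; queryPeriod does.
  TeamsAdd
  | join kind=inner (TeamsDel) on $left.MemberAdded == $right.MemberRemoved, $left.TeamName == $right.TeamName
  | where TimeDeleted > TimeAdded
  // ClientIP is the addition event's address; the removal's address leaves the
  // join as ClientIP1 and is not kept.
  | project TimeAdded, TimeDeleted, MemberAdded_Removed = MemberAdded, UserWhoAdded, UserWhoDeleted, TeamName, ClientIP
  // Split each UPN at "@" into name and suffix for the Account entity mappings.
  | extend MemberAdded_RemovedAccountName = tostring(split(MemberAdded_Removed, "@")[0]), MemberAdded_RemovedAccountUPNSuffix = tostring(split(MemberAdded_Removed, "@")[1])
  | extend UserWhoAddedAccountName = tostring(split(UserWhoAdded, "@")[0]), UserWhoAddedAccountUPNSuffix = tostring(split(UserWhoAdded, "@")[1])
  | extend UserWhoDeletedAccountName = tostring(split(UserWhoDeleted, "@")[0]), UserWhoDeletedAccountUPNSuffix = tostring(split(UserWhoDeleted, "@")[1])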
name: External user added and removed in short timeframe
# Look-back window of each run. The query has no time filter of its own, so
# this value is what limits how far apart the add and the removal can be.
queryPeriod: 1h
# Compared against triggerThreshold: alert when the result count is greater.
triggerOperator: gt
# Data source the query depends on: the OfficeActivity table, Teams workload.
requiredDataConnectors:
  - connectorId: Office365
    dataTypes:
      - OfficeActivity (Teams)
status: Available
# MITRE ATT&CK mapping: Persistence, technique T1136 (Create Account).
tactics:
  - Persistence
relevantTechniques:
  - T1136
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/ExternalUserAddedRemovedInTeams.yaml
# Query columns surfaced as entities on the alert: three accounts (the external
# member, the user who added them, the user who removed them) and one IP.
entityMappings:
  # The external account that was added and then removed.
  - entityType: Account
    fieldMappings:
      - columnName: MemberAdded_Removed
        identifier: FullName
      - columnName: MemberAdded_RemovedAccountName
        identifier: Name
      - columnName: MemberAdded_RemovedAccountUPNSuffix
        identifier: UPNSuffix
  # The account that performed the addition.
  - entityType: Account
    fieldMappings:
      - columnName: UserWhoAdded
        identifier: FullName
      - columnName: UserWhoAddedAccountName
        identifier: Name
      - columnName: UserWhoAddedAccountUPNSuffix
        identifier: UPNSuffix
  # The account that performed the removal.
  - entityType: Account
    fieldMappings:
      - columnName: UserWhoDeleted
        identifier: FullName
      - columnName: UserWhoDeletedAccountName
        identifier: Name
      - columnName: UserWhoDeletedAccountUPNSuffix
        identifier: UPNSuffix
  # ClientIP as projected by the query (the addition event's address).
  - entityType: IP
    fieldMappings:
      - columnName: ClientIP
        identifier: Address