GSA Enriched Office 365 - Multiple Teams deleted by a single user
| Id | db60e4b6-a845-4f28-a18c-94ebbaad6c6c |
| Rulename | GSA Enriched Office 365 - Multiple Teams deleted by a single user |
| Description | This detection flags the occurrences of deleting multiple teams within a day. This data is a part of Office 365 Connector in Microsoft Sentinel. |
| Severity | Low |
| Tactics | Impact |
| Techniques | T1485 T1489 |
| Required data connectors | AzureActiveDirectory Office365 |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/Office 365 - MultipleTeamsDeletes.yaml |
| Version | 2.0.6 |
| Arm template | db60e4b6-a845-4f28-a18c-94ebbaad6c6c.json |
// Set the maximum number of deleted teams to flag suspicious activity
let max_delete_count = 3;
// EnrichedMicrosoft365AuditLogs Query
let EnrichedEvents = EnrichedMicrosoft365AuditLogs
| where Workload =~ "MicrosoftTeams"
| where Operation =~ "TeamDeleted"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(tostring(AdditionalProperties.TeamName), 1000) by UserId
| where array_length(DeletedTeams) > max_delete_count
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]);
// OfficeActivity Query
let OfficeEvents = OfficeActivity
| where OfficeWorkload =~ "MicrosoftTeams"
| where Operation =~ "TeamDeleted"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName, 1000) by UserId
| where array_length(DeletedTeams) > max_delete_count
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]);
// Combine and Deduplicate Office and Enriched Logs
let CombinedEvents = OfficeEvents
| union EnrichedEvents
| summarize arg_min(StartTime, *) by UserId;
// Final Output
CombinedEvents
| project StartTime, EndTime, DeletedTeams, UserId, AccountName, AccountUPNSuffix
relevantTechniques:
- T1485
- T1489
name: GSA Enriched Office 365 - Multiple Teams deleted by a single user
requiredDataConnectors:
- dataTypes:
- EnrichedMicrosoft365AuditLogs
connectorId: AzureActiveDirectory
- dataTypes:
- OfficeActivity (Teams)
connectorId: Office365
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: UserId
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
entityType: Account
triggerThreshold: 0
id: db60e4b6-a845-4f28-a18c-94ebbaad6c6c
tactics:
- Impact
version: 2.0.6
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/Office 365 - MultipleTeamsDeletes.yaml
queryPeriod: 1d
kind: Scheduled
queryFrequency: 1d
severity: Low
status: Available
description: |
This detection flags the occurrences of deleting multiple teams within a day.
This data is a part of Office 365 Connector in Microsoft Sentinel.
query: |
// Set the maximum number of deleted teams to flag suspicious activity
let max_delete_count = 3;
// EnrichedMicrosoft365AuditLogs Query
let EnrichedEvents = EnrichedMicrosoft365AuditLogs
| where Workload =~ "MicrosoftTeams"
| where Operation =~ "TeamDeleted"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(tostring(AdditionalProperties.TeamName), 1000) by UserId
| where array_length(DeletedTeams) > max_delete_count
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]);
// OfficeActivity Query
let OfficeEvents = OfficeActivity
| where OfficeWorkload =~ "MicrosoftTeams"
| where Operation =~ "TeamDeleted"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName, 1000) by UserId
| where array_length(DeletedTeams) > max_delete_count
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]);
// Combine and Deduplicate Office and Enriched Logs
let CombinedEvents = OfficeEvents
| union EnrichedEvents
| summarize arg_min(StartTime, *) by UserId;
// Final Output
CombinedEvents
| project StartTime, EndTime, DeletedTeams, UserId, AccountName, AccountUPNSuffix
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/db60e4b6-a845-4f28-a18c-94ebbaad6c6c')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/db60e4b6-a845-4f28-a18c-94ebbaad6c6c')]",
"properties": {
"alertRuleTemplateName": "db60e4b6-a845-4f28-a18c-94ebbaad6c6c",
"customDetails": null,
"description": "This detection flags the occurrences of deleting multiple teams within a day.\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\n",
"displayName": "GSA Enriched Office 365 - Multiple Teams deleted by a single user",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "UserId",
"identifier": "FullName"
},
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "AccountUPNSuffix",
"identifier": "UPNSuffix"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/Office 365 - MultipleTeamsDeletes.yaml",
"query": "// Set the maximum number of deleted teams to flag suspicious activity\nlet max_delete_count = 3;\n// EnrichedMicrosoft365AuditLogs Query\nlet EnrichedEvents = EnrichedMicrosoft365AuditLogs\n | where Workload =~ \"MicrosoftTeams\"\n | where Operation =~ \"TeamDeleted\"\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(tostring(AdditionalProperties.TeamName), 1000) by UserId\n | where array_length(DeletedTeams) > max_delete_count\n | extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n// OfficeActivity Query\nlet OfficeEvents = OfficeActivity\n | where OfficeWorkload =~ \"MicrosoftTeams\"\n | where Operation =~ \"TeamDeleted\"\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName, 1000) by UserId\n | where array_length(DeletedTeams) > max_delete_count\n | extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n// Combine and Deduplicate Office and Enriched Logs\nlet CombinedEvents = OfficeEvents\n | union EnrichedEvents\n | summarize arg_min(StartTime, *) by UserId;\n// Final Output\nCombinedEvents\n | project StartTime, EndTime, DeletedTeams, UserId, AccountName, AccountUPNSuffix\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Low",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1485",
"T1489"
],
"templateVersion": "2.0.6",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}