Query Details

DCA Teams App Installed

Query

//Find when an app is installed into Teams using the Defender for Cloud Apps logs (CloudAppEvents table)

//Data connector required for this query - M365 Defender - CloudAppEvents

//Microsoft Sentinel query
CloudAppEvents
| where Application == "Microsoft Teams"
| where ActionType == "AppInstalled"
| extend AppDistributionMode = tostring(RawEventData.AppDistributionMode)
| extend AzureADAppId = tostring(RawEventData.AzureADAppId)
| extend UserId = tostring(RawEventData.UserId)
| extend AppName = tostring(RawEventData.AddOnName)
| project TimeGenerated, AppName, AzureADAppId, UserId, AppDistributionMode

//Advanced Hunting query

//Requirement for this query - Microsoft 365 Defender advanced hunting (no Sentinel data connector needed; the CloudAppEvents table is queried natively)

CloudAppEvents
| where Application == "Microsoft Teams"
| where ActionType == "AppInstalled"
| extend AppDistributionMode = tostring(RawEventData.AppDistributionMode)
| extend AzureADAppId = tostring(RawEventData.AzureADAppId)
| extend UserId = tostring(RawEventData.UserId)
| extend AppName = tostring(RawEventData.AddOnName)
| project Timestamp, AppName, AzureADAppId, UserId, AppDistributionMode

Explanation

This query finds instances where an app is installed into Microsoft Teams, using the Defender for Cloud Apps activity logged in the CloudAppEvents table. It filters on the Microsoft Teams application and the AppInstalled action type, then extracts fields from the RawEventData dynamic column: the time the event occurred, the app name (AddOnName), the Azure AD app ID, the user ID of the installer, and the app distribution mode (which indicates whether the app came from the store, the organization catalog, or was sideloaded). The query can be executed in both Microsoft Sentinel and Microsoft 365 Defender Advanced Hunting; the only difference is the timestamp column (TimeGenerated in Sentinel, Timestamp in Advanced Hunting), and the prerequisites differ: Sentinel needs the Microsoft 365 Defender data connector with CloudAppEvents enabled, while Advanced Hunting queries the table natively.
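The base query lists every install event. A hunting variant that is more useful for triage surfaces apps that appeared in the tenant for the first time recently, together with how many users installed them and under which distribution mode. The block below is an added example, not part of the original query; it reuses the same RawEventData field names as the query above, is written for Sentinel (TimeGenerated), and the 30-day lookback and 7-day "new app" window are assumed values to tune for your tenant. For Advanced Hunting, replace TimeGenerated with Timestamp.

```kql
// Added example: first-seen Teams app installs (not the original query).
// Assumptions: 30d lookback, 7d window for "new" apps; field names as in the base query.
let lookback = 30d;
let recent = 7d;
let installs = CloudAppEvents
    | where TimeGenerated > ago(lookback)
    | where Application == "Microsoft Teams"
    | where ActionType == "AppInstalled"
    | extend AppDistributionMode = tostring(RawEventData.AppDistributionMode)
    | extend AzureADAppId = tostring(RawEventData.AzureADAppId)
    | extend UserId = tostring(RawEventData.UserId)
    | extend AppName = tostring(RawEventData.AddOnName);
installs
// One row per app/distribution mode, with the first and last install time,
// the number of installs, the number of distinct installers and a sample of who installed it
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            InstallCount = count(),
            DistinctInstallers = dcount(UserId),
            Installers = make_set(UserId, 20)
          by AppName, AzureADAppId, AppDistributionMode
// Keep only apps whose very first install in the lookback window falls inside the recent window
| where FirstSeen > ago(recent)
| order by FirstSeen desc
```

Apps that show up here with a low DistinctInstallers count and a distribution mode other than the global store are the ones worth a closer look; the AzureADAppId can then be checked against the enterprise application consent records in Entra ID.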

Details


Matt Zorich

Released: June 17, 2022

Tables

CloudAppEvents

Keywords

CloudAppEvents,Application,ActionType,AppDistributionMode,AzureADAppId,UserId,AppName,TimeGenerated,Timestamp

Operators

where, ==, |, extend, tostring, project
