Query Details

Hunting One On One Chats By Domains

Query

**Hunting OneOnOne chats by Domains**

The following KQL query helps detect the domains that take part in one-on-one Teams chats in your tenant. It lets you whitelist trusted or known domains while flagging any other domain that appears in a newly created chat.

```
// Allowlist: add your own tenant and partner domains here.
let TrustedDomains = dynamic(["microsoft.com"]);
CloudAppEvents
| where Application has "Microsoft Teams" and isnotempty(IPAddress)
| extend Geo_IP = tostring(geo_info_from_ip_address(IPAddress).country)
| extend RawEvent = todynamic(RawEventData)
| extend ChatName = tostring(RawEvent.ChatName),
         TeamName = tostring(RawEvent.TeamName),
         ChannelName = tostring(RawEvent.ChannelName),
         Operation = tostring(RawEvent.Operation),
         CommunicationType = tostring(RawEvent.CommunicationType)
| where Operation has "ChatCreated" and CommunicationType has "OneOnOne"
// ParticipantInfo is a single object; expand only the two arrays inside it,
// one row per participating domain and per SIP domain entry.
| extend ParticipantsInfo = RawEvent.ParticipantInfo
| mv-expand ParticipatingDomains = ParticipantsInfo.ParticipatingDomains
| mv-expand SIPDomainEntry = ParticipantsInfo.ParticipatingSIPDomains
| extend ParticipatingDomains = tostring(ParticipatingDomains),
         ParticipatingSIPDomains = tostring(SIPDomainEntry.DomainName)
// Keep a row only when at least one non-empty domain is outside the allowlist.
// Checking emptiness per domain avoids passing an empty SIP entry that sits
// next to a trusted domain. !in~ is case-insensitive, unlike !in.
| where (isnotempty(ParticipatingDomains) and ParticipatingDomains !in~ (TrustedDomains))
     or (isnotempty(ParticipatingSIPDomains) and ParticipatingSIPDomains !in~ (TrustedDomains))
| project AccountDisplayName, ChatCreatedFrom = IPAddress, ChannelName, ChatName, TeamName, Geo_IP, CountryCode, Operation, ParticipatingSIPDomains, ParticipatingDomains, ISP
```

Explanation

This KQL (Kusto Query Language) query monitors one-on-one chats in Microsoft Teams within your tenant and surfaces the domains that take part in them. Here is a simplified breakdown of what the query does:

1. Data source: it starts from events in the CloudAppEvents table, keeping only Microsoft Teams events that carry an IP address.

2. Extracting information: the query pulls several fields out of the raw event data:
   - The country associated with the IP address (Geo_IP).
   - The names of the chat, team, and channel involved.
   - The operation and communication type (used to keep only chat creation and one-on-one communication).

3. Filtering:
   - It keeps events where a chat was created and the communication type is one-on-one.
   - It expands the participant information so that each participating domain (and each SIP domain) lands on its own row.
   - It keeps only domains that are non-empty and not on the trusted list; as written, "microsoft.com" is the only trusted domain.

4. Output: the query projects (selects) the fields to display:
   - The display name of the account involved.
   - The IP address from which the chat was created.
   - The names of the chat, channel, and team.
   - The geographic location of the IP address.
   - The operation type.
   - The domains of the participants.

In summary, this query identifies and flags domains interacting with one-on-one Teams chats that are not on the whitelist of known and trusted domains (such as "microsoft.com"). This helps in monitoring and securing communication within the organization.
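To show the same filtering and allowlist logic outside of Advanced Hunting, here is an added Python re-implementation (example code, not part of the original query page and not the author's). It runs over constructed CloudAppEvents-like rows whose RawEventData carries the ParticipantInfo fields the query reads; the helper names, the sample accounts, IP addresses and domains are all assumptions made for the illustration. It also handles the edge case the query has to get right: a chat whose only domains are trusted, with an empty SIP domain list, must not be flagged.

```python
"""Added example (not part of the original query page): a Python re-implementation of the
allowlist logic the KQL query applies, run over constructed CloudAppEvents-like rows."""
import json

# Allowlist of trusted domains; the query hard-codes only microsoft.com. Comparison is
# case-insensitive here (the KQL `!in` operator is case-sensitive; `!in~` is not).
TRUSTED_DOMAINS = {"microsoft.com"}


def make_event(account, ip, operation, comm_type, domains, sip_domains, chat="chat"):
    """Build a constructed CloudAppEvents-like row. RawEventData is stored as a JSON
    string, as it is in the real table; only the fields the query reads are populated."""
    return {
        "Application": "Microsoft Teams",
        "AccountDisplayName": account,
        "IPAddress": ip,
        "CountryCode": "XX",          # placeholder; real rows carry ISO country codes
        "ISP": "example-isp",         # placeholder
        "RawEventData": json.dumps({
            "Operation": operation,
            "CommunicationType": comm_type,
            "ChatName": chat,
            "ParticipantInfo": {
                "ParticipatingDomains": domains,
                "ParticipatingSIPDomains": [{"DomainName": d} for d in sip_domains],
            },
        }),
    }


# Constructed sample rows (no real telemetry)
SAMPLE_EVENTS = [
    # External domain present -> one finding expected
    make_event("Alice Example", "203.0.113.10", "ChatCreated", "OneOnOne",
               ["microsoft.com", "partner.example"], ["microsoft.com"]),
    # Only trusted domains, SIP list empty -> must NOT be flagged
    make_event("Bob Example", "203.0.113.11", "ChatCreated", "OneOnOne",
               ["microsoft.com"], []),
    # Group chat, not OneOnOne -> filtered out before the domain check
    make_event("Carol Example", "203.0.113.12", "ChatCreated", "Group",
               ["other.example"], ["other.example"]),
    # Missing IP address -> filtered out, as by isnotempty(IPAddress)
    make_event("Dan Example", "", "ChatCreated", "OneOnOne",
               ["other.example"], []),
]


def iter_participant_domains(participant_info):
    """Yield (source, domain) pairs, mirroring the mv-expand steps of the query:
    plain strings from ParticipatingDomains, DomainName values from ParticipatingSIPDomains."""
    for domain in participant_info.get("ParticipatingDomains") or []:
        yield "ParticipatingDomains", str(domain)
    for entry in participant_info.get("ParticipatingSIPDomains") or []:
        name = entry.get("DomainName", "") if isinstance(entry, dict) else entry
        yield "ParticipatingSIPDomains", str(name)


def is_suspicious(domain, trusted=TRUSTED_DOMAINS):
    """A domain is worth flagging only if it is non-empty and not on the allowlist.
    Checking emptiness per domain avoids the false positive where an empty SIP entry
    next to a trusted domain would otherwise pass a plain `!in` test."""
    return bool(domain) and domain.lower() not in trusted


def hunt_one_on_one_chats(events, trusted=TRUSTED_DOMAINS):
    """Apply the query's filters and return one finding per suspicious domain."""
    findings = []
    for event in events:
        if "Microsoft Teams" not in event.get("Application", "") or not event.get("IPAddress"):
            continue
        raw = json.loads(event.get("RawEventData") or "{}")
        if raw.get("Operation") != "ChatCreated" or raw.get("CommunicationType") != "OneOnOne":
            continue
        for source, domain in iter_participant_domains(raw.get("ParticipantInfo") or {}):
            if is_suspicious(domain, trusted):
                findings.append({
                    "AccountDisplayName": event.get("AccountDisplayName"),
                    "ChatCreatedFrom": event["IPAddress"],
                    "ChatName": raw.get("ChatName"),
                    "CountryCode": event.get("CountryCode"),
                    "ISP": event.get("ISP"),
                    "DomainSource": source,
                    "Domain": domain,
                })
    return findings


if __name__ == "__main__":
    for finding in hunt_one_on_one_chats(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Running the script on the constructed rows yields a single finding, for `partner.example` in Alice's chat; Bob's all-trusted chat, Carol's group chat and Dan's row without an IP address are all dropped. Extending the `trusted` set is the Python equivalent of adding entries to the `TrustedDomains` list in the query.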

Details

Sergio Albea

Released: March 5, 2025

Tables

CloudAppEvents

Keywords

CloudAppEvents, Microsoft Teams, IPAddress, Geo_IP, RawEventData, ChatName, TeamName, ChannelName, Operation, CommunicationType, ParticipantsInfo, ParticipatingDomains, ParticipatingSIPDomains, AccountDisplayName, ChatCreatedFrom, CountryCode, ISP

Operators

has, isnotempty, tostring, todynamic, parse_json, mv-expand, !=, !in, project