Query Details
**Monitoring M.Teams activities such as shared URLs, OneToOne chats and Domains participating in meetings**

New day, new KQL query, this time oriented to identifying Microsoft Teams activities such as:

- URLs shared in Teams chats or channels (Case 1)
- Domains participating in Teams meetings or channels (Case 2)
- One-to-one chats which can be related to scams (bad actors contact you externally over Teams to request info or claiming they are part of the support team, a case reported in a recent event 🎤) (Case 3)
- Non-compliant or non-allowed Teams channel/group names

```kusto
CloudAppEvents
| where Application has "Microsoft Teams"
| extend Geo_IP = tostring(geo_info_from_ip_address(IPAddress).country)
// RawEventData is already dynamic in CloudAppEvents, so its properties can be read directly
| extend ChatName = tostring(RawEventData.ChatName)
| extend TeamName = tostring(RawEventData.TeamName)
| extend ChannelName = tostring(RawEventData.ChannelName)
| extend Operation = tostring(RawEventData.Operation)
| extend CommunicationType = tostring(RawEventData.CommunicationType)
| extend MessageURLs = tostring(RawEventData.MessageURLs)
// ParticipantInfo is a single object, so read its properties directly;
// mv-expanding it would spread the properties over separate rows
| extend ParticipantInfo = RawEventData.ParticipantInfo
| extend HasGuestUsers = tobool(ParticipantInfo.HasGuestUsers)
| extend HasForeignTenantUsers = tobool(ParticipantInfo.HasForeignTenantUsers)
| extend ParticipatingDomains = ParticipantInfo.ParticipatingDomains
// Enable one case at a time: Case 1 and Case 3 require different Operation values,
// so applying all three filters together returns no rows
// Case 1: review URLs sent by Teams
| where isnotempty(MessageURLs) and Operation has "MessageCreatedHasLink"
// Case 2: review domains participating in meetings
// | where tostring(ParticipatingDomains) contains "."
// Case 3: review one-to-one communications
// | where CommunicationType has "OneOnOne" and Operation has "MessageSent"
| project ActionType, AccountDisplayName, IPAddress, Geo_IP, CountryCode, ChatName, Operation, TeamName, ChannelName, MessageURLs, HasForeignTenantUsers, HasGuestUsers, ParticipatingDomains, CommunicationType
```
This KQL query is designed to monitor and identify specific activities within Microsoft Teams. Here's a simplified breakdown of what it does:

- **Data source:** It starts by filtering events from the CloudAppEvents table that are related to Microsoft Teams.
- **Data enrichment:** It extracts various pieces of information from the raw event data (RawEventData), such as the chat, team and channel names, the operation, the communication type, the URLs contained in the message and the participant info (guest users, foreign-tenant users and participating domains), and resolves the source IP address to a country.
- **Case 1 - Shared URLs:** It identifies messages that contain URLs by checking that the MessageURLs field is not empty and that the operation is the creation of a message with a link (MessageCreatedHasLink).
- **Case 2 - Participating domains:** It looks for domains participating in meetings or channels by checking whether the ParticipatingDomains field contains a dot (indicating a domain name).
- **Case 3 - One-to-one chats:** It focuses on one-on-one communications by filtering for events where the communication type is "OneOnOne" and the operation is "MessageSent". This is particularly relevant for identifying potential scams or unauthorized contact attempts.
- **Output:** Finally, it selects and displays the relevant fields, such as action type, account display name, IP address, geographical information, chat and team names, URLs, and participant details.

Overall, the query helps in monitoring and analyzing Microsoft Teams activities to detect shared URLs, participating domains, and potentially suspicious one-on-one chats.
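As an added example, not part of the original query or the author's post, the same cases can be applied offline to RawEventData-style records, which is handy for tuning the logic before running it against a tenant. The block below reads ParticipantInfo as a single object (the shape the Teams audit records use), applies the four cases described above, and layers an allowlist of home and partner domains, trusted link hosts and a team-naming pattern on top so that routine internal activity drops out of the results. The domain sets, trusted hosts, naming pattern and sample events are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Policy values are assumptions for this example; replace them with your tenant's own.
HOME_DOMAINS = {"contoso.com"}                          # the home tenant's verified domains
ALLOWED_PARTNER_DOMAINS = {"partner.example.org"}       # vetted B2B partner tenants
TRUSTED_URL_HOSTS = (".sharepoint.com", "contoso.com")  # link hosts that need no finding
TEAM_NAME_POLICY = re.compile(r"^[A-Z]{2,5}-[A-Za-z0-9]+$")  # e.g. "FIN-Reporting"

# Constructed sample events shaped like the RawEventData object the page's query reads.
# The field names are the ones that query references; the values are made up.
SAMPLE_EVENTS = [
    {   # channel post linking to the tenant's own SharePoint: nothing to report
        "Operation": "MessageCreatedHasLink", "CommunicationType": "Channel",
        "TeamName": "FIN-Reporting", "ChannelName": "General",
        "MessageURLs": ["https://contoso.sharepoint.com/sites/fin/q4.xlsx"],
        "ParticipantInfo": {"HasForeignTenantUsers": False, "HasGuestUsers": False,
                            "ParticipatingDomains": ["contoso.com"]},
    },
    {   # one-on-one message from a user in an unvetted external tenant (Case 3)
        "Operation": "MessageSent", "CommunicationType": "OneOnOne",
        "ParticipantInfo": {"HasForeignTenantUsers": True, "HasGuestUsers": False,
                            "ParticipatingDomains": ["contoso.com", "example.net"]},
    },
    {   # guest from a vetted partner joins a team whose name breaks the naming policy
        "Operation": "MemberAdded", "CommunicationType": "Channel",
        "TeamName": "ops stuff!!!", "ChannelName": "General",
        "ParticipantInfo": {"HasForeignTenantUsers": False, "HasGuestUsers": True,
                            "ParticipatingDomains": ["contoso.com", "partner.example.org"]},
    },
    {   # external link posted in a one-on-one chat by a foreign-tenant user (Case 1 + 2)
        "Operation": "MessageCreatedHasLink", "CommunicationType": "OneOnOne",
        "MessageURLs": ["http://login-helpdesk.example.net/reset"],
        "ParticipantInfo": {"HasForeignTenantUsers": True, "HasGuestUsers": False,
                            "ParticipatingDomains": ["contoso.com", "example.net"]},
    },
]


def classify_event(ev: dict) -> list[str]:
    """Apply the page's four cases to one RawEventData-style record.

    Returns finding labels; an empty list means the event needs no attention.
    Each case mirrors the corresponding where-clause of the KQL query, with an
    allowlist layered on top so that routine internal activity drops out.
    """
    findings: list[str] = []
    op = ev.get("Operation", "")
    pinfo = ev.get("ParticipantInfo") or {}
    domains = [d.lower() for d in pinfo.get("ParticipatingDomains") or []]

    # Case 1: message carrying links; only hosts outside the trusted list are reported
    if op == "MessageCreatedHasLink":
        for url in ev.get("MessageURLs") or []:
            host = (urlparse(url).hostname or "").lower()
            if not host.endswith(TRUSTED_URL_HOSTS):
                findings.append(f"case1:external-link:{host}")

    # Case 2: participating domains that are neither the home tenant nor a vetted partner
    for d in domains:
        if d not in HOME_DOMAINS and d not in ALLOWED_PARTNER_DOMAINS:
            findings.append(f"case2:unvetted-domain:{d}")

    # Case 3: one-on-one message; escalate when the other party is in a foreign tenant
    if ev.get("CommunicationType") == "OneOnOne" and op == "MessageSent":
        if pinfo.get("HasForeignTenantUsers"):
            findings.append("case3:one-on-one-from-foreign-tenant")
        else:
            findings.append("case3:one-on-one")

    # Case 4: team (group) names that do not follow the naming policy
    team = ev.get("TeamName")
    if team and not TEAM_NAME_POLICY.match(team):
        findings.append(f"case4:non-compliant-name:{team}")

    return findings


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Findings keyed by event index; events with nothing to report are omitted."""
    return {i: f for i, ev in enumerate(events) if (f := classify_event(ev))}


if __name__ == "__main__":
    for idx, labels in triage(SAMPLE_EVENTS).items():
        print(idx, labels)
```

Note that the last sample event is a one-on-one chat from a foreign tenant but is not reported under Case 3, because, like the query, Case 3 keys on the "MessageSent" operation while a message carrying a link is logged as "MessageCreatedHasLink"; it still surfaces through Cases 1 and 2, which is why running the cases side by side rather than relying on one filter is worthwhile.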

Sergio Albea
Released: December 10, 2024