Query Details
//Detect when a user is made an owner on multiple Teams in a short time frame.
//Data connector required for this query - Office 365
//Define a time period to check and the threshold of how many Teams to alert on.
//This example would find users added as an owner to 3 or more Teams within 30 minutes.
let timeframe=30m;
let threshold=3;
OfficeActivity
| where TimeGenerated > ago(1d)
| where Operation == "MemberRoleChanged"
| mv-expand Members
//Role 2 in the Members array is the owner role; convert it to an int so the comparison below is numeric.
| extend RoleAdded = toint(Members.Role)
| extend UserAdded = tostring(Members.UPN)
| where RoleAdded == 2
| project TimeGenerated, RoleAdded, UserAdded, TeamName
| summarize
['Number of Teams Made Owner']=dcount(TeamName), ['Team Names']=make_set(TeamName) by UserAdded, bin(TimeGenerated, timeframe)
| where ['Number of Teams Made Owner'] >= threshold

This query detects when a user is made an owner of multiple Teams within a short time frame. It reads the Office 365 OfficeActivity data and defines a time period and a threshold for the number of Teams to alert on; in this example it finds users added as an owner to 3 or more Teams within 30 minutes. The query filters OfficeActivity for MemberRoleChanged operations, expands the Members array so that each member becomes its own row, and keeps only rows whose RoleAdded value is 2 (the owner role). It then projects the relevant fields, summarizes by UserAdded and 30-minute bin using dcount so that repeated changes on the same Team count once, and finally keeps only users made owner of at least the threshold number of Teams. Note that bin() uses fixed buckets, so grants that straddle a bucket boundary are split across two rows and can fall below the threshold.
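To show what the bucketing does on concrete events, here is a Python re-implementation of the query's logic over constructed OfficeActivity-style records (an added example, not the page's or the author's code; the record layout, user names and team names are assumptions). It keeps the query's fixed bin() grouping and adds a sliding-window variant that also flags a user whose three grants straddle a bin boundary.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TIMEFRAME = timedelta(minutes=30)  # the query's `let timeframe=30m;`
THRESHOLD = 3                      # the query's `let threshold=3;`
OWNER_ROLE = 2                     # the RoleAdded value the page treats as "owner"
EPOCH = datetime(1970, 1, 1)       # bin() floors relative to a fixed origin

def _rec(ts, team, upn, role, op="MemberRoleChanged"):  # one OfficeActivity-style record
    return {"TimeGenerated": ts, "Operation": op, "TeamName": team,
            "Members": [{"UPN": upn, "Role": role}]}
SAMPLE_RECORDS = [  # constructed sample data, not from a real tenant
    _rec("2022-06-17T10:05:00", "TeamA", "alice@example.com", 2),
    _rec("2022-06-17T10:20:00", "TeamB", "alice@example.com", "2"),  # Role may arrive as a string
    _rec("2022-06-17T10:25:00", "TeamC", "alice@example.com", 2),
    _rec("2022-06-17T10:26:00", "TeamA", "alice@example.com", 2),    # repeat team: dcount counts once
    _rec("2022-06-17T10:25:00", "TeamX", "bob@example.com", 2),      # bob's three grants straddle
    _rec("2022-06-17T10:35:00", "TeamY", "bob@example.com", 2),      # the 10:30 bin boundary
    _rec("2022-06-17T10:40:00", "TeamZ", "bob@example.com", 2),
    _rec("2022-06-17T10:41:00", "TeamW", "carol@example.com", 1),    # member role (1), not owner
    _rec("2022-06-17T10:45:00", "TeamQ", "bob@example.com", 2, op="MemberAdded"),  # other Operation
]

def owner_grants(records):
    """The query's filter / mv-expand / extend steps: yield (time, UPN, team) per owner grant."""
    for rec in records:
        if rec["Operation"] == "MemberRoleChanged":
            for member in rec["Members"]:                    # mv-expand Members
                if int(member["Role"]) == OWNER_ROLE:        # numeric compare, as toint() would
                    yield datetime.fromisoformat(rec["TimeGenerated"]), member["UPN"], rec["TeamName"]

def fixed_bin_alerts(records, timeframe=TIMEFRAME, threshold=THRESHOLD):
    """summarize dcount/make_set(TeamName) by UserAdded, bin(TimeGenerated, timeframe)."""
    teams = defaultdict(set)
    for ts, upn, team in owner_grants(records):
        bin_start = EPOCH + ((ts - EPOCH) // timeframe) * timeframe
        teams[(upn, bin_start.isoformat())].add(team)
    return {k: sorted(v) for k, v in teams.items() if len(v) >= threshold}

def sliding_window_alerts(records, timeframe=TIMEFRAME, threshold=THRESHOLD):
    """Variant not on the page: peak distinct teams within `timeframe` of any single grant."""
    grants, peak = defaultdict(list), {}
    for ts, upn, team in owner_grants(records):
        grants[upn].append((ts, team))
    for upn, items in grants.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            window = {t for t_s, t in items[i:] if t_s - start <= timeframe}
            peak[upn] = max(peak.get(upn, 0), len(window))
    return {upn: n for upn, n in peak.items() if n >= threshold}
```

Running both functions on the sample shows the fixed bins alert only on alice, while the sliding window also catches bob, whose grants at 10:25, 10:35 and 10:40 are split by the 10:30 boundary.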

Matt Zorich
Released: June 17, 2022