Query Details

Office Activity Guest Added to Multiple Teams

Query

// Detect when a guest is added to multiple Teams in a short time frame.
// Data connector required for this query - Office 365
// Define a time period to check and the threshold of how many Teams to alert on.
let timeframe=15m;
let threshold=2;
OfficeActivity
| where TimeGenerated > ago(1d)
| where Operation == "MemberAdded"
// Members is a dynamic array; expand it so each added member becomes its own row.
| mv-expand Members
| extend UserAdded = tostring(Members.UPN)
// Guest (external) accounts carry the #EXT# marker in their UPN.
| where UserAdded contains "#EXT#"
| where CommunicationType == "Team"
| summarize
    ['Number of Teams Guest Added To']=dcount(TeamName), ['Team Names']=make_set(TeamName) by UserAdded, bin(TimeGenerated, timeframe)
| where ['Number of Teams Guest Added To'] >= threshold

Explanation

This query detects when a guest is added to multiple Teams in a short time frame. It uses the Office 365 data connector and requires defining a time period to check and a threshold for the number of Teams to alert on. The query filters for OfficeActivity events where a member is added, expands the Members array so each added member is its own row, and keeps only guest accounts (UPNs containing "#EXT#") added at the Team level. It then summarizes, per guest and per time bin, the distinct number of Teams the guest was added to and the names of those Teams. Finally, it filters for guests who have been added to a number of Teams equal to or greater than the defined threshold.
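The following is an added reference implementation of the same detection logic in Python, not part of the original query page or its author's work. It applies the query's filters and aggregation to a constructed set of OfficeActivity-shaped events so the behaviour can be checked offline, and it goes one step beyond the query: because `bin(TimeGenerated, timeframe)` groups into fixed 15-minute buckets, two additions a couple of minutes apart that straddle a bucket boundary land in different bins and never reach the threshold, so a sliding-window variant is included for comparison. All event values, UPNs and team names below are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape of OfficeActivity rows (not real tenant data).
# Guest UPNs carry the "#EXT#" marker that the query keys on.
ALICE = "alice_contoso.com#EXT#@fabrikam.onmicrosoft.com"
BOB = "bob_contoso.com#EXT#@fabrikam.onmicrosoft.com"
DAVE = "dave_contoso.com#EXT#@fabrikam.onmicrosoft.com"


def _event(time, team, upn, operation="MemberAdded", ctype="Team"):
    return {"TimeGenerated": time, "Operation": operation, "CommunicationType": ctype,
            "TeamName": team, "Members": [{"UPN": upn, "Role": 1}]}


SAMPLE_EVENTS = [
    _event("2022-06-17T09:01:00", "Finance", ALICE),
    _event("2022-06-17T09:05:00", "Legal", ALICE),
    # Re-added to the same team: dcount() counts Finance once, as the KQL does.
    _event("2022-06-17T09:07:00", "Finance", ALICE),
    # Bob's two additions are two minutes apart but straddle the 09:15 bin boundary.
    _event("2022-06-17T09:14:00", "Marketing", BOB),
    _event("2022-06-17T09:16:00", "Sales", BOB),
    # Internal user (no #EXT#), a channel-level add and a removal are all filtered out.
    _event("2022-06-17T09:20:00", "Sales", "carol@fabrikam.onmicrosoft.com"),
    _event("2022-06-17T09:21:00", "Finance", DAVE, ctype="Channel"),
    _event("2022-06-17T09:22:00", "Legal", DAVE, operation="MemberRemoved"),
]


def guest_team_additions(events):
    """Apply the query's row filters and mv-expand: yield (timestamp, guest UPN, team)."""
    for ev in events:
        if ev.get("Operation") != "MemberAdded" or ev.get("CommunicationType") != "Team":
            continue
        ts = datetime.fromisoformat(ev["TimeGenerated"])
        for member in ev.get("Members", []):      # mv-expand Members
            upn = str(member.get("UPN", ""))       # tostring(Members.UPN)
            if "#EXT#" in upn:                     # guest accounts only
                yield ts, upn, ev["TeamName"]


def bin_start(ts, timeframe):
    """Mirror KQL bin(): floor the timestamp to a multiple of timeframe."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // timeframe) * timeframe


def detect_fixed_bins(events, timeframe=timedelta(minutes=15), threshold=2):
    """Same aggregation as the KQL: dcount(TeamName) per guest per fixed time bin."""
    teams_by_key = defaultdict(set)
    for ts, upn, team in guest_team_additions(events):
        teams_by_key[(upn, bin_start(ts, timeframe))].add(team)
    return [{"UserAdded": upn, "Bin": b,
             "Number of Teams Guest Added To": len(teams), "Team Names": sorted(teams)}
            for (upn, b), teams in sorted(teams_by_key.items()) if len(teams) >= threshold]


def detect_sliding_window(events, timeframe=timedelta(minutes=15), threshold=2):
    """Variant not in the original query: count distinct teams in any window of
    length `timeframe` starting at an addition, so boundary-straddling bursts
    are still caught. One alert per guest is emitted."""
    by_guest = defaultdict(list)
    for ts, upn, team in guest_team_additions(events):
        by_guest[upn].append((ts, team))
    alerts = []
    for upn, adds in sorted(by_guest.items()):
        adds.sort()
        for i, (start, _) in enumerate(adds):
            teams = {team for ts, team in adds[i:] if ts - start < timeframe}
            if len(teams) >= threshold:
                alerts.append({"UserAdded": upn, "WindowStart": start,
                               "Number of Teams Guest Added To": len(teams),
                               "Team Names": sorted(teams)})
                break
    return alerts


if __name__ == "__main__":
    print("fixed bins (as the KQL query):", detect_fixed_bins(SAMPLE_EVENTS))
    print("sliding window:", detect_sliding_window(SAMPLE_EVENTS))
```

On the sample data the fixed-bin logic alerts only on the first guest; the second guest's two additions fall in adjacent bins and are missed, while the sliding-window variant flags both. In Sentinel the equivalent caveat applies when tuning `timeframe`: a larger bin reduces boundary misses at the cost of grouping unrelated additions together.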

Details

Matt Zorich

Released: June 17, 2022

Tables

OfficeActivity

Keywords

Devices, Intune, User, Office365, OfficeActivity, MemberAdded, Members, UPN, CommunicationType, TeamName, TimeGenerated, dcount, make_set

Operators

let, where, ago, mv-expand, extend, tostring, contains, summarize, dcount, make_set, bin