Query Details
// Rule : M365 - Teams Channel Deleted or Team Removed (Destructive Action)
// Severity: Medium (the query raises AlertSeverity to High for TeamDeleted or 10+ events)
// Tactics : Impact, DefenseEvasion
// MITRE : T1485 (Data Destruction), T1070 (Indicator Removal)
// Freq : PT1H Period: PT1H
// Description: Detects bulk deletion of Teams channels or entire Team workspaces,
// which may indicate destructive insider activity or a compromised account
// conducting cleanup after data exfiltration. MemberRemoved and TabRemoved are
// counted as well; they are routine owner/admin actions and the main source of noise.
//==========================================================================================
let BulkDeleteThreshold = 3;   // deletions per user per hour
let LookbackPeriod = 1h;       // matches the PT1H period so each run sees a fresh window
OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType == "MicrosoftTeams"
| where Operation in (
    "TeamDeleted", "ChannelDeleted", "TeamArchived",
    "MemberRemoved", "TabRemoved")
| summarize
    DeleteCount   = count(),
    Operations    = make_set(Operation, 10),
    // make_set_if keeps empty strings out of the sets (not every operation carries a team/channel name)
    TeamsAffected = make_set_if(TeamName, isnotempty(TeamName), 10),
    ChannelList   = make_set_if(ChannelName, isnotempty(ChannelName), 10),
    ClientIPs     = make_set_if(ClientIP, isnotempty(ClientIP), 5),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by UserId, UserType
// Fire on volume, or on any single team-level destructive operation
| where DeleteCount >= BulkDeleteThreshold
    or set_has_element(Operations, "TeamDeleted")
    or set_has_element(Operations, "TeamArchived")
| extend AlertSeverity = case(
    set_has_element(Operations, "TeamDeleted"), "High",
    DeleteCount >= 10, "High",
    "Medium")
| project
    TimeGenerated = LastSeen,
    UserId,
    UserType,
    DeleteCount,
    Operations,
    TeamsAffected,
    ChannelList,
    ClientIPs,
    AlertSeverity
This query detects potentially harmful actions in Microsoft Teams, such as the deletion of channels or entire Teams, which could indicate malicious insider activity or a compromised account. Here's a simplified breakdown of what the query does:
Threshold Setting: It sets a threshold for what is considered "bulk deletion" at 3 events per user per hour.
Time Frame: It looks at activities within the last hour, which matches the rule's one-hour run frequency so that each run evaluates a fresh window.
Data Filtering: It filters the OfficeActivity logs to Microsoft Teams records (RecordType == "MicrosoftTeams") and to the operations that remove something: TeamDeleted, ChannelDeleted, TeamArchived, MemberRemoved and TabRemoved.
Data Aggregation: For each user (and user type), it counts those events and collects the distinct operations performed, the Teams and channels affected, the client IP addresses used, and the first and last time seen.
Alert Conditions: It flags users who have performed 3 or more of these operations in the hour, or who performed a team-level destructive action (TeamDeleted or TeamArchived) even once.
Severity Assignment: It assigns a severity level to the alert: High if the user deleted a Team or performed 10 or more of the counted operations, otherwise Medium. Note that archiving a Team on its own is an alert but only at Medium.
Output: It outputs a summary of the suspicious activity, including the time of the last action, user details, number of deletions, types of operations, affected Teams and channels, IP addresses, and the alert severity.
Tuning Note: Because MemberRemoved and TabRemoved count toward the threshold, routine offboarding or a Team owner tidying up tabs can produce Medium alerts. If that is too noisy, raise BulkDeleteThreshold, drop those two operations from the filter, or keep them only as context for the channel and team deletions.
This query helps in identifying and responding to potential security incidents involving Microsoft Teams.
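The breakdown above is easier to validate with a test harness than by waiting for real deletions. The following Python is an added example, not part of the original query page, that mirrors the rule's filtering, per-user aggregation, trigger and severity logic over constructed OfficeActivity-style rows (sample data, not real telemetry). The names evaluate(), ev(), SAMPLE_EVENTS and NOW are assumptions chosen for this example. It covers the edge cases worth knowing: a single TeamDeleted fires on its own, TeamArchived alone fires but only at Medium, member removals alone can reach High purely on volume, and events outside the one-hour window or from another workload are ignored.

```python
"""Offline re-implementation of the Teams destructive-action rule, for unit-testing its logic.

Assumed helper names (not from the page): ev(), evaluate(), SAMPLE_EVENTS, NOW.
Mirrors the KQL: RecordType/Operation/lookback filters, summarize by (UserId, UserType),
the threshold-or-team-level trigger, and the case() severity assignment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BULK_DELETE_THRESHOLD = 3           # deletions per user per hour, as in the rule
LOOKBACK = timedelta(hours=1)
HIGH_COUNT = 10                     # DeleteCount >= 10 -> High
WATCHED_OPS = {"TeamDeleted", "ChannelDeleted", "TeamArchived", "MemberRemoved", "TabRemoved"}
ALWAYS_ALERT_OPS = {"TeamDeleted", "TeamArchived"}   # fire even on a single event
SET_LIMIT = 10                      # make_set(..., 10) cap

# Fixed "now" so the constructed sample is reproducible
NOW = datetime(2026, 3, 18, 12, 0, 0)


def ev(minutes_ago, op, user, team="", channel="", ip="203.0.113.10",
       record_type="MicrosoftTeams", user_type="Regular"):
    """Build one constructed OfficeActivity-like row (only the columns the rule uses)."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "RecordType": record_type, "Operation": op, "UserId": user,
        "UserType": user_type, "ClientIP": ip, "TeamName": team, "ChannelName": channel,
    }


# Constructed sample log rows, one scenario per user
SAMPLE_EVENTS = (
    # alice: four channel deletions in ~20 minutes -> crosses the bulk threshold (Medium)
    [ev(5 * i + 2, "ChannelDeleted", "alice@contoso.example", "Finance", f"Q{i + 1}-Reports")
     for i in range(4)]
    # bob: a single TeamDeleted fires regardless of count (High)
    + [ev(30, "TeamDeleted", "bob@contoso.example", "Legal")]
    # carol: two channel deletions, below threshold and no team-level op -> no alert
    + [ev(10, "ChannelDeleted", "carol@contoso.example", "HR", "Old-Announcements"),
       ev(12, "ChannelDeleted", "carol@contoso.example", "HR", "Archive-2024")]
    # dave: twelve member removals (offboarding-style noise) -> High purely on volume
    + [ev(3 * i + 1, "MemberRemoved", "dave@contoso.example", "Engineering") for i in range(12)]
    # eve: a deletion 90 minutes ago, outside the one-hour lookback -> ignored
    + [ev(90, "ChannelDeleted", "eve@contoso.example", "Sales", "Leads")]
    # frank: TeamArchived alone -> alerts, but the case() only yields Medium
    + [ev(15, "TeamArchived", "frank@contoso.example", "Projects")]
    # grace: wrong workload, dropped by the RecordType filter
    + [ev(5, "ChannelDeleted", "grace@contoso.example", record_type="ExchangeAdmin")]
)


def evaluate(events, now):
    """Return the rule's alert rows for the given events, evaluated at `now`."""
    window_start = now - LOOKBACK
    groups = defaultdict(list)
    for e in events:
        if e["RecordType"] != "MicrosoftTeams" or e["Operation"] not in WATCHED_OPS:
            continue
        if e["TimeGenerated"] <= window_start:          # KQL: TimeGenerated > ago(1h)
            continue
        groups[(e["UserId"], e["UserType"])].append(e)

    def make_set(rows, key, limit=SET_LIMIT):
        # make_set_if(col, isnotempty(col), limit): distinct non-empty values, capped
        return sorted({r[key] for r in rows if r[key]})[:limit]

    alerts = []
    for (user, user_type), rows in groups.items():
        ops = {r["Operation"] for r in rows}
        count = len(rows)
        # Trigger: volume, or any team-level destructive operation
        if count < BULK_DELETE_THRESHOLD and not (ops & ALWAYS_ALERT_OPS):
            continue
        # case(): TeamDeleted -> High, >= 10 -> High, else Medium (TeamArchived alone stays Medium)
        severity = "High" if ("TeamDeleted" in ops or count >= HIGH_COUNT) else "Medium"
        alerts.append({
            "TimeGenerated": max(r["TimeGenerated"] for r in rows),   # LastSeen
            "UserId": user,
            "UserType": user_type,
            "DeleteCount": count,
            "Operations": make_set(rows, "Operation"),
            "TeamsAffected": make_set(rows, "TeamName"),
            "ChannelList": make_set(rows, "ChannelName"),
            "ClientIPs": make_set(rows, "ClientIP", 5),
            "AlertSeverity": severity,
        })
    return sorted(alerts, key=lambda a: a["UserId"])


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, NOW):
        print(alert["AlertSeverity"], alert["UserId"], alert["DeleteCount"], alert["Operations"])
```

Running it prints four alerts (alice Medium, bob High, dave High, frank Medium) and nothing for carol, eve or grace. The dave row is the case to look at when tuning: twelve MemberRemoved events with no channel or team deletion is indistinguishable from bulk offboarding under the rule as written, which is why the counted operations and the threshold are the first things to adjust.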

David Alonso
Released: March 18, 2026