# Defender for Office 365 - Teams Messages

## Query Information

### Description

- The ***MessageEvents*** table in the advanced hunting schema contains details about messages sent and received within your organization at the time of delivery.
- The ***MessageUrlInfo*** table in the advanced hunting schema contains information about URLs sent through Microsoft Teams messages in your organization.
- The ***MessagePostDeliveryEvents*** table in the advanced hunting schema contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization.

Use the query below to retrieve Teams message information.

#### References

- [Introducing new Advanced Hunting Tables to hunt on Teams messages and URLs](https://admin.microsoft.com/Adminportal/Home?source=applauncher&ref=MessageCenter/:/messages/MC1048617)
- [MessageEvents](https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-messageevents-table)
- [MessageUrlInfo](https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-messageurlinfo-table)
- [MessagePostDeliveryEvents](https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-messagepostdeliveryevents-table)

### Microsoft Defender XDR

Retrieve Teams messages together with the links embedded in the Teams chat.

```kql
// Left outer join: keep every Teams message and attach URL details where a match exists
MessageEvents
| join kind=leftouter MessageUrlInfo
    on $left.TeamsMessageId == $right.TeamsMessageId
```

### Explanation

This query is designed to gather information about Microsoft Teams messages within an organization using Microsoft Defender for Office 365. Here's a simple breakdown of what the query does:

1. Data Sources:
   - The query uses two tables: MessageEvents and MessageUrlInfo.
   - MessageEvents contains details about messages sent and received at the time of delivery.
   - MessageUrlInfo contains information about URLs included in Microsoft Teams messages.
2. Purpose:
   - The goal is to retrieve information about Teams messages and any URLs that were included in those messages.
3. How It Works:
   - The query performs a "left outer join" operation between the MessageEvents table and the MessageUrlInfo table.
   - It matches records from both tables based on a common field called TeamsMessageId.
   - This means it will take all records from MessageEvents and add any matching URL information from MessageUrlInfo based on the TeamsMessageId.
4. Outcome:
   - The result will be a combined dataset that includes details of Teams messages along with any URLs that were part of those messages, even if some messages don't have associated URLs.

In summary, this query is used to analyze Microsoft Teams messages and any URLs they contain, helping to monitor and investigate communication within an organization.
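As an added example (not part of the original query), the same left outer join pattern can be extended to the third table described above, MessagePostDeliveryEvents, so that each message row carries both its URLs and any post-delivery detections. TeamsMessageId is the join key documented on this page; the other column names (Timestamp, IsExternalThread, SenderEmailAddress, RecipientEmailAddress, ThreadType, Url, UrlDomain, ActionType, ThreatTypes) are assumed from the linked Microsoft docs and should be checked against your tenant's schema.

```kql
// Added example, not the page's original query.
// Column names other than TeamsMessageId are assumed from the linked docs.
let lookback = 7d;
MessageEvents
| where Timestamp > ago(lookback)
// Assumed column: restrict to threads that include external participants
| where IsExternalThread == true
// Aggregate URLs per message first so the join does not multiply message rows
| join kind=leftouter (
    MessageUrlInfo
    | where Timestamp > ago(lookback)
    | summarize Urls = make_set(Url, 50),
                UrlDomains = make_set(UrlDomain, 50)
        by TeamsMessageId
  ) on TeamsMessageId
// Same pattern for post-delivery security events (e.g. ZAP actions)
| join kind=leftouter (
    MessagePostDeliveryEvents
    | where Timestamp > ago(lookback)
    | summarize PostDeliveryActions = make_set(ActionType, 20),
                PostDeliveryThreatTypes = make_set(ThreatTypes, 20)
        by TeamsMessageId
  ) on TeamsMessageId
// Keep only messages that either carried a URL or triggered a post-delivery event
| where isnotempty(Urls) or isnotempty(PostDeliveryActions)
| project Timestamp, TeamsMessageId, SenderEmailAddress, RecipientEmailAddress,
          ThreadType, UrlDomains, Urls, PostDeliveryActions, PostDeliveryThreatTypes
| order by Timestamp desc
```

Pre-aggregating the right-hand tables with summarize keeps one row per message, which is what makes the leftouter join safe to read as "messages plus their URLs and detections".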

### Details

Author: Alex Verboon

Released: May 6, 2025

Tables: MessageEvents, MessageUrlInfo

Keywords: TeamsMessages, URLs, SecurityEvents

Operators: join, kind=leftouter, on
