Query Details

Teams Bots or Apps Added

Query

// Hunt for apps or bots that are new to Teams

// If you have more than 14 days' worth of Teams data, change this value
let data_date = 14d;
// Baseline: every add-in (app or bot) name seen in the lookback window
let historical_bots = (
TeamsData
| where TimeGenerated > ago(data_date)
| where isnotempty(AddOnName)
| project AddOnName);
OfficeActivity
| where TimeGenerated > ago(1d)
// Look for add-ins we have never seen before (!in excludes anything already in the baseline)
| where AddOnName !in (historical_bots)
// Uncomment the following line to map query entities if you plan to use this as a detection query
//| extend timestamp = TimeGenerated, AccountCustomEntity = UserId

Explanation

This query hunts for new apps or bots in Microsoft Teams. It builds a baseline list, historical_bots, of every add-in name recorded in the TeamsData table over the past 14 days, then scans OfficeActivity for add-ins used in the past 24 hours whose name is not in that baseline. The last line is commented out; uncomment it to map the timestamp and account entities when the query is used as a detection (analytics) rule rather than an ad-hoc hunt.
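As an added example, not the original query above, the same hunt with the baseline window cut off before the detection window, so an add-in first seen yesterday is still reported today as new, and with results rolled up per add-in for triage. It assumes the same AddOnName and UserId columns in TeamsData and OfficeActivity that the original query relies on.

```kql
// Added example (not part of the original hunting query).
// Assumes TeamsData and OfficeActivity expose AddOnName and UserId as above.
let lookback = 14d;        // baseline window; extend it if more history is retained
let detect_window = 1d;    // window in which newly seen add-ins are reported
// Baseline deliberately stops at ago(detect_window) so the detection window
// cannot contaminate its own "already seen" list
let historical_bots =
    TeamsData
    | where TimeGenerated between (ago(lookback) .. ago(detect_window))
    | where isnotempty(AddOnName)
    | distinct AddOnName;
OfficeActivity
| where TimeGenerated > ago(detect_window)
| where isnotempty(AddOnName)
| where AddOnName !in (historical_bots)
// One row per new add-in: when it first appeared, how often, and which accounts used it
| summarize FirstSeen = min(TimeGenerated),
            Events = count(),
            Users = make_set(UserId, 20)
          by AddOnName
| order by FirstSeen asc
```

An add-in that appears with many events from a single account in its first day is the usual starting point for review; the Users set (capped at 20 accounts) gives the analyst the first accounts to check.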

Details


Rod Trent

Released: September 1, 2020

Tables

TeamsData, OfficeActivity

Keywords

TeamsData,TimeGenerated,AddOnName,OfficeActivity,UserId

Operators

where, let, |, isnotempty, project, in, extend
