Teams External Rare User Access
Query
//External users added to teams who come from organizations that haven't been seen or added before
// If you have more than 14 days worth of Teams data change this value
let data_date = 14d;
// If you want to look at users further back than the last day change this value
let lookback_data = 1d;
let known_orgs = (
OfficeActivity
| where TimeGenerated > ago(data_date)
| where Operation =~ "MemberAdded" or Operation =~ "TeamsSessionStarted"
// Extract the correct UPN and parse our external organization domain
| extend UPN = iif(Operation == "MemberAdded", tostring(parse_json(Members)[0].UPN), UserId)
| extend Organization = tostring(split(split(UPN, "_")[1], "#")[0])
| where isnotempty(Organization)
| summarize by Organization);
OfficeActivity
| where TimeGenerated > ago(lookback_data)
| where Operation =~ "MemberAdded"
| extend UPN = tostring(parse_json(Members)[0].UPN)
| extend Organization = tostring(split(split(UPN, "_")[1], "#")[0])
| where isnotempty(Organization)
| where Organization !in (known_orgs)
// Uncomment the following line to map query entities is you plan to use this as a detection query
//| extend timestamp = TimeGenerated, AccountCustomEntity = UPNExplanation
This query is looking for external users who have been added to teams from organizations that have not been seen or added before. It uses a specified time frame for the data and checks for operations related to adding members or starting Teams sessions. It extracts the user principal name (UPN) and parses the external organization domain. It then compares the organizations with a list of known organizations and filters out any that are already known.
Details

Rod Trent
Released: September 1, 2020
Tables
OfficeActivity
Keywords
TeamsOrganizationsExternal users
Operators
wherelet=14d1d|>ago=~oriiftostringparse_jsonextendsplitisnotemptysummarizein!in//