Query Details

Teams External Rare User Access

Query

//External users added to teams who come from organizations that haven't been seen or added before

// If you have more than 14 days worth of Teams data change this value
let data_date = 14d;
// If you want to look at users further back than the last day change this value
let lookback_data = 1d;
// Baseline of organizations already seen. The baseline window must end where the
// lookback window starts: if it also covered the lookback window, every organization
// added there would already count as known and the query would never return a row.
let known_orgs = (
OfficeActivity
| where TimeGenerated between (ago(data_date) .. ago(lookback_data))
| where Operation =~ "MemberAdded" or Operation =~ "TeamsSessionStarted"
// Extract the correct UPN and parse our external organization domain
| extend UPN = iif(Operation =~ "MemberAdded", tostring(parse_json(Members)[0].UPN), UserId)
| extend Organization = tostring(split(split(UPN, "_")[1], "#")[0])
| where isnotempty(Organization)
| summarize by Organization);
// Members added during the lookback window whose organization is not in the baseline
OfficeActivity
| where TimeGenerated > ago(lookback_data)
| where Operation =~ "MemberAdded"
| extend UPN = tostring(parse_json(Members)[0].UPN)
| extend Organization = tostring(split(split(UPN, "_")[1], "#")[0])
| where isnotempty(Organization)
| where Organization !in (known_orgs)
// Uncomment the following line to map query entities if you plan to use this as a detection query
//| extend timestamp = TimeGenerated, AccountCustomEntity = UPN

Explanation

This query looks for external users who have been added to teams from organizations that have not been seen or added before. It first builds a baseline of organizations from MemberAdded and TeamsSessionStarted operations over the previous 14 days, extracting the user principal name (UPN) from each event and parsing the external organization domain out of it. It then takes the MemberAdded events of the last day, parses the organization the same way, and reports only those whose organization is absent from the baseline.
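The same detection logic as an added Python example (not part of the original page, and not Microsoft's or Sentinel's own code), run over constructed OfficeActivity-style rows. It differs from the query in one deliberate point: it isolates the guest organization by cutting the UPN at "#EXT#" and splitting at the last underscore, so a local part that itself contains an underscore is not misparsed; the tenant suffix, user names and organization domains are made up.

```python
import json
from datetime import datetime, timedelta

def external_org(upn):
    """Organization domain from a guest UPN shaped local_domain#EXT#@tenant.
    The query's split(split(UPN, "_")[1], "#")[0] keeps what follows the FIRST
    underscore, so first_last@contoso.com yields "last"; cutting at "#EXT#" and
    splitting at the LAST underscore avoids that. Non-guest UPNs return ""."""
    head, marker, _ = upn.partition("#EXT#")
    if not marker or "_" not in head:
        return ""
    return head.rsplit("_", 1)[1].lower()

def rare_external_orgs(events, now, data_date=timedelta(days=14),
                       lookback=timedelta(days=1)):
    """known = orgs in MemberAdded/TeamsSessionStarted rows older than the lookback
    window but within data_date; report lookback MemberAdded rows with an unknown org."""
    known, recent = set(), []
    for r in events:
        op = r["Operation"].lower()
        if op == "memberadded":
            upn = json.loads(r["Members"])[0]["UPN"]  # parse_json(Members)[0].UPN
        elif op == "teamssessionstarted":
            upn = r["UserId"]
        else:
            continue
        org = external_org(upn)
        if not org:
            continue
        age = now - r["TimeGenerated"]
        if lookback < age <= data_date:
            known.add(org)
        elif age <= lookback and op == "memberadded":
            recent.append((r["TimeGenerated"], upn, org))
    return [hit for hit in recent if hit[2] not in known]

# Constructed OfficeActivity-like rows, not real data; the tenant suffix is made up.
NOW = datetime(2020, 9, 1)
EXT = "#EXT#@fabrikam.onmicrosoft.com"
def row(days_ago, op, upn):
    added = op == "MemberAdded"
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "Operation": op,
            "UserId": "admin@fabrikam.com" if added else upn,
            "Members": json.dumps([{"UPN": upn, "Role": 1}]) if added else ""}
SAMPLE = [
    row(10, "MemberAdded", "alice_contoso.com" + EXT),       # baseline org
    row(5, "TeamsSessionStarted", "bob_contoso.com" + EXT),  # baseline org
    row(0.5, "MemberAdded", "carol_contoso.com" + EXT),      # already known: dropped
    row(0.2, "MemberAdded", "dan_tailspin.net" + EXT),       # never seen: reported
    row(0.1, "MemberAdded", "erin_white_adatum.org" + EXT),  # underscore in local part
    row(0.3, "MemberAdded", "frank@fabrikam.com"),           # tenant member, not a guest
]
```

Running rare_external_orgs(SAMPLE, NOW) reports only dan and erin; carol's organization is already in the baseline and frank is a tenant member rather than a guest.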

Details


Rod Trent

Released: September 1, 2020

Tables

OfficeActivity

Keywords

Teams, Organizations, External users

Operators

where, let, =, 14d, 1d, |, >, ago, =~, or, iif, tostring, parse_json, extend, split, isnotempty, summarize, in, !in, //
