Query Details

Teams External Suspicious Accounts Revoked Access

Query

// Hunt for external accounts that are added to Teams and swiftly removed, to help identify suspicious behavior

// If you want to look at users added more than 7 days ago, adjust this value
let time_ago = 7d;
// If you want to change how quickly an account must be added and then removed to match, change this value
let time_delta = 1h;
OfficeActivity
| where TimeGenerated > ago(time_ago)
| where Operation =~ "MemberAdded"
// Only the first entry of Members is inspected; an operation that adds several members at once yields one UPN
| extend UPN = tostring(parse_json(Members)[0].UPN)
| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName, TeamGuid = tostring(Details.TeamGuid)
// kind=inner keeps every add/remove pair; the default (innerunique) would keep a single add row per UPN and team
| join kind=inner (
OfficeActivity
| where TimeGenerated > ago(time_ago)
| where Operation =~ "MemberRemoved"
| extend UPN = tostring(parse_json(Members)[0].UPN)
| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName, TeamGuid = tostring(Details.TeamGuid)) on UPN, TeamGuid
// The removal must follow the add and fall within time_delta; without the lower bound a removal that preceded a later re-add would also match
| where TimeDeleted > TimeAdded and TimeDeleted < (TimeAdded + time_delta)
| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName, TeamGuid
// Uncomment the following line to map query entities if you plan to use this as a detection query
//| extend timestamp = TimeAdded, AccountCustomEntity = UPN

Explanation

This query looks for accounts that are added to a Team and removed again shortly afterwards, a pattern that can indicate someone granting an outsider brief access to collect data and then covering their tracks. Two values are adjustable: how far back in OfficeActivity to look (time_ago) and how quickly the add and the remove must follow each other to count as a match (time_delta). MemberAdded and MemberRemoved events are joined on the member's UPN and the TeamGuid, and the result shows when the account was added and removed, who performed each action, the team name and the team ID. A line at the end can be uncommented to map the timestamp and account entities if the query is used as a detection rule. Two caveats a hunter should keep in mind: the query does not itself restrict matches to external (guest) accounts, so internal users added and removed quickly will also appear, and only the first member listed in the Members field of each event is examined, so an operation that adds several members at once contributes just one UPN to the join.
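The same add-then-remove logic, re-implemented in Python so it can be exercised offline against hand-written events. This is an added example, not code from the original page or from Azure Sentinel. The records are constructed to mimic the OfficeActivity columns the KQL touches (TimeGenerated, Operation, UserId, Members as a JSON string, TeamName, Details.TeamGuid); the tenant names and UPNs are made up. It goes beyond the KQL in three assumed ways, each noted in the code: it inspects every entry in Members rather than only the first, it requires the removal to come strictly after the add, and it offers an optional guest-only filter based on the "#EXT#" marker that Azure AD places in B2B guest UPNs.

```python
"""Offline re-implementation of the Teams add-then-remove hunt.

Added example, not code from the original page. Records are constructed to
mimic the OfficeActivity columns the KQL touches; the "#EXT#" guest check is
an assumption layered on top of the original logic.
"""
import json
from datetime import datetime, timedelta

GUEST = "#EXT#@contoso.onmicrosoft.com"  # constructed tenant suffix for guest UPNs


def _ev(time, op, actor, upns, team_name, team_guid):
    """Build one constructed OfficeActivity-style record (Members is a JSON string)."""
    return {
        "TimeGenerated": time, "Operation": op, "UserId": actor,
        "Members": json.dumps([{"UPN": u, "Role": 1} for u in upns]),
        "TeamName": team_name, "Details": {"TeamGuid": team_guid},
    }


# Constructed sample telemetry (not real). Each case probes one edge of the hunt.
SAMPLE_EVENTS = [
    # 1: guest added and removed 20 minutes later by the same user -> should fire
    _ev("2020-09-01T10:00:00Z", "MemberAdded",   "alice@contoso.com", ["mallory_evil.example" + GUEST], "Finance", "t-1"),
    _ev("2020-09-01T10:20:00Z", "MemberRemoved", "alice@contoso.com", ["mallory_evil.example" + GUEST], "Finance", "t-1"),
    # 2: internal user added and removed quickly -> fires only when guests_only is False
    _ev("2020-09-01T11:00:00Z", "MemberAdded",   "alice@contoso.com", ["bob@contoso.com"], "Finance", "t-1"),
    _ev("2020-09-01T11:10:00Z", "MemberRemoved", "carol@contoso.com", ["bob@contoso.com"], "Finance", "t-1"),
    # 3: removal precedes the add (a re-invite) -> must NOT fire
    _ev("2020-09-01T09:00:00Z", "MemberRemoved", "alice@contoso.com", ["g2_partner.example" + GUEST], "Legal", "t-2"),
    _ev("2020-09-01T09:30:00Z", "MemberAdded",   "alice@contoso.com", ["g2_partner.example" + GUEST], "Legal", "t-2"),
    # 4: two guests added in one operation; only the second is removed -> fires for the second
    _ev("2020-09-01T12:00:00Z", "MemberAdded",   "dave@contoso.com", ["g3_a.example" + GUEST, "g4_b.example" + GUEST], "Ops", "t-3"),
    _ev("2020-09-01T12:15:00Z", "MemberRemoved", "dave@contoso.com", ["g4_b.example" + GUEST], "Ops", "t-3"),
    # 5: removed two hours later -> outside the default 1h window, must NOT fire
    _ev("2020-09-01T13:00:00Z", "MemberAdded",   "alice@contoso.com", ["g5_c.example" + GUEST], "Finance", "t-1"),
    _ev("2020-09-01T15:00:00Z", "MemberRemoved", "alice@contoso.com", ["g5_c.example" + GUEST], "Finance", "t-1"),
]


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_guest(upn):
    """Azure AD B2B guest UPNs carry '#EXT#'; the original KQL does not apply this filter."""
    return "#EXT#" in upn.upper()


def member_events(records, operation):
    """Yield one (key, upn, time, actor, team_name) tuple per member per matching record.

    Unlike parse_json(Members)[0] in the KQL, every entry in Members is considered.
    """
    for rec in records:
        if rec["Operation"].lower() != operation.lower():  # mirrors the KQL =~ operator
            continue
        for member in json.loads(rec["Members"]):
            upn = member["UPN"]
            key = (upn.lower(), rec["Details"]["TeamGuid"])  # join key: UPN + TeamGuid
            yield key, upn, _parse_time(rec["TimeGenerated"]), rec["UserId"], rec["TeamName"]


def find_fast_add_remove(records, time_delta=timedelta(hours=1), guests_only=False):
    """Return add/remove pairs where the removal follows the add within time_delta."""
    removals = {}
    for key, _, t_rm, remover, _ in member_events(records, "MemberRemoved"):
        removals.setdefault(key, []).append((t_rm, remover))

    hits = []
    for key, upn, t_add, adder, team_name in member_events(records, "MemberAdded"):
        if guests_only and not is_guest(upn):
            continue
        # Removal must be strictly after the add; the original KQL only bounds the upper end.
        window = [(t, who) for t, who in removals.get(key, []) if t_add < t <= t_add + time_delta]
        if not window:
            continue
        t_rm, remover = min(window)  # earliest qualifying removal
        hits.append({
            "TimeAdded": t_add, "TimeDeleted": t_rm, "UPN": upn,
            "UserWhoAdded": adder, "UserWhoDeleted": remover,
            "TeamName": team_name, "TeamGuid": key[1],
        })
    return hits


if __name__ == "__main__":
    for hit in find_fast_add_remove(SAMPLE_EVENTS, guests_only=True):
        print(hit["UPN"], "in", hit["TeamName"], "added", hit["TimeAdded"], "removed", hit["TimeDeleted"])
```

Run as a script it prints the two guest hits (cases 1 and 4); calling find_fast_add_remove without guests_only also surfaces the internal user from case 2, which is what the unmodified KQL would do. Case 3 demonstrates why the lower bound on TimeDeleted matters and case 4 why looking only at Members[0] can hide a removal.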

Details


Rod Trent

Released: September 1, 2020

Tables

OfficeActivity

Keywords

Devices, Intune, User, Teams

Operators

let, where, ago, =~, extend, tostring, parse_json, project, join, on, <, +
