Query Details
// Single users who delete multiple teams
// Adjust this value to change how many Teams should be deleted before including
let max_delete = 3;
// Adjust this value to change the timewindow the query runs over
let time_window = 1d;
// Stage 1: users whose TeamDeleted count in the window is strictly greater than max_delete
let deleting_users = (
OfficeActivity
| where TimeGenerated > ago(time_window)
| where Operation =~ "TeamDeleted"
| summarize count() by UserId
| where count_ > max_delete
| project UserId);
// Stage 2: return the individual TeamDeleted events for those users
OfficeActivity
| where TimeGenerated > ago(time_window)
| where Operation =~ "TeamDeleted"
| where UserId in (deleting_users)
| extend TeamGuid = tostring(Details.TeamGuid)
| project-away AddOnName, Members, Settings
// Uncomment the following line to map query entities if you plan to use this as a detection query
//| extend timestamp = TimeGenerated, AccountCustomEntity = UserId
This query looks for single users who have deleted multiple Teams within the look-back window. Two values at the top are tunable: max_delete, the number of deletions a user may perform before being included (the comparison is count_ > max_delete, so with the default of 3 a user appears only once a fourth TeamDeleted event is recorded in the window), and time_window, the look-back period (default 1d). The query first summarizes OfficeActivity TeamDeleted events by UserId to find users above the threshold, then returns the individual TeamDeleted records for those users, extending each with the TeamGuid extracted from the dynamic Details column and dropping the AddOnName, Members and Settings columns, which are not needed for triage. Because Operation is matched with =~, the comparison is case-insensitive. The commented-out final line adds the timestamp and AccountCustomEntity fields used for entity mapping when the query is run as a scheduled detection rule rather than as a hunting query.
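To check the threshold and time-window semantics described above without access to a tenant, the following Python re-implements the query's two stages over constructed OfficeActivity-like records. This is an added example and not part of the original query or of Microsoft Sentinel; the sample rows, the user names and the fixed reference time are all made up for illustration. It shows that a user with exactly max_delete deletions is excluded, that events outside the window do not count, and that the Operation match is case-insensitive as with KQL's =~ operator.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (stands in for ago() in KQL).
NOW = datetime(2020, 9, 1, 12, 0, tzinfo=timezone.utc)


def rec(hours_ago, operation, user, team_guid):
    """Build one constructed row shaped like an OfficeActivity record."""
    return {
        "TimeGenerated": NOW - timedelta(hours=hours_ago),
        "Operation": operation,
        "UserId": user,
        "Details": {"TeamGuid": team_guid},   # dynamic column in the real table
        "AddOnName": "",                      # columns the query project-aways
        "Members": [],
        "Settings": {},
    }


# Constructed sample data (not real tenant activity).
SAMPLE_ROWS = [
    # alice deletes four teams inside the 1d window: exceeds max_delete = 3
    rec(1, "TeamDeleted", "alice@contoso.example", "guid-a1"),
    rec(2, "TeamDeleted", "alice@contoso.example", "guid-a2"),
    rec(3, "teamdeleted", "alice@contoso.example", "guid-a3"),  # different case, still matches
    rec(4, "TeamDeleted", "alice@contoso.example", "guid-a4"),
    # bob deletes exactly three: not strictly greater than 3, so excluded
    rec(1, "TeamDeleted", "bob@contoso.example", "guid-b1"),
    rec(2, "TeamDeleted", "bob@contoso.example", "guid-b2"),
    rec(3, "TeamDeleted", "bob@contoso.example", "guid-b3"),
    # carol has five deletions, but three are older than the window
    rec(1, "TeamDeleted", "carol@contoso.example", "guid-c1"),
    rec(2, "TeamDeleted", "carol@contoso.example", "guid-c2"),
    rec(30, "TeamDeleted", "carol@contoso.example", "guid-c3"),
    rec(31, "TeamDeleted", "carol@contoso.example", "guid-c4"),
    rec(32, "TeamDeleted", "carol@contoso.example", "guid-c5"),
    # other operations never count toward the threshold
    rec(1, "TeamCreated", "alice@contoso.example", "guid-x1"),
]


def multi_team_deleters(rows, max_delete=3, time_window=timedelta(days=1), now=NOW):
    """Mirror of the KQL query: find users with count_ > max_delete TeamDeleted
    events inside the window, then return their matching events with TeamGuid
    extracted and the AddOnName/Members/Settings columns removed."""
    cutoff = now - time_window
    in_scope = [
        r for r in rows
        if r["TimeGenerated"] > cutoff                 # TimeGenerated > ago(time_window)
        and r["Operation"].lower() == "teamdeleted"    # Operation =~ "TeamDeleted"
    ]
    counts = Counter(r["UserId"] for r in in_scope)     # summarize count() by UserId
    deleting_users = {u for u, c in counts.items() if c > max_delete}

    results = []
    for r in in_scope:
        if r["UserId"] not in deleting_users:           # UserId in (deleting_users)
            continue
        out = {k: v for k, v in r.items() if k not in ("AddOnName", "Members", "Settings")}
        # tostring(Details.TeamGuid): missing value becomes an empty string, as in KQL
        out["TeamGuid"] = str(r["Details"].get("TeamGuid", ""))
        results.append(out)
    return results


def flagged_users(rows, **kwargs):
    """Convenience wrapper returning just the distinct UserId values flagged."""
    return sorted({r["UserId"] for r in multi_team_deleters(rows, **kwargs)})


if __name__ == "__main__":
    for row in multi_team_deleters(SAMPLE_ROWS):
        print(row["TimeGenerated"].isoformat(), row["UserId"], row["TeamGuid"])
```

Lowering max_delete to 2 pulls bob in as well, while carol stays out until max_delete is 1, because only two of her deletions fall inside the window. That is the tuning trade-off a practitioner makes before promoting this from a hunting query to a scheduled rule.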

Rod Trent
Released: September 1, 2020