Query Details

Teams Suspicious Elevation of Privileges

Query

// Suspicious behaviour related to elevation of Teams privileges

// Adjust this value to change how many distinct teams a user must be made owner of before the query flags them
let max_owner_count = 3;
// Adjust this value to change the size of the timeframe the query is run over
let time_window = 1d;
// Users who were made owner of more than max_owner_count distinct teams within the timeframe
let high_owner_count = (OfficeActivity
| where TimeGenerated > ago(time_window)
| where Operation =~ "MemberRoleChanged"
| extend Member = tostring(parse_json(Members)[0].UPN)
| extend NewRole = toint(parse_json(Members)[0].Role)
// Role 2 is the owner role
| where NewRole == 2
| summarize dcount(TeamName) by Member
| where dcount_TeamName > max_owner_count
| project Member);
// Return every owner-role change for those users, together with the team's GUID
OfficeActivity
| where TimeGenerated > ago(time_window)
| where Operation =~ "MemberRoleChanged"
| extend Member = tostring(parse_json(Members)[0].UPN)
| extend NewRole = toint(parse_json(Members)[0].Role)
| where NewRole == 2
| where Member in (high_owner_count)
| extend TeamGuid = tostring(Details.TeamGuid)
// Uncomment the following line to map query entities if you plan to use this as a detection query
//| extend timestamp = TimeGenerated, AccountCustomEntity = Member

Explanation

This query looks for suspicious behaviour related to the elevation of Teams privileges. It first identifies users who have been made owner of more than a configurable number of distinct teams within a configurable timeframe (max_owner_count and time_window). It then returns every member role change in that timeframe where the new role is 2 (owner) and the member is in that list of high-owner-count users, adding the TeamGuid to each row. The final commented-out line maps the entity columns so the query can be used as a detection query.
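To make the two-stage logic concrete, here is an added Python re-implementation of the same detection over a handful of constructed OfficeActivity-style records. It is example code written for this page, not part of the original query or of any Microsoft product; the record layout (TimeGenerated, Operation, TeamName, Members as a JSON string, Details.TeamGuid) and the UPNs and GUIDs are assumptions chosen to mirror the columns the KQL query reads. The role value 2 is treated as owner, as the explanation above states, and the Operation match is case-insensitive like the KQL =~ operator.

```python
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample is reproducible.
NOW = datetime(2020, 9, 1, 12, 0, tzinfo=timezone.utc)

OWNER_ROLE = 2  # Role value the page maps to "owner"


def _event(hours_ago, team, upn, role, guid):
    """Build one constructed OfficeActivity-style MemberRoleChanged record."""
    return {
        "TimeGenerated": NOW - timedelta(hours=hours_ago),
        "Operation": "MemberRoleChanged",
        "TeamName": team,
        # Members mirrors the JSON array the KQL parses via parse_json(Members)[0]
        "Members": json.dumps([{"UPN": upn, "Role": role}]),
        "Details": {"TeamGuid": guid},
    }


# Constructed sample telemetry (assumed identities and GUIDs, not real data):
#  - alice: owner of 4 distinct teams in the last day (Finance appears twice)
#  - bob:   owner of 2 teams in the last day
#  - carol: owner of 3 teams in the last day plus 1 team two days ago
#  - dave:  role 1 (member) changes only, so never an owner elevation
SAMPLE_EVENTS = [
    _event(1, "Finance", "alice@example.com", OWNER_ROLE, "guid-finance"),
    _event(2, "Finance", "alice@example.com", OWNER_ROLE, "guid-finance"),
    _event(3, "HR", "alice@example.com", OWNER_ROLE, "guid-hr"),
    _event(4, "Legal", "alice@example.com", OWNER_ROLE, "guid-legal"),
    _event(5, "Ops", "alice@example.com", OWNER_ROLE, "guid-ops"),
    _event(2, "Finance", "bob@example.com", OWNER_ROLE, "guid-finance"),
    _event(6, "HR", "bob@example.com", OWNER_ROLE, "guid-hr"),
    _event(1, "Sales", "carol@example.com", OWNER_ROLE, "guid-sales"),
    _event(7, "Marketing", "carol@example.com", OWNER_ROLE, "guid-marketing"),
    _event(9, "Engineering", "carol@example.com", OWNER_ROLE, "guid-engineering"),
    _event(48, "Support", "carol@example.com", OWNER_ROLE, "guid-support"),
    _event(1, "Finance", "dave@example.com", 1, "guid-finance"),
    _event(2, "HR", "dave@example.com", 1, "guid-hr"),
    _event(3, "Legal", "dave@example.com", 1, "guid-legal"),
    _event(4, "Ops", "dave@example.com", 1, "guid-ops"),
]


def _owner_changes(events, time_window_hours, now):
    """Filter to owner-role changes inside the window (the shared KQL prefix)."""
    window_start = now - timedelta(hours=time_window_hours)
    rows = []
    for e in events:
        if e["TimeGenerated"] <= window_start:          # TimeGenerated > ago(time_window)
            continue
        if e["Operation"].lower() != "memberrolechanged":  # Operation =~ "MemberRoleChanged"
            continue
        members = json.loads(e["Members"])
        if not members:
            continue
        try:
            role = int(members[0].get("Role"))          # toint(...[0].Role)
        except (TypeError, ValueError):
            continue                                    # toint() yields null, which fails == 2
        if role != OWNER_ROLE:
            continue
        rows.append({
            "TimeGenerated": e["TimeGenerated"],
            "Member": str(members[0].get("UPN", "")),   # tostring(...[0].UPN)
            "TeamName": e["TeamName"],
            "TeamGuid": str(e.get("Details", {}).get("TeamGuid", "")),
        })
    return rows


def owner_team_counts(events, time_window_hours=24, now=NOW):
    """summarize dcount(TeamName) by Member: distinct teams each user became owner of."""
    teams = {}
    for r in _owner_changes(events, time_window_hours, now):
        teams.setdefault(r["Member"], set()).add(r["TeamName"])
    return {member: len(t) for member, t in teams.items()}


def find_suspicious_owner_elevations(events, max_owner_count=3, time_window_hours=24, now=NOW):
    """Return every owner-role change for users above the threshold (the KQL's final output)."""
    counts = owner_team_counts(events, time_window_hours, now)
    high_owner = {m for m, n in counts.items() if n > max_owner_count}
    return [r for r in _owner_changes(events, time_window_hours, now) if r["Member"] in high_owner]


if __name__ == "__main__":
    for row in find_suspicious_owner_elevations(SAMPLE_EVENTS):
        print(row["TimeGenerated"].isoformat(), row["Member"], row["TeamName"], row["TeamGuid"])
```

With the page's defaults (threshold 3, one-day window) only alice is returned, and all five of her rows come back even though she only has four distinct teams, because the threshold is evaluated on dcount while the output is the unaggregated events. Lowering max_owner_count to 2 or widening the window to three days additionally surfaces carol, which is the knob-tuning the two let statements are for.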

Details

Rod Trent

Released: September 1, 2020

Tables

OfficeActivity

Keywords

Devices,Intune,User

Operators

let,max_owner_count,time_window,ago,OfficeActivity,where,TimeGenerated,Operation,=~,MemberRoleChanged,extend,Member,tostring,parse_json,Members,[0].UPN,NewRole,toint,[0].Role,summarize,dcount,TeamName,by,project,in,Details.TeamGuid,uncomment,extend,timestamp,AccountCustomEntity