The Microsoft Teams usage has been growing exponentially in this year. Earlier this year Microsoft announced “We saw more than 200 million meeting participants in a single day this month, generating more than 4.1 billion meeting minutes. Teams now have more than 75 million daily active users”. These numbers are extraordinary!

In general, the Microsoft Cloud App Security (MCAS) gives brilliant visibility in cloud apps and users. In the Office 365 audit context, MCAS receives the same audit trail data from O365 workloads than you can see in the O365 Unified Audit Log (UAL) from the supported apps. Taking that into account I’m only scratching a surface in this blog in Microsoft Teams monitoring because the focus is in the newest MCAS policy template additions, not all possible audited activities.

In the release 170 & 171, three (3) new activity policy templates published for Microsoft Teams:

  • Access level change
  • External user added
  • Mass deletion
This image has an empty alt attribute; its file name is 1.png

Background Information

Cloud App Security integrates directly with Office 365’s audit logs and receives all audited events from all supported services, such as Teams, PowerApps, Forms, Sway, and Stream. This means that it receives Teams activity through O365 API that contains all the audit data. Supported apps are:

  • Dynamics 365 CRM
  • Exchange
    • only appears after activities from Exchange are detected in the portal, and requires you to turn on auditing
  • Office 365
  • OneDrive
  • Power Automate
  • Power BI
    • only appears after activities from Power BI are detected in the portal, and requires you to turn on auditing
  • SharePoint
  • Skype for Business
  • Teams
    • only appears after activities from Teams are detected in the portal)
  • Yammer

When we are talking about API’s there is some latency for receiving the audit data. Based on my experience it can be from minutes to hours, slightly depending on the workload.

The Microsoft Teams audit data is found pretty fast from MCAS Activity Log (5-15min). According to Microsoft: “It can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log record to be returned in the results of an audit log search”.

This image has an empty alt attribute; its file name is image-1.png
Teams audit trail latency

Pre-Requisites

Activate Teams Policies

Teams policy templates are found from MCAS underneath the “Control – Templates” section. Worth to mention is that these policies are underneath the “Activity Policy” category. What it means exactly according to Microsoft:

An Activity policy is an API-based policy that enables you to monitor your organization’s activities in the cloud. The policy takes into account over 20 file metadata filters including device type and location. Based on the policy results, notifications can be generated and users can be suspended from the cloud app. More information found here.

Did you know that MCAS has 20 built-in policy templates and more than 60 policies enabled out of the box?

Activity Policy & Teams category templates

Access Level Change

I noticed that the default “Acces Level Change” template doesn’t work in my tenant. When tried to activate received internal server error

Workaround – create custom policy with same name and configuration to achieve same end result.

This image has an empty alt attribute; its file name is 4.png

External User Added

This policy triggers an alert when external user is added to the Teams. Some of the tenants might have this feature disabled, see this link for more details.

This image has an empty alt attribute; its file name is 16-1.png

Mass Deletion Of Teams

This policy triggers an alert when an activity is “TeamDeleted” and thresholds defined in the policy are reached. For testing purposes, I defined minimum repeated activity from 10 to 2.

This image has an empty alt attribute; its file name is 17-1.png

Testing Policies

Access Level Change

Detection

My demo user Peter as owner permission changed Team’s access level through a browser from private to public. In the Activity policy category it doesn’t matter are you using the browser or native client because this information is received from O365 API, not through the proxy session.

As you can see, there are multiple alerts from access level change and in raw data, we can see that the Teams access level was turned in “public” mode.

External User Added

If your tenant allows members, admins, or guests to invite external users to the tenant and Teams admins allows inviting guest users to the Teams then this policy might be interesting, see this to check pre-requisites.

According to Microsoft: “Attackers with some level of existing access might try to add an external account to Teams to access or exfiltrate data before removing that user to hide the access”.

Detection

In this scenario, two external users were added to the Teams.

Alert notification and audit data from MCAS and Unified Audit Log

Mass Deletion

The “Mass Deletion” template has default values of 50 repeated activities within 1min timeframe. Adjust these values based on your needs. I reduced the repeated activity from 50 to 10 to detect activity easier in the demo tenant.

Detection Summary

The Cloud App Security activity policies are very useful for detecting suspicious activities in the cloud. The only downside is latency when receiving the audit data from the API.

Based on tests I made in my demo environment Teams data came quite quickly from the O365 API but for example end of 2019 when did Power BI study (with my colleague @PitkarantaM) latency was an issue, it was hours.

I wrote above that Cloud App Security integrates directly with Office 365’s audit logs and receives all audited events from all supported services. This is interesting stuff in my opinion and leads me to the audit source, the Unified Audit Log. I’m currently creating a spreadsheet of O365 audited events. If you would like to have it when it’s ready, please drop me an email.

Until next time!