If you wanted to have Microsoft Teams events audit data to Azure Sentinel before it was possible by utilizing Azure features (Logic App). But for now, there is a native Microsoft Teams data included in the O365 data connector available (published 08/31/2020) in Azure Sentinel, at the time of writing in public preview mode.

According to Microsoft “This feature is provided without a service level agreement, and it’s not recommended for production workloads. Certain features might not be supported or might have constrained capabilities”.

Worth to mention is, because the Teams activities are part of the O365 data connector it’s a free ingestion source.

Picture from Azure Sentinel “Workspace Usage Report” workbook

Pre-Requirements

Pre-requisites can be found here. Navigate to Azure Sentinel Office 365 “Data connectors”

Select Microsoft Teams to be included on the data set together with Exchange Online & Sharepoin Online.

Verify data flow

Data should be in the underlying Log Analytics workspace in 20 minutes after enabling the data flow. It can be verified from the connector itself or from the Log Analytics workspace with KQL.

Teams activities from the Log Analytics workspace and from Unified Audit Log, some differences are found after 30min (SLA for Teams audit data in O365 Management Activity API).

Teams activity data is also found from the Unified Audit Log in the O365 side. As you can see, some differences are found even though all activities should be found from both solutions (UAL & Mgmt API). Disclaimer: I didn’t do a comparison between the events.

Activities And Log Schema

A couple of weeks ago I wrote a blog post about “O365 Activities Visibility in MCAS”. Both Microsoft Cloud App Security & Azure Sentinel connect to O365 Management Activity API to get the activity data. The Teams activity data resides in Audit.general category. It means that the following activities are found from the audit data in O365 Management Activity API:

  • Friendly name
  • Added bot to team
  • Added channel
  • Added connector
  • Added members
  • Added tab
  • Changed channel setting
  • Changed organization setting
  • Changed role of members in team
  • Added bot to team
  • Added channel
  • Added connector
  • Added members
  • Added tab
  • Changed channel setting
  • Changed organization setting
  • Changed role of members in team
  • Changed team setting
  • Created team
  • Deleted all organization apps
  • Deleted app
  • Deleted channel
  • Deleted team
  • Installed app
  • Performed action on card
  • Published app
  • Removed bot from team
  • Removed connector
  • Removed members
  • Removed tab
  • Uninstalled app
  • Updated app
  • Updated connector
  • Updated tab
  • Upgraded app
  • User signed in to Teams

O365 Management Activity API Teams Schema

Teams schema contains the following parameters.

References

Azure Sentinel O365 Data Connector

Teams Hunting Queries

Antonio Formato blog contains KQL queries for typical Teams use cases