Microsoft Teams

Communication and Collaboration

App: Microsoft Teams - Collaboration platform with chat, video meetings, and file sharing.

To document the Detection Rules for Microsoft Teams effectively, you can use a structured table format or a clear bulleted list. Below is a suggested format that captures all the necessary details, providing clarity on detection scenarios, criteria, and steps. Here’s an example:

Detection Rules for Microsoft Teams

Detection Rule MITRE Tactic MITRE Technique Criticality
Suspicious File Sharing Activity Exfiltration, Command and Control T1071: Application Layer Protocol High
Description Detect if files with unusual extensions (e.g., .exe, .bat) are shared in Teams channels or chats.
Filters Applied Filter file types, users with unusual behavior (e.g., frequent uploads), file scan through integrations (e.g., VirusTotal).
Investigation Steps (APIs) Use Microsoft Graph API to pull file metadata (file type, size, sharer).
Integrate VirusTotal API to scan shared files for malware.
Incident Creation Criteria Create an incident if the file is flagged by VirusTotal or if a known malicious file type is shared.
Unauthorized Guest Access Persistence, Initial Access T1078: Valid Accounts Critical
Description Monitor if external/guest users are added to a Team without proper approval or have unusual access patterns.
Filters Applied Monitor guest account logins, team membership changes, and meeting join activities.
Investigation Steps (APIs) Use Microsoft Graph API to review guest access logs.
Check admin activity logs for unusual guest invitations.
Incident Creation Criteria Create an incident if guest access is unauthorized or linked to a privileged account compromise.
Anomalous Meeting Scheduling Patterns Persistence, Privilege Escalation T1098: Account Manipulation Medium
Description Detect unusual meeting scheduling times (outside business hours) or abnormal frequency of meetings.
Filters Applied Detect high meeting frequency with the same attendees or outside business hours.
Investigation Steps (APIs) Query Microsoft Graph API to check meeting details (organizer, participants, meeting time).
Incident Creation Criteria Create an incident if meetings are being scheduled unusually or involve unauthorized attendees.
Suspicious Channel Creation or Deletion Persistence T1098: Account Manipulation Medium
Description Monitor the creation or deletion of channels in Teams, especially during off-hours or by unauthorized users.
Filters Applied Monitor for changes in Teams channels by users who don't usually perform admin activities.
Investigation Steps (APIs) Use Microsoft Graph API to fetch logs for channel creation/deletion activity.
Cross-check if the user has admin privileges.
Incident Creation Criteria Create an incident if unauthorized users are modifying channels, especially outside working hours.
Mass Message Deletion in Chats Defense Evasion, Impact T1070: Indicator Removal on Host High
Description Monitor if a user deletes a large number of messages in a short time within Teams chats.
Filters Applied Filter users deleting more than X number of messages within Y minutes, especially in channels with sensitive information.
Investigation Steps (APIs) Investigate Microsoft Teams logs for message deletion.
Use APIs to restore deleted messages for review if possible.
Incident Creation Criteria Create an incident if the message deletion is found to be malicious or intended to hide important data.
Sensitive Information Sharing in Chats Exfiltration T1567: Exfiltration over Web Services Critical
Description Detect if sensitive information (e.g., credit card numbers, PII) is shared in chat messages.
Filters Applied Use regex patterns to scan chat messages for sensitive information and flag potential exfiltration.
Investigation Steps (APIs) Use regex or DLP tools to scan for sensitive data in chat.
Investigate the context of messages and participants involved.
Incident Creation Criteria Create an incident if sensitive data is shared outside the organization or with unauthorized individuals.
Unusual Login Locations for Teams Initial Access, Credential Access T1078: Valid Accounts, T1105: Remote Services Critical
Description Detect logins to Teams from unusual geographic locations or IPs, especially for privileged users or admin accounts.
Filters Applied GeoIP filtering, unusual login time detection, IP reputation checks.
Investigation Steps (APIs) Use GeoIP API to verify unusual login locations.
Check if the IP is flagged by IP reputation services (e.g., AbuseIPDB).
Incident Creation Criteria Create an incident if the login is from a known malicious IP or a high-risk geographic location.

APIs and Their Scopes

Report Name API Required Scope Required Usage
File Sharing Risk Report Microsoft Graph API Files.Read.All, TeamsActivity.Read Retrieves file sharing data and tracks risky file types shared in Teams channels.

VirusTotal API

Microsoft DLP API

Public/Private API Key

InformationProtectionPolicy.Read

Scans shared files for malware and other malicious content.

Detects data sharing violations based on organizational DLP policies.
Teams Activity Outside Business Hours Report Microsoft Graph API TeamsActivity.Read, Calendars.Read.All Reviews activity logs, including meeting schedules and channel modifications, outside regular work hours.

Log Analytics API (Azure)

LogAnalytics.Read

Queries logs for unusual activity occurring during non-business hours.
Sensitive Information Sharing Report Microsoft Graph API TeamsActivity.Read, Chat.Read.All Scans chat messages for sensitive data such as PII, credit card numbers, and other regulated information.

Microsoft DLP API

InformationProtectionPolicy.Read

Detects and prevents the sharing of sensitive data as per organizational compliance policies.
Login Activity by Geo-location Report GeoIP Lookup API Public API Key Tracks geographic locations of login attempts and flags unusual locations.

Microsoft Identity Protection API

AbuseIPDB API (IP Reputation)

User.Read.All, SecurityEvents.Read.All

API Key

Detects anomalous logins and provides insights into potential account compromise from unusual locations.

Checks login IP addresses against known malicious or suspicious IP databases.
Anomalous Meeting and Messaging Activity Report Microsoft Graph API TeamsActivity.Read, Calendars.Read.All, ChannelMessage.Read.All Investigates high-frequency meeting schedules and messaging behaviors, including abnormal deletions.

Microsoft Teams Reports API

Reports.Read.All

Provides historical data and anomaly detection for meeting and messaging trends.

Reports and Widgets for CISO

Report Name Widgets Description
File Sharing Risk Report Top shared files by risk level Summarizes risky file-sharing activities and detects malicious or suspicious files shared in Teams.

File sharing trends over time

High-risk file types detected
Guest Access Monitoring Guest account login map Highlights unusual guest access patterns, focusing on unauthorized or suspicious guest user behavior.

Top guest users by access frequency

Suspicious guest access trends
Teams Activity Outside Business Hours Meeting scheduling activity outside business hours Tracks abnormal activities like meeting scheduling, channel management, and logins occurring outside normal hours.

Channel creation trends

Off-hours login map
Sensitive Information Sharing Report Sensitive data shared in chats Detects sensitive information shared in chat, highlighting users and teams most involved in potential data leaks.

Top users sharing sensitive data

Sensitive data sharing trends
Login Activity by Geo-location Login heat map Visualizes login activities across geographic locations, highlighting unusual or high-risk login attempts.

Suspicious login attempts by location

Admin logins by location
Anomalous Meeting and Messaging Activity Frequent meetings outside business hours Tracks abnormal meeting scheduling or messaging behavior to detect misuse or unauthorized collaboration activities.

High-volume messaging users

Top message deletion events