Microsoft Teams
Communication and Collaboration
App: Microsoft Teams - Collaboration platform with chat, video meetings, and file sharing.
The detection rules for Microsoft Teams are documented in the structured table below, one row per rule, recording the MITRE ATT&CK tactic and technique each rule maps to and its criticality.
Detection Rules for Microsoft Teams
| Detection Rule | MITRE Tactic | MITRE Technique | Criticality |
|---|---|---|---|
| Suspicious File Sharing Activity | Exfiltration, Command and Control | T1071: Application Layer Protocol | High |
| Unauthorized Guest Access | Persistence, Initial Access | T1078: Valid Accounts | Critical |
| Anomalous Meeting Scheduling Patterns | Persistence, Privilege Escalation | T1098: Account Manipulation | Medium |
| Suspicious Channel Creation or Deletion | Persistence | T1098: Account Manipulation | Medium |
| Mass Message Deletion in Chats | Defense Evasion, Impact | T1070: Indicator Removal on Host | High |
| Sensitive Information Sharing in Chats | Exfiltration | T1567: Exfiltration over Web Services | Critical |
| Unusual Login Locations for Teams | Initial Access, Credential Access | T1078: Valid Accounts, T1105: Remote Services | Critical |
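As an added example (not part of the original page), the following Python implements two of the rules above, "Mass Message Deletion in Chats" and "Suspicious Channel Creation or Deletion", over a constructed batch of activity records. The record fields (`time`, `user`, `op`) and the operation names are assumptions for the example, loosely shaped like Teams audit-log entries, not a documented schema; thresholds and business hours are illustrative defaults.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Criticality values are those given in the detection-rule table above.
RULES = {"Mass Message Deletion in Chats": "High",
         "Suspicious Channel Creation or Deletion": "Medium"}

# Constructed sample records, loosely shaped like Teams audit-log entries;
# the field names are an assumption for this example, not a documented schema.
EVENTS = [
    {"time": "2024-03-04T02:15:00", "user": "alice@example.com", "op": "ChannelDeleted"},
    {"time": "2024-03-04T11:00:00", "user": "carol@example.com", "op": "ChannelAdded"},
] + [  # ten deletions by one user in under three minutes
    {"time": (datetime(2024, 3, 4, 10, 0) + timedelta(seconds=15 * i)).isoformat(),
     "user": "bob@example.com", "op": "MessageDeleted"} for i in range(10)
]
def alert(rule, user, detail):
    return {"rule": rule, "criticality": RULES[rule], "user": user, "detail": detail}

def mass_deletions(events, threshold=10, window=timedelta(minutes=5)):
    # Flag a user with >= threshold MessageDeleted events inside a sliding window.
    per_user = defaultdict(list)
    for e in events:
        if e["op"] == "MessageDeleted":
            per_user[e["user"]].append(datetime.fromisoformat(e["time"]))
    alerts = []
    for user, times in sorted(per_user.items()):
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(alert("Mass Message Deletion in Chats", user,
                                    f"{end - start + 1} deletions within {window}"))
                break  # one alert per user per evaluation
    return alerts
def off_hours_channel_changes(events, start_hour=8, end_hour=18):
    # Flag channel creation or deletion outside business hours or on weekends.
    alerts = []
    for e in events:
        if e["op"] in ("ChannelAdded", "ChannelDeleted"):
            ts = datetime.fromisoformat(e["time"])
            if ts.weekday() >= 5 or not start_hour <= ts.hour < end_hour:
                alerts.append(alert("Suspicious Channel Creation or Deletion",
                                    e["user"], f"{e['op']} at {e['time']}"))
    return alerts

def run_rules(events):
    return mass_deletions(events) + off_hours_channel_changes(events)
```

Running `run_rules(EVENTS)` yields one High alert for the ten deletions by bob and one Medium alert for alice's 02:15 channel deletion; carol's channel creation at 11:00 on a weekday is not flagged.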
APIs and Their Scopes
| Report Name | API Required | Scope Required | Usage |
|---|---|---|---|
| File Sharing Risk Report | Microsoft Graph API | Files.Read.All, TeamsActivity.Read | Retrieves file sharing data and tracks risky file types shared in Teams channels. |
| File Sharing Risk Report | VirusTotal API | Public/Private API Key | Scans shared files for malware and other malicious content. |
| File Sharing Risk Report | Microsoft DLP API | InformationProtectionPolicy.Read | Detects data sharing violations based on organizational DLP policies. |
| Teams Activity Outside Business Hours Report | Microsoft Graph API | TeamsActivity.Read, Calendars.Read.All | Reviews activity logs, including meeting schedules and channel modifications, outside regular work hours. |
| Teams Activity Outside Business Hours Report | Log Analytics API (Azure) | LogAnalytics.Read | Queries logs for unusual activity occurring during non-business hours. |
| Sensitive Information Sharing Report | Microsoft Graph API | TeamsActivity.Read, Chat.Read.All | Scans chat messages for sensitive data such as PII, credit card numbers, and other regulated information. |
| Sensitive Information Sharing Report | Microsoft DLP API | InformationProtectionPolicy.Read | Detects and prevents the sharing of sensitive data as per organizational compliance policies. |
| Login Activity by Geo-location Report | GeoIP Lookup API | Public API Key | Tracks geographic locations of login attempts and flags unusual locations. |
| Login Activity by Geo-location Report | Microsoft Identity Protection API | User.Read.All, SecurityEvents.Read.All | Detects anomalous logins and provides insights into potential account compromise from unusual locations. |
| Login Activity by Geo-location Report | AbuseIPDB API (IP Reputation) | API Key | Checks login IP addresses against known malicious or suspicious IP databases. |
| Anomalous Meeting and Messaging Activity Report | Microsoft Graph API | TeamsActivity.Read, Calendars.Read.All, ChannelMessage.Read.All | Investigates high-frequency meeting schedules and messaging behaviors, including abnormal deletions. |
| Anomalous Meeting and Messaging Activity Report | Microsoft Teams Reports API | Reports.Read.All | Provides historical data and anomaly detection for meeting and messaging trends. |
Reports and Widgets for CISO
| Report Name | Widgets | Description |
|---|---|---|
| File Sharing Risk Report | Top shared files by risk level; File sharing trends over time; High-risk file types detected | Summarizes risky file-sharing activities and detects malicious or suspicious files shared in Teams. |
| Guest Access Monitoring | Guest account login map; Top guest users by access frequency; Suspicious guest access trends | Highlights unusual guest access patterns, focusing on unauthorized or suspicious guest user behavior. |
| Teams Activity Outside Business Hours | Meeting scheduling activity outside business hours; Channel creation trends; Off-hours login map | Tracks abnormal activities like meeting scheduling, channel management, and logins occurring outside normal hours. |
| Sensitive Information Sharing Report | Sensitive data shared in chats; Top users sharing sensitive data; Sensitive data sharing trends | Detects sensitive information shared in chat, highlighting users and teams most involved in potential data leaks. |
| Login Activity by Geo-location | Login heat map; Suspicious login attempts by location; Admin logins by location | Visualizes login activities across geographic locations, highlighting unusual or high-risk login attempts. |
| Anomalous Meeting and Messaging Activity | Frequent meetings outside business hours; High-volume messaging users; Top message deletion events | Tracks abnormal meeting scheduling or messaging behavior to detect misuse or unauthorized collaboration activities. |