Microsoft Sentinel SOC 101: How to Detect and Mitigate Multiple Microsoft Teams Deleted by a Single User with Microsoft Sentinel
There's no Z in Teamz
Get this entire series in a free, downloadable eBook https://aka.ms/SentinelSOC101
How to Detect Multiple Teams Deletion with Microsoft Sentinel
Microsoft Teams is a popular collaboration platform that allows users to communicate, share files, and work on projects together. However, Teams also poses some security risks, such as data loss, unauthorized access, or malicious deletion. One of the scenarios that security teams should be aware of is the possibility of an attacker or a compromised user deleting multiple teams in a short period of time, which can cause disruptions and jeopardize projects and data.
In this post, I’ll show you how to use Microsoft Sentinel, a cloud-native security information and event management (SIEM) solution, to detect and respond to multiple Teams deletion events in your organization. I’ll cover the following topics:
How to collect Teams activity logs in Microsoft Sentinel
How to write a custom analytics rule to detect multiple teams deletion
How to create an incident and investigate the alert
How to remediate the threat and prevent future attacks
Collecting Teams Activity Logs in Microsoft Sentinel
The first step in detecting multiple Teams deletion is to collect the relevant data from Teams into Microsoft Sentinel. Teams activity data is exposed in the Office 365 Audit log under the Audit.General subscription. By default, audit logs are not collected for Office 365 tenants, so you need to enable this feature first. You can follow the instructions here to enable the Office 365 audit log.
Once audit logging is enabled, you can use the built-in Office 365 data connector in Microsoft Sentinel to ingest Teams data along with other Office 365 data. To enable the Office 365 data connector, follow these steps:
In Microsoft Sentinel, go to Data connectors and select Office 365.
In the Office 365 connector page, click Open connector page.
In the Configuration tab, select the subscriptions that you want to collect data from. For Teams data, make sure Audit.General is selected.
Click Apply changes.
You can also use PowerShell cmdlets or Graph APIs to create and manage the Office 365 data connector programmatically. For more information, see this article.
Writing a Custom Analytics Rule to Detect Multiple Teams Deletion
The next step is to write a custom analytics rule in Microsoft Sentinel that will run a query periodically on the collected Teams data and generate an alert if it detects multiple teams deletion by a single user. To create a custom analytics rule, follow these steps:
In Microsoft Sentinel, go to Analytics and select Create > Scheduled query rule.
In the Rule details tab, enter a name and a description for your rule. For example, you can name it “Multiple Teams Deletion” and describe it as “Detects when a user deletes more than 5 teams within an hour”.
In the Set rule logic tab, enter one of the following queries in the Query field:
Detecting multiple Teams deletion by a single user:
OfficeActivity
| where TimeGenerated > ago(1h)
| where Operation =~ "TeamDeleted"
| summarize count() by UserId
| where count_ > 5
Detecting multiple Teams deletion from a single IP address:
OfficeActivity
| where TimeGenerated > ago(1h)
| where Operation =~ "TeamDeleted"
| summarize count() by ClientIP
| where count_ > 5
Each query filters the OfficeActivity table for events where a team was deleted in the last hour, groups them by user ID or client IP, and counts how many teams each user or IP address deleted. The final line then drops any user or IP address that deleted 5 or fewer teams, so only those with more than 5 deletions are returned.
In the same tab, set the following parameters for your query:
Entity mapping: Map UserId to Account
Alert volume: Select Medium
Alert frequency: Select Every hour
Trigger alert: Select When greater than 0 results
These parameters will define how often your query will run, how many alerts it will generate, and what conditions will trigger an alert.
In the Incident settings tab, set the following parameters for your incident:
Grouping method: Select Group alerts into incidents by entities
Incident name format: Enter “Multiple Teams Deletion by {Account}”
Severity: Select High
Status: Select New
These parameters will define how your alerts will be grouped into incidents, what name and severity they will have, and what status they will start with.
In the Review tab, review your rule settings and click Create.
You have now created a custom analytics rule that will detect multiple teams deletion events in your organization.
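As an added example (not the post's own query), the two rule queries from the Set rule logic step can be folded into one that checks users and client IPs in the same run and keeps the deleted team names and related entities for triage. It assumes the Office 365 connector fills the OfficeWorkload, ClientIP and TeamName columns of OfficeActivity; the 1h window and threshold of 5 are the post's own.

```kusto
// Added example, not from the original post. Applies the post's rule
// (more than 5 TeamDeleted events in an hour) per user and per client IP
// in one query, and surfaces what was deleted so the analyst need not re-query.
// Assumes OfficeActivity carries OfficeWorkload, UserId, ClientIP and TeamName.
let threshold = 5;
let lookback = 1h;
let deletions =
    OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload =~ "MicrosoftTeams"
    | where Operation =~ "TeamDeleted"
    | project TimeGenerated, UserId, ClientIP, TeamName;
// Per-user view: a compromised or malicious account deleting many teams.
let byUser =
    deletions
    | summarize DeletedTeams = count(),
                TeamNames = make_set(TeamName, 50),
                RelatedEntities = make_set(ClientIP, 10),
                FirstDeletion = min(TimeGenerated),
                LastDeletion = max(TimeGenerated)
      by Actor = UserId
    | extend ActorType = "UserId";
// Per-IP view: several accounts driven from one source address.
let byIp =
    deletions
    | summarize DeletedTeams = count(),
                TeamNames = make_set(TeamName, 50),
                RelatedEntities = make_set(UserId, 10),
                FirstDeletion = min(TimeGenerated),
                LastDeletion = max(TimeGenerated)
      by Actor = ClientIP
    | extend ActorType = "ClientIP";
union byUser, byIp
| where DeletedTeams > threshold
// Separate columns per entity type so entity mapping never mixes a UPN
// into an IP entity or vice versa: user rows fill AccountName/AccountUPNSuffix,
// IP rows fill SourceIP, and the other columns stay empty.
| extend AccountName = iif(ActorType == "UserId", tostring(split(Actor, "@")[0]), ""),
         AccountUPNSuffix = iif(ActorType == "UserId", tostring(split(Actor, "@")[1]), ""),
         SourceIP = iif(ActorType == "ClientIP", Actor, "")
| project LastDeletion, FirstDeletion, ActorType, Actor, DeletedTeams,
          TeamNames, RelatedEntities, AccountName, AccountUPNSuffix, SourceIP
| order by DeletedTeams desc
```

In the rule's entity mapping, map Account with Name to AccountName and UPNSuffix to AccountUPNSuffix, and map IP with Address to SourceIP, so both kinds of rows produce the right entity for grouping into incidents.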
Creating an Incident and Investigating the Alert
Once your custom analytics rule is created and enabled, it will start running your query every hour and generate an alert if it detects multiple teams deletion by a single user. The alert will be grouped into an incident with a high severity and a new status. You can view your incidents in Microsoft Sentinel by going to Incidents.
To create an incident manually from an alert, follow these steps:
In Microsoft Sentinel, go to Alerts and select the alert that you want to create an incident from.
In the Alert details pane, click Create incident.
In the Create incident dialog box, enter a name for your incident, select a severity, and click Create.
To investigate an incident, follow these steps:
In Microsoft Sentinel, go to Incidents and select the incident that you want to investigate.
In the Incident details page, you can see the following information:
Summary: Shows the basic information about the incident, such as name, severity, status, owner, etc.
Alerts: Shows the alerts that are grouped into the incident, along with their details and entities.
Entities: Shows the entities that are involved in the incident, such as accounts, hosts, IP addresses, etc. You can click on each entity to see more information and actions.
Timeline: Shows the chronological sequence of events and activities related to the incident. You can add comments, bookmarks, or custom events to the timeline.
Bookmarks: Shows the bookmarks that are associated with the incident. Bookmarks are a way to save and annotate interesting events or entities during your investigation.
User feedback: Shows the feedback that users have provided on the incident, such as false positive or true positive.
To investigate the incident further, you can use the following features:
Investigation graph: Shows a graphical representation of the entities and connections related to the incident. You can expand each entity to see more details and related entities. You can also run playbooks or take actions on each entity.
Notebooks: Shows a collection of Jupyter notebooks that you can use to perform advanced analysis and automation on your data. You can use existing notebooks or create your own notebooks using Python or PowerShell.
Workbooks: Shows a collection of interactive reports and dashboards that you can use to visualize and monitor your data. You can use existing workbooks or create your own workbooks using KQL or JSON.
Remediating the Threat and Preventing Future Attacks
After investigating an incident, you should take appropriate actions to remediate the threat and prevent future attacks. Some of the actions that you can take are:
Change the password or disable the account of the user who deleted multiple teams
Restore the deleted teams from the Teams admin center
Review the permissions and roles of your Teams users and owners
Enable multi-factor authentication (MFA) for your Teams users
Educate your Teams users on how to spot and report phishing or malicious emails
Create or update your security policies and procedures for Teams usage
You can also use automation playbooks in Microsoft Sentinel to perform some of these actions automatically or semi-automatically. Playbooks are a collection of logic apps that can be triggered by certain conditions or events, such as an alert or an incident. You can use existing playbooks or create your own playbooks using Azure Logic Apps.
Summary
In this section, I’ve discussed how to use Microsoft Sentinel to detect and respond to multiple Teams deletion events in your organization. I have covered how to collect Teams activity logs in Microsoft Sentinel, how to write a custom analytics rule to detect multiple Teams deletion, how to create an incident and investigate the alert, and how to remediate the threat and prevent future attacks.