Azure · mmelndezlujn · Jan 4, 2024 · Jan 5, 2024 · Jan 5, 2024 · Jan 9, 2024
@@ -1,8 +1,8 @@
 id: bff058b2-500e-4ae5-bb49-a5b1423cbd5b
 name: Accessed files shared by temporary external user
 description: |
-  'This detection identifies an external user is added to a Team or Teams chat
-  and shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be
+  'This detection identifies when an external user is added to a Team or Teams chat
+  and shares a file which is accessed by many users (>10) and the users is removed within short period of time. This might be
   an indicator of suspicious activity.'
 severity: Low
 status: Available 
@@ -26,17 +26,17 @@ query: |
  OfficeActivity
   | where OfficeWorkload =~ "MicrosoftTeams"
   | where Operation =~ "MemberAdded"
-  | extend UPN = tostring(parse_json(Members)[0].UPN)
-  | where UPN contains ("#EXT#")
-  | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName
+  | extend MemberAdded = tostring(parse_json(Members)[0].UPN)
+  | where MemberAdded contains ("#EXT#")
+  | project TimeAdded=TimeGenerated, Operation, MemberAdded, UserWhoAdded = UserId, TeamName
   | join kind = inner(
                         OfficeActivity
                         | where OfficeWorkload =~ "MicrosoftTeams"
                         | where Operation =~ "MemberRemoved"
-                        | extend UPN = tostring(parse_json(Members)[0].UPN)
-                        | where UPN contains ("#EXT#")
-                        | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName
-                      ) on UPN
+                        | extend MemberAdded = tostring(parse_json(Members)[0].UPN)
+                        | where MemberAdded contains ("#EXT#")
+                        | project TimeDeleted=TimeGenerated, Operation, MemberAdded, UserWhoDeleted = UserId, TeamName
+                      ) on MemberAdded
   | where TimeDeleted > TimeAdded
   | join kind=inner 
                     (
@@ -53,11 +53,13 @@ query: |
                                         | summarize FileAccessCount = count() by OfficeObjectId
                                         | where FileAccessCount > fileAccessThrehold
                                         ) on $left.OfficeObjectId == $right.OfficeObjectId
-                    )on $left.UPN == $right.UserId
-  | extend AccountName = tostring(split(UserWhoAdded, "@")[0]), AccountUPNSuffix = tostring(split(UserWhoAdded, "@")[1])
+                    )on $left.MemberAdded == $right.UserId
+  | extend AccountName = tostring(split(MemberAdded, "@")[0]), AccountUPNSuffix = tostring(split(MemberAdded, "@")[1])
 entityMappings:
   - entityType: Account
     fieldMappings:
+      - identifier: FullName 
+        columnName: MemberAdded
       - identifier: Name
         columnName: AccountName
       - identifier: UPNSuffix
@@ -66,5 +68,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: ClientIP
-version: 2.0.2
+version: 2.0.3
 kind: Scheduled
@@ -24,25 +24,31 @@ query: |
   | where Operation == Op
   | where Members has ("#EXT#")
   | mv-expand Members
-  | extend UPN = tostring(Members.UPN)
-  | where UPN has ("#EXT#")
-  | project TimeGenerated, Operation, UPN, UserId, TeamName
+  | extend MemberAdded = tostring(Members.UPN)
+  | where MemberAdded has ("#EXT#")
+  | project TimeGenerated, Operation, MemberAdded, UserId, TeamName, ClientIP
   };
   let TeamsAdd = TeamsAddDel("MemberAdded")
-  | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName;
+  | project TimeAdded=TimeGenerated, Operation, MemberAdded, UserWhoAdded = UserId, TeamName, ClientIP;
   let TeamsDel = TeamsAddDel("MemberRemoved")
-  | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName;
+  | project TimeDeleted=TimeGenerated, Operation, MemberAdded, UserWhoDeleted = UserId, TeamName, ClientIP;
   TeamsAdd
-  | join kind=inner (TeamsDel) on UPN
+  | join kind=inner (TeamsDel) on MemberAdded
   | where TimeDeleted > TimeAdded
-  | project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName
-  | extend AccountName = tostring(split(UPN, "@")[0]), AccountUPNSuffix = tostring(split(UPN, "@")[1])
+  | project TimeAdded, TimeDeleted, MemberAdded, UserWhoAdded, UserWhoDeleted, TeamName, ClientIP
+  | extend AccountName = tostring(split(MemberAdded, "@")[0]), AccountUPNSuffix = tostring(split(MemberAdded, "@")[1])
 entityMappings:
   - entityType: Account
     fieldMappings:
+      - identifier: FullName 
+        columnName: MemberAdded
       - identifier: Name
         columnName: AccountName
       - identifier: UPNSuffix
         columnName: AccountUPNSuffix
-version: 2.0.1
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: ClientIP
+version: 2.0.2
 kind: Scheduled
@@ -37,6 +37,8 @@ query: |
 entityMappings:
   - entityType: Account
     fieldMappings:
+      - identifier: FullName 
+        columnName: UserId
       - identifier: Name
         columnName: AccountName
       - identifier: UPNSuffix
@@ -45,5 +47,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPAddress
-version: 2.0.2
+version: 2.0.3
 kind: Scheduled
@@ -41,6 +41,8 @@ query: |
 entityMappings:
   - entityType: Account
     fieldMappings:
+      - identifier: FullName 
+        columnName: UserId
       - identifier: Name
         columnName: AccountName
       - identifier: UPNSuffix
@@ -53,5 +55,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: ClientIPAddress
-version: 2.0.3
+version: 2.0.4
 kind: Scheduled
@@ -25,15 +25,21 @@ query: |
     OfficeActivity
   | where OfficeWorkload =~ "MicrosoftTeams"
   | where Operation =~ "TeamDeleted"
-  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName, 1000) by UserId
+  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName, 1000) by UserId, ClientIP
   | where array_length(DeletedTeams) > max_delete_count
   | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
 entityMappings:
   - entityType: Account
     fieldMappings:
+      - identifier: FullName 
+        columnName: UserId
       - identifier: Name
         columnName: AccountName
       - identifier: UPNSuffix
         columnName: AccountUPNSuffix
-version: 2.0.3
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: ClientIP
+version: 2.0.4
 kind: Scheduled
@@ -45,6 +45,8 @@ query: |
 entityMappings:
   - entityType: Account
     fieldMappings:
+      - identifier: FullName 
+        columnName: UserId
       - identifier: Name
         columnName: AccountName
       - identifier: UPNSuffix
@@ -53,5 +55,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: ClientIP
-version: 2.0.2
+version: 2.0.3
 kind: Scheduled
@@ -56,6 +56,8 @@ query: |
 entityMappings:
   - entityType: Account
     fieldMappings:
+      - identifier: FullName 
+        columnName: UserId
       - identifier: Name
         columnName: AccountName
       - identifier: UPNSuffix
@@ -72,5 +74,5 @@ entityMappings:
     fieldMappings:
       - identifier: Name
         columnName: FileNames       
-version: 2.0.4
+version: 2.0.5
 kind: Scheduled
@@ -27,6 +27,8 @@ query: |
 entityMappings:
   - entityType: Account
     fieldMappings:
+      - identifier: FullName 
+        columnName: UserId
       - identifier: Name
         columnName: AccountName
       - identifier: UPNSuffix
@@ -39,5 +41,5 @@ entityMappings:
     fieldMappings:
       - identifier: AppId
         columnName: AppId
-version: 2.0.3
+version: 2.0.4
 kind: Scheduled
@@ -53,6 +53,8 @@ query: |
 entityMappings:
   - entityType: Account
     fieldMappings:
+      - identifier: FullName 
+        columnName: UserId
       - identifier: Name
         columnName: AccountName
       - identifier: UPNSuffix
@@ -65,5 +67,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Site_Url
-version: 2.0.3
+version: 2.0.4
 kind: Scheduled
@@ -65,6 +65,8 @@ query: |
 entityMappings:
   - entityType: Account
     fieldMappings:
+      - identifier: FullName 
+        columnName: UserId
       - identifier: Name
         columnName: UserIdName
       - identifier: UPNSuffix
@@ -77,5 +79,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Site_Url
-version: 2.2.2
+version: 2.2.3
 kind: Scheduled
@@ -33,6 +33,8 @@ query: |
 entityMappings:
   - entityType: Account
     fieldMappings:
+      - identifier: FullName 
+        columnName: UserId
       - identifier: Name
         columnName: AccountName
       - identifier: UPNSuffix
@@ -43,5 +45,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: ClientIP
-version: 2.0.3
+version: 2.0.4
 kind: Scheduled
@@ -48,6 +48,8 @@ query: |
 entityMappings:
   - entityType: Account
     fieldMappings:
+      - identifier: FullName 
+        columnName: UserId
       - identifier: Name
         columnName: AccountName
       - identifier: UPNSuffix
@@ -56,5 +58,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: ClientIP
-version: 2.0.2
+version: 2.0.3
 kind: Scheduled
@@ -29,6 +29,8 @@ query: |
 entityMappings:
   - entityType: Account
     fieldMappings:
+      - identifier: FullName 
+        columnName: UserId
       - identifier: Name
         columnName: AccountName
       - identifier: UPNSuffix
@@ -55,5 +57,5 @@ incidentConfiguration:
     - Account
     groupByAlertDetails: []
     groupByCustomDetails: []
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
@@ -29,6 +29,8 @@ query: |
 entityMappings:
   - entityType: Account
     fieldMappings:
+      - identifier: FullName 
+        columnName: UserId
       - identifier: Name
         columnName: AccountName
       - identifier: UPNSuffix
@@ -55,5 +57,5 @@ incidentConfiguration:
     - Account
     groupByAlertDetails: []
     groupByCustomDetails: []
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
@@ -39,6 +39,8 @@ query: |
 entityMappings:
   - entityType: Host
     fieldMappings:
+      - identifier: FullName 
+        columnName: CompromisedEntity
       - identifier: HostName
         columnName: HostName
       - identifier: DnsDomain
@@ -47,5 +49,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: PublicIP
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
@@ -36,6 +36,8 @@ query: |
 entityMappings:
   - entityType: Host
     fieldMappings:
+      - identifier: FullName 
+        columnName: CompromisedEntity
       - identifier: HostName
         columnName: HostName
       - identifier: DnsDomain
@@ -44,5 +46,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: PublicIP
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
@@ -28,9 +28,11 @@ query: |
 entityMappings:
   - entityType: Host
     fieldMappings:
+      - identifier: FullName 
+        columnName: CompromisedEntity
       - identifier: HostName
         columnName: HostName
       - identifier: DnsDomain
         columnName: DnsDomain
-version: 1.1.2
+version: 1.1.4
 kind: Scheduled