Link Search Menu Expand Document

Teams_External_Access_Enabled

ID: 100419

Description:

External access was enabled in Microsoft Teams

Repository: Group: Office365ES Type: event

Default Status:

Enabled

Tags:
O365
 

Selector:

Query:

Filters:

Field MUST hit
input.type o365audit
o365.audit.Operation Set-CsTenantFederationConfiguration
o365.audit.Workload SkypeForBusiness
  MicrosoftTeams
o365.audit.ResultStatus Succeeded
o365.audit.audit.Parameters.AllowFederatedUsers True
Field MUST NOT hit
   

Behavior Rule:

Key Type Behavior Category
o365.audit.UserId username security alert

Risks:

Risks Base Score Dimension
     

Attributes:

Alias Key
IP o365.audit.ClientIP
City _ip.city
Country _ip.country
UserName o365.audit.UserId
Message @message

Correlation Rules:

First Occurrence:

Name Window Fields
NewUser 2 days o365.audit.UserId
  Risks: ML_NEW_USER
NewIP 1 day o365.audit.ClientIP
  Risks: ML_NEW_IP
NewCity 3 days _ip.city
  Risks: ML_NEW_GEO_CITY
NewCountry 5 days _ip.country
  Risks: ML_NEW_GEO_COUNTRY

History:

| User | Date | | :— | :— | | — | — |

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)