Microsoft 365 Teams Custom Application Interaction Allowed

Identifies when custom applications are allowed in Microsoft Teams, that is, when the tenant setting "Allow sideloading and interaction of custom apps" is changed to True. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary with administrative access may enable this setting and then upload a custom app package to establish persistence in an environment.

Elastic rule

[metadata]
creation_date = "2020/11/30"
integration = ["o365"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than
those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may
abuse this behavior to establish persistence in an environment.
"""
false_positives = [
    """
    Custom applications may be allowed by a system or network administrator. Verify that the configuration change was
    expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Teams Custom Application Interaction Allowed"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"]
risk_score = 47
rule_id = "bbd1a775-8267-41fa-9232-20e5582596ac"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:MicrosoftTeams and
event.category:web and event.action:TeamsTenantSettingChanged and
o365.audit.Name:"Allow sideloading and interaction of custom apps" and
o365.audit.NewValue:True and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
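To make the query's matching behaviour concrete, the following is an added example (not Elastic's code) that evaluates the same seven conditions in Python over a handful of constructed o365.audit documents shaped like the ones the Office 365 Fleet integration emits (ECS fields plus o365.audit.*). It assumes NewValue is indexed as the keyword string "True", that event.category can be an array as in ECS, and it adds the false-positive exception the rule's guidance suggests: an allowlist of expected administrators keyed on user.id. The event values, user names and IP addresses are made up for this example.

```python
"""Added example: the rule's KQL predicate re-implemented over constructed o365.audit events."""
from typing import Any, Dict, FrozenSet, Iterable, List, Optional

TARGET_SETTING = "Allow sideloading and interaction of custom apps"

# Constructed sample events (not real tenant logs). Field names follow the Elastic o365
# integration; NewValue is assumed to be a keyword string, which is why "True" is quoted.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # 1: the behaviour the rule targets, sideloading switched on successfully
        "event": {"dataset": "o365.audit", "provider": "MicrosoftTeams", "category": ["web"],
                  "action": "TeamsTenantSettingChanged", "outcome": "success"},
        "o365": {"audit": {"Name": TARGET_SETTING, "NewValue": "True"}},
        "user": {"id": "admin@example.com"}, "source": {"ip": "198.51.100.7"},
    },
    {   # 2: same setting switched off; NewValue is "False", so no match
        "event": {"dataset": "o365.audit", "provider": "MicrosoftTeams", "category": ["web"],
                  "action": "TeamsTenantSettingChanged", "outcome": "success"},
        "o365": {"audit": {"Name": TARGET_SETTING, "NewValue": "False"}},
        "user": {"id": "admin@example.com"}, "source": {"ip": "198.51.100.7"},
    },
    {   # 3: attempted change that failed; event.outcome excludes it
        "event": {"dataset": "o365.audit", "provider": "MicrosoftTeams", "category": ["web"],
                  "action": "TeamsTenantSettingChanged", "outcome": "failure"},
        "o365": {"audit": {"Name": TARGET_SETTING, "NewValue": "True"}},
        "user": {"id": "helpdesk@example.com"}, "source": {"ip": "203.0.113.9"},
    },
    {   # 4: a different tenant setting; o365.audit.Name excludes it
        "event": {"dataset": "o365.audit", "provider": "MicrosoftTeams", "category": ["web"],
                  "action": "TeamsTenantSettingChanged", "outcome": "success"},
        "o365": {"audit": {"Name": "Allow external apps in Microsoft Teams", "NewValue": "True"}},
        "user": {"id": "admin@example.com"}, "source": {"ip": "198.51.100.7"},
    },
    {   # 5: a second genuine match from an unexpected account and source address
        "event": {"dataset": "o365.audit", "provider": "MicrosoftTeams", "category": ["web"],
                  "action": "TeamsTenantSettingChanged", "outcome": "success"},
        "o365": {"audit": {"Name": TARGET_SETTING, "NewValue": "True"}},
        "user": {"id": "contractor@example.com"}, "source": {"ip": "203.0.113.42"},
    },
]


def get_field(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted ECS field path such as 'o365.audit.Name'; None if absent."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def term_matches(value: Any, expected: str) -> bool:
    """KQL `field:value` on a keyword field: equality, or membership for array-valued fields."""
    if isinstance(value, list):
        return expected in value
    return value == expected


# (field, expected term) pairs, one per clause of the rule's query
QUERY_TERMS = [
    ("event.dataset", "o365.audit"),
    ("event.provider", "MicrosoftTeams"),
    ("event.category", "web"),
    ("event.action", "TeamsTenantSettingChanged"),
    ("o365.audit.Name", TARGET_SETTING),
    ("o365.audit.NewValue", "True"),
    ("event.outcome", "success"),
]


def matches_rule(doc: Dict[str, Any]) -> bool:
    """True when every clause of the query matches the document (KQL `and` semantics)."""
    return all(term_matches(get_field(doc, field), term) for field, term in QUERY_TERMS)


def run_rule(events: Iterable[Dict[str, Any]],
             expected_actors: FrozenSet[str] = frozenset()) -> List[Dict[str, Any]]:
    """Return one alert per matching event, skipping actors on the exception list.

    `expected_actors` models the rule's false_positives guidance: administrators whose
    configuration changes are known to be expected. Everything else becomes an alert
    carrying the fields a responder needs first (who, from where, which setting).
    """
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        actor = get_field(ev, "user.id")
        if actor in expected_actors:
            continue
        alerts.append({"user": actor,
                       "source_ip": get_field(ev, "source.ip"),
                       "setting": get_field(ev, "o365.audit.Name")})
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS, expected_actors=frozenset({"admin@example.com"})):
        print(alert)
```

Running it unfiltered yields two alerts (events 1 and 5); with the sample administrator on the exception list only the contractor's change remains, which is the triage outcome the rule's false_positives note describes. Note that the exception is on the actor, not on the setting: filtering the setting itself would silence the rule entirely.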

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload