Microsoft 365 Teams Custom Application Interaction Allowed

Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded (sideloaded) into the tenant. The rule keys on the successful change of the tenant-wide "Allow sideloading and interaction of custom apps" setting to True, as recorded in the Microsoft 365 unified audit log, rather than on the upload of a custom app itself. An adversary with administrative rights may abuse this setting to install a custom app that establishes persistence in the environment.

Elastic rule

[metadata]
creation_date = "2020/11/30"
integration = ["o365"]
maturity = "production"
min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
min_stack_version = "8.8.0"
updated_date = "2024/04/02"

[rule]
author = ["Elastic"]
description = """
Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than
those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may
abuse this behavior to establish persistence in an environment.
"""
false_positives = [
    """
    Custom applications may be allowed by a system or network administrator. Verify that the configuration change was
    expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Teams Custom Application Interaction Allowed"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"]
risk_score = 47
rule_id = "bbd1a775-8267-41fa-9232-20e5582596ac"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: Microsoft 365",
    "Use Case: Configuration Audit",
    "Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:MicrosoftTeams and
event.category:web and event.action:TeamsTenantSettingChanged and
o365.audit.Name:"Allow sideloading and interaction of custom apps" and
o365.audit.NewValue:True and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
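To see which audit events the KQL above would and would not match, the following Python replays the query's seven conditions over a handful of constructed o365.audit documents. This is an added example, not code from the Elastic rule or the Office 365 integration; the sample events, the actor field `user.id`, and the `expected_actors` allow-list (standing in for the rule exceptions the false-positive note mentions) are assumptions made for the illustration.

```python
"""Replay the rule's KQL conditions over constructed o365.audit documents.

Added example; not part of the Elastic rule. Sample events are constructed
to resemble the ECS shape produced by the Office 365 Logs integration.
"""
from typing import Any, Iterable, List

# The query's conditions, as field path -> required value.
RULE_TERMS = {
    "event.dataset": "o365.audit",
    "event.provider": "MicrosoftTeams",
    "event.category": "web",
    "event.action": "TeamsTenantSettingChanged",
    "o365.audit.Name": "Allow sideloading and interaction of custom apps",
    "o365.audit.NewValue": "True",
    "event.outcome": "success",
}

# Constructed sample events (not real tenant data). user.id is an assumed
# field used here to mimic the actor of the change.
SAMPLE_EVENTS = [
    {   # case 1: sideloading switched on successfully -> should alert
        "event": {"dataset": "o365.audit", "provider": "MicrosoftTeams",
                  "category": ["web"], "action": "TeamsTenantSettingChanged",
                  "outcome": "success"},
        "user": {"id": "admin@example.onmicrosoft.com"},
        "o365": {"audit": {"Name": "Allow sideloading and interaction of custom apps",
                           "OldValue": "False", "NewValue": "True"}},
    },
    {   # case 2: same setting switched off -> NewValue is False, no alert
        "event": {"dataset": "o365.audit", "provider": "MicrosoftTeams",
                  "category": ["web"], "action": "TeamsTenantSettingChanged",
                  "outcome": "success"},
        "user": {"id": "admin@example.onmicrosoft.com"},
        "o365": {"audit": {"Name": "Allow sideloading and interaction of custom apps",
                           "OldValue": "True", "NewValue": "False"}},
    },
    {   # case 3: a different tenant setting changed to True -> no alert
        "event": {"dataset": "o365.audit", "provider": "MicrosoftTeams",
                  "category": ["web"], "action": "TeamsTenantSettingChanged",
                  "outcome": "success"},
        "user": {"id": "admin@example.onmicrosoft.com"},
        "o365": {"audit": {"Name": "Allow external apps in Microsoft Teams",
                           "OldValue": "False", "NewValue": "True"}},
    },
    {   # case 4: attempt to enable sideloading that failed -> no alert
        "event": {"dataset": "o365.audit", "provider": "MicrosoftTeams",
                  "category": ["web"], "action": "TeamsTenantSettingChanged",
                  "outcome": "failure"},
        "user": {"id": "mallory@example.onmicrosoft.com"},
        "o365": {"audit": {"Name": "Allow sideloading and interaction of custom apps",
                           "OldValue": "False", "NewValue": "True"}},
    },
]


def field(doc: dict, path: str) -> Any:
    """Resolve a dotted ECS path such as 'o365.audit.Name' in a nested dict."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def term_matches(value: Any, expected: str) -> bool:
    """KQL 'field:value' on a keyword field: exact match, and on a
    multi-valued field (event.category is an array) a match if any element
    equals. Comparison is case-insensitive because the audit payload carries
    NewValue as the string 'True' (assumption about the source field)."""
    if isinstance(value, list):
        return any(term_matches(v, expected) for v in value)
    return value is not None and str(value).casefold() == expected.casefold()


def matches_rule(doc: dict) -> bool:
    """True when every condition of the query holds for this document."""
    return all(term_matches(field(doc, path), want) for path, want in RULE_TERMS.items())


def run_rule(events: Iterable[dict], expected_actors: Iterable[str] = ()) -> List[dict]:
    """Return the events that would raise an alert. expected_actors mimics a
    rule exception for changes made by a known administrator."""
    allow = set(expected_actors)
    return [e for e in events if matches_rule(e) and field(e, "user.id") not in allow]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", field(hit, "user.id"), "set", field(hit, "o365.audit.Name"),
              "to", field(hit, "o365.audit.NewValue"))
```

Only case 1 alerts: turning the setting off, changing some other setting, or a failed attempt all fall outside the query. Note that the failed attempt (case 4) is silent under this rule even though it may be the more interesting event from an investigation standpoint; a separate rule on `event.outcome:failure` would be needed to surface it.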

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload