Microsoft 365 Teams External Access Enabled
Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/30"
3integration = ["o365"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users
11communicate with other users that are outside their organization. An adversary may enable external access or add an
12allowed domain to exfiltrate data or maintain persistence in an environment.
13"""
14false_positives = [
15 """
16 Teams external access may be enabled by a system or network administrator. Verify that the configuration change was
17 expected. Exceptions can be added to this rule to filter expected behavior.
18 """,
19]
20from = "now-30m"
21index = ["filebeat-*", "logs-o365*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "Microsoft 365 Teams External Access Enabled"
25note = """## Setup
26
27The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28references = ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"]
29risk_score = 47
30rule_id = "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51"
31severity = "medium"
32tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"]
33timestamp_override = "event.ingested"
34type = "query"
35
36query = '''
37event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and
38event.category:web and event.action:"Set-CsTenantFederationConfiguration" and
39o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success
40'''
41
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1098"
47name = "Account Manipulation"
48reference = "https://attack.mitre.org/techniques/T1098/"
49
50
51[rule.threat.tactic]
52id = "TA0003"
53name = "Persistence"
54reference = "https://attack.mitre.org/tactics/TA0003/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Microsoft 365 Teams Custom Application Interaction Allowed
- Microsoft 365 Teams Guest Access Enabled
- O365 Exchange Suspicious Mailbox Right Delegation
- Azure Automation Runbook Created or Modified
- Azure Automation Webhook Created