Microsoft 365 Teams External Access Enabled
Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/30"
3integration = ["o365"]
4maturity = "production"
5min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
6min_stack_version = "8.8.0"
7updated_date = "2024/04/02"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users
13communicate with other users that are outside their organization. An adversary may enable external access or add an
14allowed domain to exfiltrate data or maintain persistence in an environment.
15"""
16false_positives = [
17 """
18 Teams external access may be enabled by a system or network administrator. Verify that the configuration change was
19 expected. Exceptions can be added to this rule to filter expected behavior.
20 """,
21]
22from = "now-30m"
23index = ["filebeat-*", "logs-o365*"]
24language = "kuery"
25license = "Elastic License v2"
26name = "Microsoft 365 Teams External Access Enabled"
27note = """## Setup
28
29The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
30references = ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"]
31risk_score = 47
32rule_id = "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51"
33severity = "medium"
34tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"]
35timestamp_override = "event.ingested"
36type = "query"
37
38query = '''
39event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and
40event.category:web and event.action:"Set-CsTenantFederationConfiguration" and
41o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1098"
49name = "Account Manipulation"
50reference = "https://attack.mitre.org/techniques/T1098/"
51
52
53[rule.threat.tactic]
54id = "TA0003"
55name = "Persistence"
56reference = "https://attack.mitre.org/tactics/TA0003/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
For IT admins - Learn how to configure chat and meetings with people outside your organization who use Microsoft Entra ID, Microsoft Teams Essentials, or Skype.
Read More
Related rules
- Microsoft 365 Teams Custom Application Interaction Allowed
- Microsoft 365 Teams Guest Access Enabled
- O365 Exchange Suspicious Mailbox Right Delegation
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 Exchange Anti-Phish Rule Modification