Microsoft 365 Teams Guest Access Enabled

 1[metadata]
 2creation_date = "2020/11/20"
 3integration = ["o365"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization
11to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.
12"""
13false_positives = [
14    """
15    Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was
16    expected. Exceptions can be added to this rule to filter expected behavior.
17    """,
18]
19from = "now-30m"
20index = ["filebeat-*", "logs-o365*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "Microsoft 365 Teams Guest Access Enabled"
24note = """## Setup
25
26The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
27references = [
28    "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps",
29]
30risk_score = 47
31rule_id = "5e552599-ddec-4e14-bad1-28aa42404388"
32severity = "medium"
33tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"]
34timestamp_override = "event.ingested"
35type = "query"
36
37query = '''
38event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and
39event.category:web and event.action:"Set-CsTeamsClientConfiguration" and
40o365.audit.Parameters.AllowGuestUser:True and event.outcome:success
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1098"
48name = "Account Manipulation"
49reference = "https://attack.mitre.org/techniques/T1098/"
50
51
52[rule.threat.tactic]
53id = "TA0003"
54name = "Persistence"
55reference = "https://attack.mitre.org/tactics/TA0003/"