Microsoft 365 Teams Guest Access Enabled
Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/20"
3integration = ["o365"]
4maturity = "production"
5min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
6min_stack_version = "8.8.0"
7updated_date = "2024/04/02"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization
13to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.
14"""
15false_positives = [
16 """
17 Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was
18 expected. Exceptions can be added to this rule to filter expected behavior.
19 """,
20]
21from = "now-30m"
22index = ["filebeat-*", "logs-o365*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Microsoft 365 Teams Guest Access Enabled"
26note = """## Setup
27
28The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = [
30 "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps",
31]
32risk_score = 47
33rule_id = "5e552599-ddec-4e14-bad1-28aa42404388"
34severity = "medium"
35tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"]
36timestamp_override = "event.ingested"
37type = "query"
38
39query = '''
40event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and
41event.category:web and event.action:"Set-CsTeamsClientConfiguration" and
42o365.audit.Parameters.AllowGuestUser:True and event.outcome:success
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1098"
50name = "Account Manipulation"
51reference = "https://attack.mitre.org/techniques/T1098/"
52
53
54[rule.threat.tactic]
55id = "TA0003"
56name = "Persistence"
57reference = "https://attack.mitre.org/tactics/TA0003/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
The TeamsClientConfiguration allows IT admins to control the settings that can be accessed via Teams clients across their organization. This configuration includes settings like which third party cloud storage your organization allows, whether or not guest users can access the teams client, and how Surface Hub devices can interact with Skype for Business meetings. This cmdlet allows IT admins to retrieve the effective configuration for their organization. Use in conjunction with Set-CsTeamsClientConfiguration to update the settings in your organization.
Read More
Related rules
- Microsoft 365 Teams Custom Application Interaction Allowed
- Microsoft 365 Teams External Access Enabled
- O365 Exchange Suspicious Mailbox Right Delegation
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 Exchange Anti-Phish Rule Modification