<LINGO-SUB id="lingo-sub-1574600" slang="en-US">Secure your Calls- Monitoring Microsoft TEAMS CallRecords Activity Logs using Azure Sentinel</LINGO-SUB>
<LINGO-BODY id="lingo-body-1574600" slang="en-US">
<P>This blog is authored and technically implemented by <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/49603" target="_blank">@Hesham Saad</A> with hearty thanks to our collaborator and use-cases executive mind brain <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/274274" target="_blank">@yazanouf</A></P>
<P data-unlink="true">Before we dig deep into monitoring TEAMS CallRecords Activity Logs, please have a look at the "Protecting your Teams with Azure Sentinel" blog post by <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/113210" target="_blank">@Pete Bryan</A> on how to ingest TEAMS management logs into Azure Sentinel via the O365 Management Activity API.</P>
<H2 id="toc-hId--1382140238" aria-level="2">Collecting TEAMS CallRecords Activity Data</H2>
<P>In this section we go into detail on how to ingest TEAMS CallRecords activity logs into Azure Sentinel via the Microsoft Graph API, mainly leveraging the CallRecords API, which is a Graph webhook API that gives access to the Calls activity logs. The SOC team can subscribe to changes to CallRecords via Azure Sentinel, using the Microsoft Graph webhook subscriptions capability, allowing them to build near-real-time reports from the data or to alert on the specific scenarios and use cases mentioned above.</P>
<P>Technically, you can use the call records APIs to subscribe to call records and look up call records by IDs. The call records API is defined in the OData sub-namespace, <CODE>microsoft.graph.callRecords</CODE>.</P>
<P>So, what are the key resource types returned by the API?</P>
<TABLE border="1" width="100%">
<TBODY>
<TR>
<TD width="33.333333333333336%" class="lia-align-center">Resource</TD>
<TD width="33.333333333333336%" class="lia-align-center">Methods</TD>
<TD width="33.333333333333336%" class="lia-align-center">Description</TD>
</TR>
<TR>
<TD width="33.333333333333336%">CallRecord</TD>
<TD width="33.333333333333336%"><A href="https://docs.microsoft.com/en-us/graph/api/callrecords-callrecord-get?view=graph-rest-1.0" target="_blank" rel="noopener noreferrer">Get callRecord</A></TD>
<TD width="33.333333333333336%">Represents a single peer-to-peer call or a group call between multiple participants</TD>
</TR>
<TR>
<TD width="33.333333333333336%">session</TD>
<TD width="33.333333333333336%">Get callRecord<BR />List sessions</TD>
<TD width="33.333333333333336%">A peer-to-peer call contains a single session between the two participants in the call. Group calls contain one or more session entities. In a group call, each session is between the participant and a service endpoint.</TD>
</TR>
<TR>
<TD>segment</TD>
<TD><A href="https://docs.microsoft.com/en-us/graph/api/callrecords-callrecord-get?view=graph-rest-1.0" target="_blank" rel="noopener noreferrer">Get callRecord</A><BR /><A href="https://docs.microsoft.com/en-us/graph/api/callrecords-session-list?view=graph-rest-1.0" target="_blank" rel="noopener noreferrer">List sessions</A></TD>
<TD>A segment represents a media link between two endpoints.</TD>
</TR>
</TBODY>
</TABLE>
<P>The <A href="https://docs.microsoft.com/en-us/graph/api/resources/callrecords-callrecord?view=graph-rest-1.0" target="_blank" rel="noopener noreferrer">callRecord</A> entity represents a single peer-to-peer call or a group call between multiple participants, sometimes referred to as an online meeting. A peer-to-peer call contains a single <A href="https://docs.microsoft.com/en-us/graph/api/resources/callrecords-session?view=graph-rest-1.0" target="_blank" rel="noopener noreferrer">session</A> between the two participants in the call. Group calls contain one or more session entities. In a group call, each session is between the participant and a service endpoint. Each session contains one or more <A href="https://docs.microsoft.com/en-us/graph/api/resources/callrecords-segment?view=graph-rest-1.0" target="_blank" rel="noopener noreferrer">segment</A> entities. A segment represents a media link between two <A href="https://docs.microsoft.com/en-us/graph/api/resources/callrecords-endpoint?view=graph-rest-1.0" target="_blank" rel="noopener noreferrer">endpoints</A>. For most calls, only one segment will be present for each session; however, sometimes there may be one or more intermediate endpoints. For more details <A href="https://docs.microsoft.com/en-us/graph/api/resources/callrecords-callrecord?view=graph-rest-1.0" target="_self" rel="noopener noreferrer">click here</A>.</P>
<P>Below is the main architecture diagram including the components to deploy the Teams CallRecords Activity Logs Connector:</P>
<P><IMG src="https://gxcuf89792.i.lithium.com/t5/image/serverpage/image-id/211104i4159F1F1C52BF6E0/image-size/large?v=1.0&amp;px=999" title="TEAMSGraphDiagramArchitecture.PNG" alt="TEAMSGraphDiagramArchitecture.PNG" /></P>
<H4 id="toc-hId--1808471753">Deployment steps:</H4>
<H4 id="toc-hId-679041080" aria-level="3">Register an App</H4>
<P>Create and register an Azure AD app to handle the authentication and authorization needed to collect data from the Graph API. Navigate to the Azure Active Directory blade of your Azure portal and follow the steps below:</P>
<OL class="lia-list-style-type-lower-alpha">
<LI>Click on ‘App Registrations’</LI>
<LI>Select ‘New Registration’</LI>
<LI>Give it a name and click Register.</LI>
<LI>Click the ‘API Permissions’ blade.</LI>
<LI>Click ‘Add a Permission’.</LI>
<LI>Click ‘Microsoft Graph’.</LI>
<LI>Click ‘Application Permissions’.</LI>
<LI>Search for 'CallRecords' and check CallRecords.Read.All. Also, search for 'Directory', check Directory.ReadWrite.All, and click ‘Add permissions’.</LI>
<LI>Click ‘grant admin consent’.</LI>
<LI>Click ‘Certificates and Secrets’.</LI>
<LI>Click ‘New Client Secret’</LI>
<LI>Enter a description, select ‘never’. Click ‘Add’.</LI>
<LI><STRONG>Note</STRONG>- Click copy next to the new secret and store it somewhere temporarily. You cannot come back to get the secret once you leave the blade.</LI>
<LI>Copy the client Id from the application properties and store it.</LI>
<LI>Copy the tenant Id from the main Azure Active Directory blade and store it.</LI>
</OL>
<P><IMG src="https://gxcuf89792.i.lithium.com/t5/image/serverpage/image-id/211108i4857678EDB6EDD5B/image-size/large?v=1.0&amp;px=999" title="Teams1.png" alt="Teams1.png" /></P>
<P><IMG src="https://gxcuf89792.i.lithium.com/t5/image/serverpage/image-id/211110i89990A143700A4A4/image-size/large?v=1.0&amp;px=999" title="Teams2.png" alt="Teams2.png" /></P>
<P><IMG src="https://gxcuf89792.i.lithium.com/t5/image/serverpage/image-id/211107i836002A4B4D48FF8/image-size/large?v=1.0&amp;px=999" title="Teams3.png" alt="Teams3.png" /></P>
<P><IMG src="https://gxcuf89792.i.lithium.com/t5/image/serverpage/image-id/211109i9122E097D297E45D/image-size/large?v=1.0&amp;px=999" title="Teams4.png" alt="Teams4.png" /></P>
<H4 id="toc-hId-1359099450">Deploy a Logic App</H4>
<P>The last step is to collect the CallRecords activity data and ingest it into Azure Sentinel via a Logic App.</P>
<P>Navigate to the Azure Sentinel workspace, click the Playbooks blade and follow the steps below:</P>
<OL class="lia-list-style-type-lower-alpha">
<LI>Click on ‘Add Playbook’</LI>
<LI>Select 'Resource Group', type a name for your logic app, for example 'TeamsCalls-SecurityGraphAPI', and toggle on 'Log Analytics'</LI>
<LI>Click 'Review + Create' then 'Create'</LI>
<LI>Open your new logic app 'TeamsCalls-SecurityGraphAPI'</LI>
<LI>Under 'Logic app designer', add the following steps:
<OL>
<LI>Add a 'Recurrence' step and set the value to 10 minutes, for example</LI>
<LI>Add an 'HTTP' step to create CallRecords subscriptions. Creating a subscription will <SPAN>subscribe a listener application to receive change notifications when the requested type of changes occur to the specified resource in Microsoft Graph. For more details, see <A href="https://docs.microsoft.com/en-us/graph/api/subscription-post-subscriptions?view=graph-rest-1.0&amp;tabs=http" target="_self" rel="noopener noreferrer">Create Subscriptions via Microsoft Graph API</A></SPAN>
<OL>
<LI><SPAN>Method: POST</SPAN></LI>
<LI><SPAN>URI: <A href="https://graph.microsoft.com/beta/subscriptions" target="_blank" rel="noopener noreferrer">https://graph.microsoft.com/beta/subscriptions</A></SPAN></LI>
<LI><SPAN>Body, note that you can edit 'changeType' value with 'created,updated' for example, 'notificationUrl' is the subscription notification endpoint for more details on
3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fgraph%2Fwebhooks%23notification-endpoint-validation%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EnotificationUrl%3C%2FA%3E%3C%2FSPAN%3E%0A%3COL%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3E%7B%0A%20%20%22changeType%22%3A%20%22created%22%2C%0A%20%20%22clientState%22%3A%20%22secretClientValue%22%2C%0A%20%20%22expirationDateTime%22%3A%20%222022-11-20T18%3A23%3A45.9356913Z%22%2C%0A%20%20%22latestSupportedTlsVersion%22%3A%20%22v1_2%22%2C%0A%20%20%22notificationUrl%22%3A%20%22https%3A%2F%2Foutlook.office.com%2Fwebhook%2F3ec886e9-86ef-4c86-bfff-2d0321f3313e%402006d214-5f91-4166-8d92-95f5e3ad9ec6%2FIncomingWebhook%2F9c6e121ed--x-x-x-x99939f71721fcbcc7%2F03c99422-50b0-x-x-x-ea-a00e-2b0b-x-x-x-12d5%22%2C%0A%20%20%22resource%22%3A%20%22%2Fcommunications%2FcallRecords%22%0A%7D%3C%2FCODE%3E%3C%2FPRE%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3EAuthentication%20Type%3A%20Active%20Directory%20OAuth%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3ETenant%3A%20with%20Tenant%20ID%20copied%20above%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3EAudience%3A%26nbsp
%3B-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3EClient%20ID%3A%20with%20Client%20ID%20copied%20above%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3ECredential%20Type%3A%20Secret%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3ESecret%3A%20with%20Secret%20value%20copied%20above%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FLI%3E%0A%3CLI%3EAdd%20'HTTP'%20step%20to%20list%20all%20subscriptions%3A%0A%3COL%3E%0A%3CLI%3EMethod%3A%20GET%3C%2FLI%3E%0A%3CLI%3EURI%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%2Fv1.0%2Fsubscriptions%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%2Fv1.0%2Fsubscriptions%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3EAuthentication%20Type%3A%20Active%20Directory%20OAuth%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-s
etsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3ETenant%3A%20with%20Tenant%20ID%20copied%20above%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3EAudience%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3EClient%20ID%3A%20with%20Client%20ID%20copied%20above%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3ECredential%20Type%3A%20Secret%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3ESecret%3A%20with%20Secret%20value%20copied%20above%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FLI%3E%0A%3CLI%3EIf%20you%20want%20to%20get%20all%20sessions%20details%20per%20specific%20call%20record%20session%20ID%20follow%20the%20below%20steps%2C%20noting%20that%20the%20below%20example%20is%20for%20a%20single%20CallRecord%20Session%20ID%20for%20the%20sake%20of%20demonstration%20and%20hence%20we%20added%20a%20variable%20item%2C%20you%20can%20simply%20add%20a%20loop%20step%20to%20get%20all%20sessions%20IDs%20from%20the%20created%20CallRecords%20subscription%20step%3A%0A%3COL%3E%0A%3CLI%3EMethod%3A%20GET%3C%2FLI%3E%0A%3CLI%3EURI%3A%26nbsp%3B%3CA%20href
%3D%22https%3A%2F%2Fgraph.microsoft.com%2Fbeta%2Fcommunications%2FcallRecords%2F%40%7Bvariables('TEAMSCallRecordsID')%7D%2Fsessions%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%2Fbeta%2Fcommunications%2FcallRecords%2F%40%7Bvariables('TEAMSCallRecordsID')%7D%2Fsessions%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3EAuthentication%20Type%3A%20Active%20Directory%20OAuth%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3ETenant%3A%20with%20Tenant%20ID%20copied%20above%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3EAudience%3A%26nbsp%3B-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3EClient%20ID%3A%20with%20Client%20ID%20copied%20above%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3
D%221%22%3ECredential%20Type%3A%20Secret%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3ESecret%3A%20with%20Secret%20value%20copied%20above%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FLI%3E%0A%3CLI%3EAdd%20'Send%20TEAMS%20CallRecords%20Data%20to%20Azure%20Sentinel%20LA-Workspace'%20step%2C%20after%20doing%20the%20connection%20successfully%20via%20your%20Azure%20Sentinel%20Workspace%20ID%20%26amp%3B%20Primary%20key%3A%0A%3COL%3E%0A%3CLI%3EJSON%20Request%20Body%3A%20Body%3C%2FLI%3E%0A%3CLI%3ECustom%20Log%20Name%3A%26nbsp%3BTEAMSGraphCallRecords%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Play1.PNG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F211113iC9C56F305D5639FD%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Play1.PNG%22%20alt%3D%22Play1.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22play2.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F211115i49C053B04D4EFC42%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22play2.png%22%20alt%3D%22play2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Play3.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F211114i64744501AEAC1A56%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Play3.png%22
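The subscription body above registers a `notificationUrl` and a `clientState`. As an added example (not code from the original post or its GitHub repo), the Python below shows what a self-hosted notification endpoint has to do with them: answer the Microsoft Graph validation handshake, discard notifications whose `clientState` does not match, and turn the remaining call record IDs into the sessions URIs used in the steps above. The function and constant names, the sample notification, and the assumption that call record IDs are GUIDs are illustrative.

```python
import hmac
import json
import uuid
from urllib.parse import parse_qs, urlsplit

# URI pattern taken from the "sessions" HTTP step in the post.
SESSIONS_URI = "https://graph.microsoft.com/beta/communications/callRecords/{id}/sessions"

# Same value as "clientState" in the subscription body shown in the post.
CLIENT_STATE = "secretClientValue"

# Constructed sample notification (not captured traffic): one genuine item,
# one with a guessed clientState, one whose id is not a GUID.
SAMPLE_BODY = json.dumps({"value": [
    {"clientState": "secretClientValue", "changeType": "created",
     "resource": "communications/callRecords/11111111-2222-3333-4444-555555555555",
     "resourceData": {"id": "11111111-2222-3333-4444-555555555555"}},
    {"clientState": "guessed", "changeType": "created",
     "resourceData": {"id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}},
    {"clientState": "secretClientValue", "changeType": "created",
     "resourceData": {"id": "../../users"}},
]})


def _is_canonical_guid(value):
    """True only for a plain hyphenated GUID (assumed call record ID format)."""
    if not isinstance(value, str):
        return False
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def handle_graph_callback(request_target, body, expected_client_state):
    """Process one POST that Microsoft Graph sent to the notificationUrl.

    Returns (status, content_type, response_body, session_uris, rejected).
    """
    # 1) Endpoint validation: Graph calls the URL with ?validationToken=...
    #    and expects the decoded token echoed back as text/plain with 200.
    query = parse_qs(urlsplit(request_target).query)
    token = query.get("validationToken")
    if token:
        return 200, "text/plain", token[0], [], 0

    # 2) Change notification: a JSON object with a "value" array.
    try:
        items = json.loads(body)["value"]
    except (ValueError, KeyError, TypeError):
        return 400, "text/plain", "malformed notification", [], 0
    if not isinstance(items, list):
        return 400, "text/plain", "malformed notification", [], 0

    expected = expected_client_state.encode()
    uris, rejected = [], 0
    for item in items:
        if not isinstance(item, dict):
            rejected += 1
            continue
        state = item.get("clientState")
        data = item.get("resourceData")
        record_id = data.get("id") if isinstance(data, dict) else None
        # Constant-time comparison of the shared secret; anyone who learns
        # the URL can POST to it, so unmatched items are never processed.
        state_ok = isinstance(state, str) and hmac.compare_digest(
            state.encode(), expected)
        # The id is placed into a request path, so accept only a GUID.
        if not (state_ok and _is_canonical_guid(record_id)):
            rejected += 1
            continue
        uris.append(SESSIONS_URI.format(id=record_id.lower()))

    # 202 acknowledges receipt; rejected items are only counted for logging.
    return 202, "text/plain", "", uris, rejected


if __name__ == "__main__":
    print(handle_graph_callback("/notify?validationToken=abc%3A123", b"", CLIENT_STATE))
    print(handle_graph_callback("/notify", SAMPLE_BODY, CLIENT_STATE))
```

A non-zero rejected count is worth logging to the workspace as well, since it indicates that something other than Microsoft Graph is posting to the endpoint.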
The complete Playbook code view has also been uploaded to the GitHub repo; please [click here](https://github.com/hesaad/AzureSentinelHub/tree/master) for more details and check out the readme section.

## Monitoring TEAMS CallRecords Activity

When the Playbook runs successfully, it creates a new custom log table 'TEAMSGraphCallRecords_CL' that holds the CallRecords activity logs. You might need to wait a few minutes until the new CL table is created and the CallRecords activity logs are ingested.

Navigate to the Azure Sentinel workspace, click the Logs blade and follow the steps below:

a. Tables > Group by: Solution > Custom Logs: TEAMSGraphCallRecords_CL
b. Below is the list of the main attributes that have been ingested:
   1. TimeGenerated
   2. Type_s: groupCall
   3. modalities_s: Audio, Video, ScreenSharing, VideoBasedScreenSharing
   4. LastModifiedDateTime
   5. StartDateTime, endDateTime
   6. joinWebUrl_s
   7. organizer_user_displayname_s
   8. participants_s
   9. sessions_odata_context_s
c. As you can see from the results below, we get the complete TEAMS CallRecords activity logs.

[Screenshot: Tab1.PNG]

### Parsing the Data

Before building any detections or hunting queries on the ingested *TEAMS CallRecords Activity* data, we can parse and normalize the data via a KQL Function to make it easier to use:

[Screenshot: tab2.PNG]

The parsing function has also been uploaded to the [GitHub repo](https://github.com/hesaad/AzureSentinelHub/tree/master).

Part (2): we will share a couple of hunting queries and upload them to GitHub. It is worth exploring the Microsoft Graph API, as there are other TEAMS-related API logs that can be ingested based on the requirements and use cases:

- TeamsActivity:
  - Read all users' teamwork activity feed
- TeamsAppInstallation:
  - Read installed Teams apps for all chats
  - Read installed Teams apps for all teams
  - Read installed Teams apps for all users
- TeamsApp
  - Read all users' installed Teams apps

...etc

We will be continuing to develop detections and hunting queries for Microsoft 365 *solutions* data over time, so make sure you keep an eye on GitHub. As always, if you have your own ideas for queries or detections, please feel free to contribute to the [Azure Sentinel community](https://github.com/Azure/Azure-Sentinel/wiki).

Organizations operating remotely want to be productive but not to compromise on security & compliance. Azure Sentinel provides a way via connectors - data ingestion "API" to ingest Microsoft TEAMS management - administration logs, but what about "Activity" logs in case of:

- An employee shared a meeting invite with a guest / internal - external user?
- Usage and diagnostic information about the calls and online meetings that occur within your organization?
- Reporting at depth on usage activities (number of calls, who called who, what modalities were used, On-performance (packet loss, jitter latency) …etc)?

and many more "activity" use cases.

Secure your Calls is a connector to monitor Microsoft TEAMS CallRecords activity logs via Azure Sentinel and Microsoft Graph API.

Labels: Azure Sentinel, Graph API, Teams, Threat Hunting

Re: Secure your Calls- Monitoring Microsoft TEAMS CallRecords Activity Logs using Azure Sentinel

What about individual meeting records?

These aren't even exposed in a GUI report. Big limitation.

Re: Secure your Calls- Monitoring Microsoft TEAMS CallRecords Activity Logs using Azure Sentinel

Reliability and scalability concerns aside (running a blanket query every 10 minutes) I am not liking this trend. Exchange mail flow and Teams call records should have first party integration. Customers do not want to pay for Sentinel only to have to use additional Azure services (which also cost btw) to complete the product. This is causing organizations to look elsewhere for solutions…

Re: Secure your Calls- Monitoring Microsoft TEAMS CallRecords Activity Logs using Azure Sentinel

Thanks @Mike Crowley, we will share the feedback with Product group team on a ready / customized connectors, please keep them coming, quick point to mention that you can get all activities and logs details for Exchange and Teams via Office 365 Security & Compliance dashboard (http://protection.office.com) & TEAMS admin dashboard https://admin.teams.microsoft.com/dashboard without any ingestion flow - cost if the solutions licenses are already in place, the blog post here is a way for SOC people to export to their SIEM.

Re: Secure your Calls- Monitoring Microsoft TEAMS CallRecords Activity Logs using Azure Sentinel

Thanks @Phillip Lyle, you can get all Call records / sessions exposed attributes via Graph API here: https://docs.microsoft.com/en-us/graph/api/resources/callrecords-callrecord?view=graph-rest-1.0

Re: Secure your Calls- Monitoring Microsoft TEAMS CallRecords Activity Logs using Azure Sentinel

Thanks, yes I'm talking about 1st party connectors, thanks. In [this thread](https://techcommunity.microsoft.com/t5/azure-sentinel/office-365-exchange-monitor-in-out-mails-senders/m-p/1031544),
CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F293879%22%20target%3D%22_blank%22%3E%40Ofer_Shezaf%3C%2FA%3E%20states%20that%20message%20tracking%20is%20on%20the%20roadmap%2C%20but%20his%20comment%20was%20from%20last%20year.%20The%20same%20request%2Fconcerns%20would%20apply%20to%20Teams%20and%20other%20Microsoft%20products.%20Customers%20should%20not%20have%20to%20engineer%20or%20pay%20for%20connectivity%20between%20Microsoft's%20own%20services%2C%20especially%20for%20basic%20use%20cases%20like%20these.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1620191%22%20slang%3D%22es-ES%22%3ERe%3A%20Secure%20your%20Calls-%20Monitoring%20Microsoft%20TEAMS%20CallRecords%20Activity%20Logs%20using%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1620191%22%20slang%3D%22es-ES%22%3E%3CP%3EGood%20afternoon%2C%20I%20am%20extracting%20the%20call%20or%20meeting%20logs%20with%20the%20subscription%20notifications%20from%20%2Fcommunications%2FcallRecords%2C%20when%20a%20meeting%20is%20recorded%20it%20is%20uploaded%20to%20MStream%2C%20the%20url%20of%20the%20recording%20can%20be%20obtained%20by%20this%20subscription%3F%20Or%20should%20I%20make%20other%20requests%20to%20Stream%3F%20I%20want%20to%20also%20have%20the%20URL%20of%20the%20saved%20call%20available.%20%3CBR%20%2F%3E%20Another%20question%20is%20the%20subscription%2C%20does%20it%20have%20to%20be%20updated%20or%20can%20it%20be%20made%20permanent%3F%3C%2FP%3E%3CP%3EThank%20you%20very%20much%20in%20advance!%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

This blog is authored and technically implemented by @Hesham Saad with hearty thanks to our collaborator and use-cases executive mind brain @yazanouf 

 

Before we dig deep on monitoring TEAMS CallRecords Activity Logs, please have a look at "Protecting your Teams with Azure Sentinel" blog post by @Pete Bryan on how to ingest TEAMS management logs into Azure Sentinel via the O365 Management Activity API

 

Collecting TEAMS CallRecords Activity Data 

In this section we go into detail on how to ingest TEAMS CallRecords activity logs into Azure Sentinel via the Microsoft Graph API, mainly leveraging the CallRecords API, a Graph webhook API that gives access to the Calls activity logs. The SOC team can subscribe to changes to CallRecords via Azure Sentinel using the Microsoft Graph webhook subscriptions capability, allowing them to build near-real-time reports from the data or to alert on specific scenarios, such as the use cases mentioned above.

 

Technically, you can use the call records APIs to subscribe to call records and to look up call records by ID. The call records API is defined in the OData sub-namespace microsoft.graph.callRecords.

 

So, what are the key resource types returned by the API?

| Resource | Methods | Description |
|---|---|---|
| CallRecord | Get callRecord | Represents a single peer-to-peer call or a group call between multiple participants |
| session | Get callRecord, List sessions | A peer-to-peer call contains a single session between the two participants in the call. Group calls contain one or more session entities. In a group call, each session is between the participant and a service endpoint. |
| segment | Get callRecord, List sessions | A segment represents a media link between two endpoints. |

 

The callRecord entity represents a single peer-to-peer call or a group call between multiple participants, sometimes referred to as an online meeting.  A peer-to-peer call contains a single session between the two participants in the call. Group calls contain one or more session entities. In a group call, each session is between the participant and a service endpoint. Each session contains one or more segment entities. A segment represents a media link between two endpoints. For most calls, only one segment will be present for each session, however sometimes there may be one or more intermediate endpoints. For more details click here

 

Below is the main architecture diagram including the components to deploy Teams CallRecords Activity Logs Connector:

TEAMSGraphDiagramArchitecture.PNG

Deployment steps:

Register an App 

Create and register an Azure AD app to handle the authentication and authorization needed to collect data from the Graph API. Navigate to the Azure Active Directory blade of your Azure portal and follow the steps below:

  1. Click 'App Registrations'.
  2. Select 'New Registration'.
  3. Give it a name and click 'Register'.
  4. Click the 'API Permissions' blade.
  5. Click 'Add a Permission'.
  6. Click 'Microsoft Graph'.
  7. Click 'Application Permissions'.
  8. Search for 'CallRecords' and check CallRecords.Read.All. Also search for 'Directory' and check Directory.ReadWrite.All, then click 'Add permissions'.
  9. Click 'Grant admin consent'.
  10. Click 'Certificates and Secrets'.
  11. Click 'New Client Secret'.
  12. Enter a description, select 'Never'. Click 'Add'.
  13. Note: click copy next to the new secret and store it somewhere temporarily. You cannot come back to get the secret once you leave the blade.
  14. Copy the client ID from the application properties and store it.
  15. Copy the tenant ID from the main Azure Active Directory blade and store it.

Teams1.png

 

Teams2.png

 

Teams3.png

 

Teams4.png

Deploy a Logic App 

The last step is to collect the CallRecords activity data and ingest it into Azure Sentinel via a Logic App.

Navigate to the Azure Sentinel workspace, click the Playbooks blade and follow the steps below:

  1. Click 'Add Playbook'
  2. Select 'Resource Group', type a name for your logic app, for example 'TeamsCalls-SecurityGraphAPI', and toggle on 'Log Analytics'
  3. Click 'Review + Create' then 'Create'
  4. Open your new logic app 'TeamsCalls-SecurityGraphAPI'
  5. Under 'Logic app designer', add the following steps:
    1. Add a 'Recurrence' step and set the value to 10 minutes, for example
    2. Add an 'HTTP' step to create the CallRecords subscription. Creating a subscription subscribes a listener application to receive change notifications when the requested type of change occurs to the specified resource in Microsoft Graph; for more details see Create Subscriptions via Microsoft Graph API
      1. Method: POST
      2. URI: https://graph.microsoft.com/beta/subscriptions
      3. Body: note that you can edit the 'changeType' value, for example to 'created,updated'; 'notificationUrl' is the subscription notification endpoint (for more details see notificationUrl)
          {
            "changeType": "created",
            "clientState": "secretClientValue",
            "expirationDateTime": "2022-11-20T18:23:45.9356913Z",
            "latestSupportedTlsVersion": "v1_2",
            "notificationUrl": "https://outlook.office.com/webhook/3ec886e9-86ef-4c86-bfff-2d0321f3313e@2006d214-5f91-4166-8d92-95f5e3ad9ec6/IncomingWebhook/9c6e121ed--x-x-x-x99939f71721fcbcc7/03c99422-50b0-x-x-x-ea-a00e-2b0b-x-x-x-12d5",
            "resource": "/communications/callRecords"
          }
      4. Authentication Type: Active Directory OAuth
      5. Tenant: with Tenant ID copied above
      6. Audience: https://graph.microsoft.com
      7. Client ID: with Client ID copied above
      8. Credential Type: Secret
      9. Secret: with Secret value copied above
    3. Add an 'HTTP' step to list all subscriptions:
      1. Method: GET
      2. URI: https://graph.microsoft.com/v1.0/subscriptions
      3. Authentication Type: Active Directory OAuth
      4. Tenant: with Tenant ID copied above
      5. Audience: https://graph.microsoft.com
      6. Client ID: with Client ID copied above
      7. Credential Type: Secret
      8. Secret: with Secret value copied above
    4. If you want to get all sessions details per specific call record session ID, add an 'HTTP' step as below. Note that the example below is for a single CallRecord Session ID for the sake of demonstration, hence the added variable item; you can simply add a loop step to get all sessions IDs from the created CallRecords subscription step:
      1. Method: GET
      2. URI: https://graph.microsoft.com/beta/communications/callRecords/@{variables('TEAMSCallRecordsID')}/sessi...
      3. Authentication Type: Active Directory OAuth
      4. Tenant: with Tenant ID copied above
      5. Audience: https://graph.microsoft.com
      6. Client ID: with Client ID copied above
      7. Credential Type: Secret
      8. Secret: with Secret value copied above
    5. Add the 'Send TEAMS CallRecords Data to Azure Sentinel LA-Workspace' step, after connecting successfully with your Azure Sentinel Workspace ID & Primary key:
      1. JSON Request Body: Body
      2. Custom Log Name: TEAMSGraphCallRecords
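
The subscription body above sets a 'clientState' and a 'notificationUrl'; the receiving side has to answer Graph's validation handshake and should reject notifications that do not carry that 'clientState'. The following is an added example, not part of the original post or the playbook in the repo. It assumes a receiver you control; the function name, constants and sample payload are hypothetical.

```python
import hmac
import json
import re

# Assumption: same value that was sent as "clientState" in the subscription body.
EXPECTED_CLIENT_STATE = "secretClientValue"
PREFIX = "communications/callRecords/"
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def handle_graph_request(query, body):
    """Process one POST to notificationUrl.

    query: dict of query-string parameters; body: raw request body text.
    Returns (http_status, response_text, verified_call_record_ids).
    """
    # Handshake on subscription creation: echo validationToken as text/plain, 200.
    if "validationToken" in query:
        return 200, query["validationToken"], []
    try:
        items = json.loads(body)["value"]
    except (ValueError, KeyError, TypeError):
        return 400, "malformed notification", []
    if not isinstance(items, list):
        return 400, "malformed notification", []
    ids = []
    for n in items:
        if not isinstance(n, dict):
            continue
        # Drop anything that does not carry our clientState (constant-time compare).
        state = str(n.get("clientState", "")).encode()
        if not hmac.compare_digest(state, EXPECTED_CLIENT_STATE.encode()):
            continue
        resource = str(n.get("resource", "")).lstrip("/")
        record_id = resource[len(PREFIX):] if resource.startswith(PREFIX) else ""
        # Only well-formed GUIDs may later be placed into a Graph request URI.
        if n.get("changeType") == "created" and GUID.fullmatch(record_id):
            ids.append(record_id)
    # 202 acknowledges receipt; unverified items are simply not processed.
    return 202, "", ids


# Constructed sample notification (not captured from a real tenant).
SAMPLE = json.dumps({"value": [
    {"changeType": "created", "clientState": "secretClientValue",
     "resource": "communications/callRecords/11111111-2222-3333-4444-555555555555"},
    {"changeType": "created", "clientState": "wrong",
     "resource": "communications/callRecords/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},
    {"changeType": "created", "clientState": "secretClientValue",
     "resource": "communications/callRecords/../subscriptions"},
]})
```

Only the first sample item passes both checks; the IDs returned are the ones that would feed the sessions lookup step.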

Play1.PNG

 

play2.png

 

Play3.png

 

The complete Playbook code view has been uploaded to the GitHub repo as well; please click here for more details and check out the readme section.

 

Monitoring TEAMS CallRecords Activity

When the Playbook runs successfully, it creates a new custom log table 'TEAMSGraphCallRecords_CL' that holds the CallRecords activity logs. You might need to wait a few minutes until the new CL table has been created and the CallRecords activity logs have been ingested.

 

Navigate to the Azure Sentinel workspace, click the Logs blade and follow the steps below:

  1. Tables > Group by: Solution > Custom Logs: TEAMSGraphCallRecords_CL
  2. Below is the list of main attributes that have been ingested:
    1. TimeGenerated
    2. Type_s: groupCall
    3. modalities_s: Audio, Video, ScreenSharing, VideoBasedScreenSharing
    4. LastModifiedDateTime
    5. StartDateTime, endDateTime
    6. joinWebUrl_s
    7. organizer_user_displayname_s
    8. participants_s
    9. sessions_odata_context_s
  3. As you can see from the results below we get the complete TEAMS CallRecords activity logs.

Tab1.PNG

 

Parsing the Data 

Before building any detections or hunting queries on the ingested TEAMS CallRecords Activity data we can parse and normalize the data via a KQL Function to make it easier to use:

 

tab2.PNG

 

The parsing function has been uploaded to the GitHub repo as well.

 

Part (2): we will share a couple of hunting queries and upload them to GitHub. It is worth exploring the Microsoft Graph API, as there are other TEAMS-related API logs that can be ingested based on your requirements and use cases:

  • TeamsActivity: 
    • Read all users' teamwork activity feed
  • TeamsAppInstallation:
    • Read installed Teams apps for all chats
    • Read installed Teams apps for all teams
    • Read installed Teams apps for all users
  • TeamsApp
    • Read all users' installed Teams apps

...etc

 

teamsfinalgraph.PNG

 

 

We will continue to develop detections and hunting queries for Microsoft 365 solutions data over time, so make sure you keep an eye on GitHub. As always, if you have your own ideas for queries or detections, please feel free to contribute to the Azure Sentinel community.

6 Comments
Contributor

What about individual meeting records?

 

These aren't even exposed in a GUI report. Big limitation.

Occasional Contributor

Reliability and scalability concerns aside (running a blanket query every 10 minutes) I am not liking this trend. Exchange mail flow and Teams call records should have first party integration. Customers do not want to pay for sentinel only to have to use additional Azure services (which also cost btw) to complete the product. This is causing organizations to look elsewhere for solutions…

Microsoft

Thanks @Mike Crowley , we will share the feedback with Product group team on a ready / customized connectors, please keep them coming, quick point to mention that you can get all activities and logs details for Exchange and Teams via Office 365 Security & Compliance dashboard (http://protection.office.com) & TEAMS admin dashboard https://admin.teams.microsoft.com/dashboard without any ingestion flow - cost if the solutions licenses are already in place, the blog post here is a way for SOC people to export to their SIEM.

Microsoft

Thanks @Phillip Lyle , you can get all Call records / sessions exposed attributes via Graph API here : https://docs.microsoft.com/en-us/graph/api/resources/callrecords-callrecord?view=graph-rest-1.0

New Contributor

Thanks, yes I'm talking about 1st party connectors, thanks. In this thread, @Ofer_Shezaf states that message tracking is on the roadmap, but his comment was from last year. The same request/concerns would apply to Teams and other Microsoft products. Customers should not have to engineer or pay for connectivity between Microsoft's own services, especially for basic use cases like these.

Senior Member

Good afternoon, I am extracting the call or meeting logs with the subscription notifications from /communications/callRecords, when a meeting is recorded it is uploaded to MStream, the url of the recording can be obtained by this subscription? Or should I make other requests to Stream? I want to also have the URL of the saved call available.
Another question is the subscription, does it have to be updated or can it be made permanent?

Thank you very much in advance!