%3CLINGO-SUB%20id%3D%22lingo-sub-1642817%22%20slang%3D%22en-US%22%3EMicrosoft%20Teams%20logs%20in%20Azure%20Sentinel%20(public%20preview)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1642817%22%20slang%3D%22en-US%22%3E%3CP%3ESecurity%20is%20in%20everything%20and%20with%20Azure%20Sentinel%2C%20you%20can%20consolidate%20different%20sources%20of%20security%20signals%20into%20a%20single%20%22glass%20of%20pain.%22%20Azure%20Sentinel%20is%20pleased%20to%20announce%20the%20Microsoft%20Teams%20connector%20is%20now%20in%20Public%20Preview%2C%20so%20lets%20take%20a%20look.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhether%20you%20have%20on-premises%20servers%20and%20also%20use%20software-as-a-service%20platforms%20(like%20Microsoft%20365)%2C%20or%20you're%20a%20fully%20cloud%20workplace%2C%20or%20you're%20somewhere%20in%20between%2C%20there%20are%20so%20many%20different%20things%20to%20monitor%20which%20could%20be%20a%20sign%20of%20a%20security%20breach.%20Many%20people%20start%20out%20with%20Azure%20Sentinel%20(Microsoft's%20cloud-based%20Security%20Information%20and%20Events%20Management%20system)%20to%20monitor%20virtual%20machines%2C%20on-premises%20infrastructure%20or%20their%20own%20custom%20built%20applications.%20But%20the%20product%20is%20worth%20taking%20a%20look%20at%20by%20Microsoft%20365%20administrators%2C%20for%20the%20Office%20365%20connector%20which%20now%20supports%20logs%20from%20Microsoft%20Teams%20(in%20public%20preview).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EWhat%20events%20can%20I%20see%20from%20Microsoft%20Teams%2C%20in%20Azure%20Sentinel%3F%3C%2FSTRONG%3E%3CBR%20%2F%3EAzure%20Sentinel%20connects%20to%20the%20Microsoft%20365%20audit%20log.%20There%20are%20currently%2027%20different%20user%20and%20admin%20activities%20that%20are%20logged%20for%20Microsoft%20Teams%2C%20including%3A%3CBR%20%2F%3E-%20Added%2Fremoved%20bot%20to%20a%20team%3CBR%20%2F%3E-%20Added%2Fdeleted%20channel%3CBR%20%2F%3E-%20Added%2Fremoved%20connector%3CBR%20%2F%3E-%20Changed%20channel%2Forganization%2Fteam%20setting%3CBR%20%2F%3E-%20Added%2Fremoved%20members%3CBR%20%2F%3E-%20Installed%2Funinstalled%20app%3CBR%20%2F%3E-%20User%20signed%20in%20to%20Teams%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20details%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoftteams%2Faudit-log-events%23teams-activities%3FWT.mc_id%3Dmodinfra-8876-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ETeams%20activities.%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20data-unlink%3D%22true%22%3EThere%20are%20also%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoftteams%2Faudit-log-events%23shifts-in-teams-activities%3FWT.mc_id%3Dmodinfra-8876-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eadditional%20activities%20logged%20if%20you%20use%20the%20Shifts%20app%20in%20Teams%3C%2FA%3E%20and%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fsearch-the-audit-log-in-security-and-compliance%3FredirectSourcePath%3D%25252fen-US%25252farticle%25252fSearch-the-audit-log-in-the-Office-365-Protection-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c%26amp%3Bview%3Do365-worldwide%23microsoft-teams-shifts-activities%3FWT.mc_id%3Dmodinfra-8876-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMicrosoft%20Teams%20Healthcare%20activities%20in%20the%20Patients%20application.%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EWhat%20are%20the%20pre-requisites%3F%3C%2FSTRONG%3E%3CBR%20%2F%3EFirst%2C%20remember%20that%20as%20a%20public%20preview%20feature%2C%20this%20is%20provided%20without%20a%20service%20level%20agreement.%20Don't%20build%20a%20mission-critical%20security%20strategy%20for%20your%20production%20workloads%20that%20are%20reliant%20on%20this%20capability%2C%20but%20if%20you%20do%20try%20it%20out%2C%20we%20welcome%20your%20feedback.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWith%20that%20said%2C%20you%20need%3A%3CBR%20%2F%3E-%20To%20have%20read%20and%20write%20permissions%20on%20your%20Azure%20Sentinel%20workspace%20(or%20create%20a%20new%20one%20with%20these%20permissions)%3CBR%20%2F%3E-%20To%20be%20a%20global%20administrator%20or%20security%20administrator%20on%20your%20tenant%3CBR%20%2F%3E-%20And%20your%20Office%20365%20deployment%20must%20be%20on%20the%20same%20tenant%20as%20your%20Azure%20Sentinel%20workspace%3CBR%20%2F%3E-%20Plus%2C%20unified%20audit%20logging%20must%20be%20enabled%20on%20your%20Microsoft%20365%20deployment.%20To%20check%20or%20enable%20that%2C%20visit%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fturn-audit-log-search-on-or-off%3Fview%3Do365-worldwide%3FWT.mc_id%3Dmodinfra-8876-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ETurn%20audit%20log%20search%20on%20or%20off.%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EHow%20do%20I%20connect%20Microsoft%20Teams%20to%20Azure%20Sentinel%3F%3C%2FSTRONG%3E%3CBR%20%2F%3ESarah%20Young%20(Senior%20Program%20Manager%2C%20Azure%20Security)%20has%20a%20blog%20on%20how%20to%20add%20the%20Office%20365%20data%20connector%20to%20Sentinel%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fwhat-s-new-microsoft-teams-connector-in-public-preview%2Fba-p%2F1640003%3FWT.mc_id%3Dmodinfra-8876-socuff%22%20target%3D%22_self%22%3EWhat's%20new%3A%20Microsoft%20Teams%20connector%20in%20Public%20Preview%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20essence%2C%20you%20create%20a%20log%20analytics%20workspace%20and%20add%20it%20to%20Azure%20Sentinel%20(or%20create%20a%20new%20log%20analytics%20workspace)%2C%20then%20you'll%20find%20Office%20365%20under%20the%20list%20of%20Data%20connectors%20you%20can%20add.%20This%20data%20connector%20also%20allows%20you%20to%20connect%20activity%20logs%20for%20Exchange%20and%20SharePoint%2C%20but%20you%20can%20toggle%20those%20off%20independently.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Teams%20Sentinel%20O365%20connector.png%22%20style%3D%22width%3A%20998px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F216932i0D96C74B67C37D83%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Teams%20Sentinel%20O365%20connector.png%22%20alt%3D%22Teams%20Sentinel%20O365%20connector.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EOnce%20my%20logs%20are%20connected%2C%20then%20what%20can%20I%20do%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3ESearching%20logs%20is%20one%20thing%2C%20and%20that's%20useful%20if%20you%20want%20to%20investigate%20a%20scenario%20(like%20a%20Teams%20channel%20disappeared%20-%20who%20deleted%20it%3F).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22TeamsRecords-Sentinel.png%22%20style%3D%22width%3A%20846px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F216933i3F5E9A21E26FC5B6%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22TeamsRecords-Sentinel.png%22%20alt%3D%22TeamsRecords-Sentinel.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Teams-ChannelDeleted-LA.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F216934i64148E40E684B1CB%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Teams-ChannelDeleted-LA.png%22%20alt%3D%22Teams-ChannelDeleted-LA.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBut%20now%20you%20can%20also%20add%20Microsoft%20teams%20activities%20into%20Azure%20Sentinel%20workbooks%2C%20to%20build%20your%20own%20simple%20data%20presentation%20or%20complex%20graphing%20%26amp%3B%20investigative%20maps.%20Check%20out%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fazure-sentinel-workbooks-101-with-sample-workbook%2Fba-p%2F1409216%3FWT.mc_id%3Dmodinfra-8876-socuff%22%20target%3D%22_self%22%3EMatt%20Lowe's%20article%20on%20Azure%20Sentinel%20Workbooks%20101%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20leverage%20the%20power%20of%20Azure%20Sentinel's%20powerful%20hunting%20search%20and%20query%20tools%2C%20and%20bookmark%20findings%20that%20look%20unusual%20or%20suspicious.%20Learn%20more%20at%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fhunting%3FWT.mc_id%3Dmodinfra-8876-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EHunt%20for%20threats%20with%20Azure%20Sentinel.%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EContribute%20your%20feedback%3C%2FSTRONG%3E%3CBR%20%2F%3EThe%20Azure%20Sentinel%20product%20group%20has%20a%20community%20page%20on%20Github%2C%20which%20also%20has%20great%20links%20on%20resources%20to%20get%20you%20started%20with%20the%20different%20features%20of%20Azure%20Sentinel.%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Fwiki%23resources%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EVisit%20the%20resources%20section%3C%2FA%3E%20to%20learn%20how%20you%20can%20contribute%20your%20feedback%20about%20the%20Microsoft%20Teams%20component%20of%20the%20Office%20365%20data%20connector%2C%20and%20Azure%20Sentinel%20in%20general.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhether%20you're%20a%20security%20professional%20looking%20to%20expand%20the%20scope%20of%20what%20you%20are%20monitoring%20across%20your%20organization%2C%20or%20you%20are%20a%20Microsoft%20365%20administrator%20with%20no%20Azure%20Sentinel%20experience%2C%20this%20new%20capability%20further%20ties%20Microsoft's%20products%20together%20to%20help%20make%20your%20job%20easier.%20Will%20you%20try%20this%20out%3F%20Let%20us%20know%20in%20the%20comments!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3E-SCuffy%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1642817%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22TeamsRecords-Sentinel.png%22%20style%3D%22width%3A%20846px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F216931i0E6B21694B4BE62E%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22TeamsRecords-Sentinel.png%22%20alt%3D%22TeamsRecords-Sentinel.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200in%3B%20font-family%3A%20Calibri%3B%20font-size%3A%2011.0pt%3B%22%3EAzure%20Sentinel%20now%20has%20a%20Microsoft%20Teams%20connector%20in%20Public%20Preview%2C%20so%20lets%20take%20a%20look.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1642817%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESonia%20Cuff%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1660433%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20Teams%20logs%20in%20Azure%20Sentinel%20(public%20preview)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1660433%22%20slang%3D%22en-US%22%3E%3CP%3ESonia%2C%20that's%20the%20best%20opening%20in%20a%20blog%20post%20I've%20seen%20in%20a%20LOOONG%20time%20-%20%22single%20glass%20of%20pain%22%20instead%20of%20pane%20of%20glass%20-%20that's%20so%20on%20point%20for%20a%20security%20product%20that%20can%20give%20you%20a%20lot%20of%20alerts%20to%20deal%20with.%20I%20love%20it%20when%20people%20turn%20phrases%20like%20this.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1662381%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20Teams%20logs%20in%20Azure%20Sentinel%20(public%20preview)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1662381%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F10453%22%20target%3D%22_blank%22%3E%40Paul%20Schnackenburg%3C%2FA%3E%26nbsp%3B%20Glad%20you%20liked%20it!%20It's%20my%20favourite%20phrase%20for%20dashboards%20in%20general.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Security is in everything and with Azure Sentinel, you can consolidate different sources of security signals into a single "glass of pain." Azure Sentinel is pleased to announce the Microsoft Teams connector is now in Public Preview, so lets take a look.

 

Whether you have on-premises servers and also use software-as-a-service platforms (like Microsoft 365), or you're a fully cloud workplace, or you're somewhere in between, there are so many different things to monitor which could be a sign of a security breach. Many people start out with Azure Sentinel (Microsoft's cloud-based Security Information and Events Management system) to monitor virtual machines, on-premises infrastructure or their own custom built applications. But the product is worth taking a look at by Microsoft 365 administrators, for the Office 365 connector which now supports logs from Microsoft Teams (in public preview).

 

What events can I see from Microsoft Teams, in Azure Sentinel?
Azure Sentinel connects to the Microsoft 365 audit log. There are currently 27 different user and admin activities that are logged for Microsoft Teams, including:
- Added/removed bot to a team
- Added/deleted channel
- Added/removed connector
- Changed channel/organization/team setting
- Added/removed members
- Installed/uninstalled app
- User signed in to Teams

 

For details, see Teams activities.

 

There are also additional activities logged if you use the Shifts app in Teams and Microsoft Teams Healthcare activities in the Patients application.

 

What are the pre-requisites?
First, remember that as a public preview feature, this is provided without a service level agreement. Don't build a mission-critical security strategy for your production workloads that are reliant on this capability, but if you do try it out, we welcome your feedback.

 

With that said, you need:
- To have read and write permissions on your Azure Sentinel workspace (or create a new one with these permissions)
- To be a global administrator or security administrator on your tenant
- And your Office 365 deployment must be on the same tenant as your Azure Sentinel workspace
- Plus, unified audit logging must be enabled on your Microsoft 365 deployment. To check or enable that, visit Turn audit log search on or off.

 

How do I connect Microsoft Teams to Azure Sentinel?
Sarah Young (Senior Program Manager, Azure Security) has a blog on how to add the Office 365 data connector to Sentinel here: What's new: Microsoft Teams connector in Public Preview 

 

In essence, you create a log analytics workspace and add it to Azure Sentinel (or create a new log analytics workspace), then you'll find Office 365 under the list of Data connectors you can add. This data connector also allows you to connect activity logs for Exchange and SharePoint, but you can toggle those off independently.

 

Teams Sentinel O365 connector.png

 

Once my logs are connected, then what can I do?

Searching logs is one thing, and that's useful if you want to investigate a scenario (like a Teams channel disappeared - who deleted it?).

 

TeamsRecords-Sentinel.png

 

Teams-ChannelDeleted-LA.png

 

But now you can also add Microsoft teams activities into Azure Sentinel workbooks, to build your own simple data presentation or complex graphing & investigative maps. Check out Matt Lowe's article on Azure Sentinel Workbooks 101

 

You can also leverage the power of Azure Sentinel's powerful hunting search and query tools, and bookmark findings that look unusual or suspicious. Learn more at Hunt for threats with Azure Sentinel. 

 

Contribute your feedback
The Azure Sentinel product group has a community page on Github, which also has great links on resources to get you started with the different features of Azure Sentinel. Visit the resources section to learn how you can contribute your feedback about the Microsoft Teams component of the Office 365 data connector, and Azure Sentinel in general.

 

Whether you're a security professional looking to expand the scope of what you are monitoring across your organization, or you are a Microsoft 365 administrator with no Azure Sentinel experience, this new capability further ties Microsoft's products together to help make your job easier. Will you try this out? Let us know in the comments!

 

-SCuffy

 

4 Comments
Senior Member

Sonia, that's the best opening in a blog post I've seen in a LOOONG time - "single glass of pain" instead of pane of glass - that's so on point for a security product that can give you a lot of alerts to deal with. I love it when people turn phrases like this. 

Microsoft

@Paul Schnackenburg  Glad you liked it! It's my favourite phrase for dashboards in general.

Senior Member

I started a workbook here as well and just updated it for the Preview!

Azure-Sentinel/MicrosoftTeams.json at master · richlilly2004/Azure-Sentinel (github.com)

Microsoft

That's great @richlilly  thanks for sharing!!