Microsoft Teams logs in Azure Sentinel (public preview)
Published Sep 08 2020 03:00 AM

Security is in everything, and with Azure Sentinel you can consolidate different sources of security signals into a single "glass of pain." Azure Sentinel is pleased to announce that the Microsoft Teams connector is now in Public Preview, so let's take a look.


Whether you have on-premises servers and also use software-as-a-service platforms (like Microsoft 365), or you're a fully cloud workplace, or you're somewhere in between, there are many different things to monitor that could be a sign of a security breach. Many people start out with Azure Sentinel (Microsoft's cloud-based Security Information and Event Management system) to monitor virtual machines, on-premises infrastructure or their own custom-built applications. But the product is also worth a look by Microsoft 365 administrators, because the Office 365 connector now supports logs from Microsoft Teams (in public preview).


What events can I see from Microsoft Teams, in Azure Sentinel?
Azure Sentinel connects to the Microsoft 365 audit log. There are currently 27 different user and admin activities that are logged for Microsoft Teams, including:
- Added/removed bot to a team
- Added/deleted channel
- Added/removed connector
- Changed channel/organization/team setting
- Added/removed members
- Installed/uninstalled app
- User signed in to Teams


For details, see Teams activities.


There are also additional activities logged if you use the Shifts app in Teams and Microsoft Teams Healthcare activities in the Patients application.


What are the pre-requisites?
First, remember that as a public preview feature, this is provided without a service level agreement. Don't build a mission-critical security strategy for your production workloads that are reliant on this capability, but if you do try it out, we welcome your feedback.


With that said, you need:
- To have read and write permissions on your Azure Sentinel workspace (or create a new one with these permissions)
- To be a global administrator or security administrator on your tenant
- And your Office 365 deployment must be on the same tenant as your Azure Sentinel workspace
- Plus, unified audit logging must be enabled on your Microsoft 365 deployment. To check or enable that, visit Turn audit log search on or off.


How do I connect Microsoft Teams to Azure Sentinel?
Sarah Young (Senior Program Manager, Azure Security) has a blog on how to add the Office 365 data connector to Sentinel here: What's new: Microsoft Teams connector in Public Preview 


In essence, you create a Log Analytics workspace (or pick an existing one), add it to Azure Sentinel, and then find Office 365 in the list of data connectors you can add. The same connector also ingests the Exchange and SharePoint activity logs, and each of those can be toggled on or off independently of Teams.


[Image: Teams Sentinel O365 connector.png]


Once my logs are connected, then what can I do?

Searching logs is one thing, and that's useful if you want to investigate a scenario (like when a Teams channel disappears: who deleted it?).
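Here is what that investigation looks like as a KQL query in the Azure Sentinel Logs blade. This is an added example, not a query from the original post. It assumes the Office 365 connector is writing Teams audit events to the OfficeActivity table with OfficeWorkload set to "MicrosoftTeams", that the TeamName, ChannelName and ClientIP columns are populated for channel events (as in the documented OfficeActivity schema), and that the channel name "Project Falcon" is a constructed placeholder you replace with the one that went missing. It finds the deletion, then pulls everything the same account did in Teams within an hour on either side, so you can see whether the deletion was an isolated admin action or part of a wider pattern.

```kusto
// Added example: who deleted a Teams channel, and what else did that account do around the same time?
// Assumptions: OfficeActivity holds Teams audit events (OfficeWorkload == "MicrosoftTeams");
// "Project Falcon" is a constructed channel name; a team deletion also removes its channels,
// so TeamDeleted events are included regardless of channel name.
let lookback = 30d;
let missingChannel = "Project Falcon";
let deletions =
    OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload == "MicrosoftTeams"
    | where Operation in ("ChannelDeleted", "TeamDeleted")
    | where ChannelName =~ missingChannel or Operation == "TeamDeleted"
    | project DeletedAt = TimeGenerated, Operation, UserId, TeamName, ChannelName, ClientIP;
deletions
| join kind=inner (
    // All Teams activity by any account, to be narrowed to the deleting account below
    OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload == "MicrosoftTeams"
    | project TimeGenerated, RelatedOperation = Operation, UserId,
              RelatedTeam = TeamName, RelatedChannel = ChannelName
) on UserId
// Keep only the deleting account's activity within +/- 1 hour of the deletion
| where TimeGenerated between ((DeletedAt - 1h) .. (DeletedAt + 1h))
| summarize RelatedActivity = make_list(bag_pack("at", TimeGenerated,
                                                "op", RelatedOperation,
                                                "team", RelatedTeam,
                                                "channel", RelatedChannel))
    by DeletedAt, Operation, UserId, TeamName, ChannelName, ClientIP
| sort by DeletedAt desc
```

If the query returns nothing for a channel you know was deleted, check the lookback window first (Office 365 audit events can take some time to arrive in the workspace after the action) and confirm the connector's Teams toggle was on at the time of the deletion; events from before the connector was enabled are not backfilled.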






But now you can also add Microsoft Teams activities to Azure Sentinel workbooks, to build your own simple data presentation or complex graphing and investigative maps. Check out Matt Lowe's article on Azure Sentinel Workbooks 101.


You can also use Azure Sentinel's hunting queries to search for suspicious Teams activity proactively, and bookmark findings that look unusual or suspicious. Learn more at Hunt for threats with Azure Sentinel.
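As an added example of a hunting query (again not from the original post), the query below looks for accounts that perform a burst of destructive or privilege-changing Teams operations within a single hour, the kind of pattern you would expect from a compromised admin account or a disgruntled team owner rather than from day-to-day use. The operation names are the Teams audit-log activity names the Office 365 connector surfaces in OfficeActivity; confirm them against your own data, since the list of audited activities can change. The five-operations-per-hour threshold is an assumption to tune for your tenant.

```kusto
// Added hunting example: accounts with a burst of risky Teams operations in one hour.
// Assumptions: Teams events live in OfficeActivity with OfficeWorkload == "MicrosoftTeams";
// the threshold of 5 is a starting point, not a tested baseline.
let lookback = 7d;
let threshold = 5;
let riskyOps = dynamic([
    "ChannelDeleted", "TeamDeleted",           // destructive
    "MemberRemoved", "MemberRoleChanged",      // membership and privilege changes
    "BotAddedToTeam", "ConnectorAdded", "AppInstalled",  // new code paths into the team
    "TeamSettingChanged"                       // e.g. loosening guest or app policies
]);
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "MicrosoftTeams"
| where Operation in (riskyOps)
| summarize OpCount = count(),
            DistinctOps = dcount(Operation),
            Ops = make_set(Operation),
            Teams = make_set(TeamName),
            SourceIPs = make_set(ClientIP),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserId, Hour = bin(TimeGenerated, 1h)
| where OpCount >= threshold
| sort by OpCount desc
```

Rows where a single account touches several teams from more than one source IP in the same hour are the ones to bookmark first. Once a row looks interesting, the channel-deletion query shown earlier, scoped to that UserId, gives you the minute-by-minute detail.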


Contribute your feedback
The Azure Sentinel product group has a community page on GitHub, which also has great links to resources to get you started with the different features of Azure Sentinel. Visit the resources section to learn how you can contribute your feedback about the Microsoft Teams component of the Office 365 data connector, and about Azure Sentinel in general.


Whether you're a security professional looking to expand the scope of what you are monitoring across your organization, or you are a Microsoft 365 administrator with no Azure Sentinel experience, this new capability further ties Microsoft's products together to help make your job easier. Will you try this out? Let us know in the comments!




Version history
Last update:
‎Sep 08 2020 09:12 AM