Protecting your Teams with Azure Sentinel

Published Mar 30 2020 02:22 PM
Microsoft

Azure Sentinel now has an integrated Office 365 connector (https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365). This is the recommended route for collecting these logs and supersedes the collection methods described below.



Updated versions of the queries in the blog that work with data collected via the official connector have been shared via the Azure Sentinel GitHub.

Recent events have forced many organizations (including Microsoft) to move to a work from home model for their users. In order to ensure their users remain connected and productive they are turning to productivity tools such as Microsoft Teams. We have seen an unprecedented spike in Teams usage, and now have more than 44 million daily users, a figure that has grown by 12 million in just the last seven days. And those users have generated over 900 million meeting and calling minutes on Teams each day this week. My own team has significantly increased our usage of Teams over the last few weeks with more virtual meetings, corridor conversations becoming text chats, and virtual social times organized during lunch breaks.

 

Moving to, or increasing usage of, Teams means that the service should be more of a focus for defenders than ever due to its critical role in communications and data sharing. There are multiple features to help you secure your Teams usage, but in this blog we are going to focus on how we can collect Teams activity logs with Azure Sentinel, and how a SOC team can start hunting in that Teams data to protect their organization and users.

 

Collecting Teams Data 

This section explains how to ingest Teams logs into Azure Sentinel via the O365 Management Activity API. Due to the flexibility of Azure there are multiple paths to a solution, of which this blog outlines two.

 

The first option leverages an Azure Logic App and is suitable when the requirement is to quickly ingest logs into Sentinel with a couple of clicks; it is best suited to smaller or test environments. The second option uses an Azure Function App, which is more cost efficient at large volumes and includes a number of additional features such as extended log storage. This should be considered the primary option for enterprise-scale deployment.

 

Enabling Audit Logs 

Teams activity data is exposed in the Office 365 Audit log under the Audit.General subscription, and this source is used by both collection methods. By default, Audit logs are not collected for Office 365 tenants; however, they contain valuable data on all sorts of Office 365 activity, and I would strongly advise enabling Audit logging whether you are using Teams or not. Details on how to enable the Office 365 audit log can be found here.

 

Once audit logging is enabled you can proceed to deploy your chosen connection method.

Option 1:

This option leverages the components below and provides a quick and easy way to deploy the connector.

 

Option 1 architecture diagram


Deployment steps:

Register an App 

In order to handle the authentication and authorization to collect data from the API we are going to register an Azure AD app and authorize it to access the API. To do this navigate to the Azure Active Directory blade of your Azure portal and follow the steps below: 

  1. Click on App Registrations.
  2. Select 'New Registration'.
  3. Give it a name and click Register.
  4. Click the API Permissions blade.
  5. Click Add a Permission.
  6. Click Office 365 Management APIs.
  7. Click 'Application Permissions'.
  8. Check ActivityFeed.Read. Click Add permissions.
  9. Click 'Grant admin consent'.
  10. Click 'Certificates and Secrets'.
  11. Click New Client Secret.
  12. Enter a description, select never. Click Add.
  13. IMPORTANT: Click copy next to the new secret and store it somewhere temporarily. You cannot come back to get the secret once you leave the blade.
  14. Copy the client Id from the application properties and store it somewhere.
  15. Copy the tenant Id from the main Azure Active Directory blade and store it.

Video showing App Registration process

 

If you get stuck with any of the above steps there are more details available on how to register your app available here.

 

Registering the API subscription 

To collect this audit data via the Office 365 Management Activity API we need to register it as a subscription. This can be done via PowerShell. The first step will be to complete the commands below with data from your subscription and the Azure AD app we just registered in the previous step.

# Populate with App ID and Secret from your Azure AD app registration
$ClientID = "<app_id>"
$ClientSecret = "<client_secret>"
$loginURL = "https://login.microsoftonline.com"
$tenantdomain = "<domain>.onmicrosoft.com"
# Get the tenant GUID from Properties | Directory ID under the Azure Active Directory section
$TenantGUID = "<Tenant GUID>"
$resource = "https://manage.office.com"
# Request an app-only access token for the Management API using the client credentials grant
$body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri "$loginURL/$tenantdomain/oauth2/token?api-version=1.0" -Body $body
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
# Start a subscription for the Audit.General content type; PublisherIdentifier is any GUID that identifies the caller
$publisher = New-Guid
Invoke-WebRequest -Method Post -Headers $headerParams -UseBasicParsing -Uri "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.General&PublisherIdentifier=$publisher"

If you are having copy and paste issues with these commands you can find them on GitHub as well.

 

Once this is done you can run the commands in PowerShell. If you get an error message stating the Tenant doesn’t exist this means your provisioning of audit logging has not yet been completed. This can take several hours so take a break, do something relaxing, and check back later. If you continue to have issues additional troubleshooting guidance can be found here.

 

Deploy a Logic App

The final piece to collect the data and ingest it into our Azure Sentinel workspace is a Logic App (referred to as Playbooks in Azure Sentinel). For more background on using Logic Apps to collect from a data source, check out this comprehensive blog from @Ofer_Shezaf.

 

Our Logic App will run on a set interval, query the Office 365 API for audit data, and then write that data into our Azure Sentinel workspace.  Below you can see the components that will go into the Logic App and instructions on how to deploy the Logic App via an ARM template. 

Visual view of Logic Apps flow.

To make this simple we have created this template for you to use. Thanks to @Nicholas DiCola (SECURITY JEDI) for making this into an ARM template to make deployment quick and easy via the Deploy to Azure button on GitHub. When deploying make sure that you populate the settings with details from your Azure Sentinel Workspace and the Azure AD app we configured. Additional details on how to deploy and configure these templates can be found here.

 

You should note that if you run this Logic App and there is no data available for the last 5 minutes it will fail, so if you test this and get a failure at the first HTTP step, check your audit log to see if there are any events that occurred within the last 5 minutes. This app collects all Audit.General events, so the events don't need to be Teams-specific.

This Logic App provides a quick and simple way to start ingesting logs via the Office 365 Management Activity API. However, it may be more efficient and cost effective to use an Azure Function to achieve the same thing. @Nicholas DiCola (SECURITY JEDI) has already produced an Azure Function to do this; details on the Function and how to use it can be found on GitHub.

 

Option 2:

This option was created by @Andrea_Piazza, Punit Acharya, and Maitreya Bodola from Microsoft Services and utilizes a wide range of Azure features to provide a robust and efficient solution.

Option 2 architecture diagram

 

Details on how to deploy this option can be found on our GitHub site.

 

Once your chosen connector is running you should see a custom table called O365API_CL appear in your Azure Sentinel workspace, and logs start to appear in it. Congratulations you are now collecting Teams events! 

 

Monitoring Teams 

As with most SaaS solutions, identity is a key attack vector when it comes to Teams and it should be protected and monitored. As Teams uses Azure Active Directory (Azure AD) for authentication you can collect Azure AD data into Azure Sentinel using the built-in connector and use our detections and hunting queries to monitor for suspicious identity events with Azure Sentinel. But what about Teams-specific threats? There are a number of scenarios that an attacker could attempt to exploit in order to gain access to your organization's sensitive data via Teams that wouldn't appear in Azure AD logs. Below we will look at some of these, as well as ideas of how to hunt and monitor for them.

 

Parsing the Data 

Before building detections or hunting queries on the Teams data we collected we can use a KQL Function to parse and normalize the data to make it easier to use. For more background on Functions please read this blog. 

 

In the case of Teams data we have a large number of fields in the Office 365 Management API that are used by other Office 365 services but not Teams, so the parser is going to help us select a subset of the fields relevant to Teams. You can find our suggested parser on GitHub but you can also modify this parser to fit your needs and preferences.

O365API_CL
| where Workload_s =~ "MicrosoftTeams"
| project TimeGenerated,
          Workload=Workload_s,
          Operation=Operation_s,
          TeamName=columnifexists('TeamName_s', ""),
          UserId=columnifexists('UserId_s', ""),
          // Fall back to the add-on GUID when no name is present; tolerate both columns being absent
          AddOnName=columnifexists('AddOnName_s', columnifexists('AddOnGuid_g', "")),
          Members=columnifexists('Members_s', ""),
          Settings=iif(Operation_s contains "Setting", pack("Name", columnifexists('Name_s', ""), "Old Value", columnifexists('OldValue_s', ""), "New Value", columnifexists('NewValue_s', "")),""),
          Details=pack("Id", columnifexists('Id_g', ""),  "OrganizationId", columnifexists('OrganizationId_g', ""), "UserType", columnifexists('UserType_d', ""), "UserKey", columnifexists('UserKey_g', ""), "TeamGuid", columnifexists('TeamGuid_s', ""))

For the queries we will look at in the following sections, we are going to save this parser with an alias of TeamsData. Details on configuring and using a Function as a parser can be found in this blog.

 

Hunting Queries 

The following queries are designed to help you find suspicious activity in your Teams environment, and whilst many are likely to return legitimate activity as well as potentially malicious activity, they can be useful in guiding your hunting. If after running these queries you are confident with the results you could consider turning some or all of them into Azure Sentinel Analytics to alert on. We have included entity mapping elements at the end of each query that you can use if you choose to use them as Analytics. 

 

External users from anomalous organizations 

Mitre ATT&CK technique T1136  

One potential threat vector for Teams is the ability to add external contributors to your Teams environment. Whilst this feature provides vital collaboration capabilities with external organizations it also presents a means by which a malicious actor could gain access. Organizations will often collaborate closely with a small number of key partners and it is likely that many of the external users in Teams will be from these organizations. Therefore, we can look for potentially suspicious external users by looking at external users added to Teams who come from organizations we have not observed before.

// If you have more than 14 days worth of Teams data change this value
let data_date = 14d;
// If you want to look at users further back than the last day change this value
let lookback_data = 1d;
// Build the baseline from the period before the lookback window, otherwise every
// organization added in the lookback window is already "known" and nothing is returned
let known_orgs = (
TeamsData
| where TimeGenerated between (ago(data_date) .. ago(lookback_data))
| where Operation =~ "MemberAdded" or Operation =~ "TeamsSessionStarted"
// Extract the correct UPN and parse our external organization domain
| extend UPN = iif(Operation == "MemberAdded", tostring(parse_json(Members)[0].UPN), UserId)
| extend Organization = tostring(split(split(UPN, "_")[1], "#")[0])
| where isnotempty(Organization)
| summarize by Organization);
TeamsData
| where TimeGenerated > ago(lookback_data)
| where Operation =~ "MemberAdded"
| extend UPN = tostring(parse_json(Members)[0].UPN)
| extend Organization = tostring(split(split(UPN, "_")[1], "#")[0])
| where isnotempty(Organization)
| where Organization !in (known_orgs)
// Uncomment the following line to map query entities if you plan to use this as a detection query
//| extend timestamp = TimeGenerated, AccountCustomEntity = UPN
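To show what the organization extraction above actually does on realistic records, here is a Python mirror of the query run over a handful of constructed TeamsData rows. It is an added example, not code from the post or from the Azure Sentinel repository; the row shape follows the parser output above, but the guest UPN values and the fabrikam/contoso names are invented. It differs from the KQL in one deliberate way: it splits on the last underscore before #EXT# rather than the first, so a guest whose e-mail local part contains an underscore (jane_doe@contoso.com) is still attributed to contoso.com.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed "query time" so the 14-day baseline and 1-day lookback are deterministic.
NOW = datetime(2020, 3, 30, 14, 0, tzinfo=timezone.utc)
DATA_DATE = timedelta(days=14)   # data_date in the query: baseline window
LOOKBACK = timedelta(days=1)     # lookback_data in the query: detection window


def guest_organization(upn):
    """Home domain of an Azure AD B2B guest UPN, or None for a member UPN.

    Guest UPNs have the form alice_contoso.com#EXT#@fabrikam.onmicrosoft.com:
    the guest's e-mail with '@' replaced by '_', then '#EXT#@' and the host
    tenant. Splitting on the LAST '_' before '#EXT#' (the KQL split(UPN, "_")[1]
    takes the first) keeps a local part such as jane_doe from being reported as
    the organization.
    """
    head, sep, _host_tenant = upn.partition("#EXT#")
    if not sep or "_" not in head:
        return None
    return head.rsplit("_", 1)[1].lower()


def first_member_upn(row):
    """UPN of Members[0], the element the queries in this post read."""
    members = json.loads(row["Members"]) if row.get("Members") else []
    return members[0].get("UPN", "") if members else ""


def external_users_from_new_orgs(rows, now=NOW, data_date=DATA_DATE, lookback=LOOKBACK):
    """Python mirror of the 'External users from anomalous organizations' hunt.

    Baseline organizations come from MemberAdded and TeamsSessionStarted events
    in (now - data_date, now - lookback]; a MemberAdded in the last `lookback`
    whose organization is outside that baseline is returned.
    """
    baseline_start, lookback_start = now - data_date, now - lookback
    known_orgs = set()
    for row in rows:
        if not baseline_start < row["TimeGenerated"] <= lookback_start:
            continue
        if row["Operation"] == "MemberAdded":
            upn = first_member_upn(row)
        elif row["Operation"] == "TeamsSessionStarted":
            upn = row["UserId"]          # session events carry the actor in UserId
        else:
            continue
        org = guest_organization(upn)
        if org:
            known_orgs.add(org)

    hits = []
    for row in rows:
        if row["TimeGenerated"] <= lookback_start or row["Operation"] != "MemberAdded":
            continue
        upn = first_member_upn(row)
        org = guest_organization(upn)
        if org and org not in known_orgs:
            hits.append({"TimeGenerated": row["TimeGenerated"], "UPN": upn,
                         "Organization": org, "AddedBy": row["UserId"]})
    return hits


def _members(upn, role=1):
    return json.dumps([{"UPN": upn, "Role": role}])


# Constructed TeamsData rows (shape of the parser output above; all values invented).
SAMPLE_ROWS = [
    # Baseline window: an established partner organization, seen twice
    {"TimeGenerated": NOW - timedelta(days=10), "Operation": "MemberAdded",
     "UserId": "admin@fabrikam.onmicrosoft.com",
     "Members": _members("alice_contoso.com#EXT#@fabrikam.onmicrosoft.com")},
    {"TimeGenerated": NOW - timedelta(days=5), "Operation": "TeamsSessionStarted",
     "UserId": "bob_contoso.com#EXT#@fabrikam.onmicrosoft.com", "Members": ""},
    # Last day: known partner, local part containing an underscore
    {"TimeGenerated": NOW - timedelta(hours=1), "Operation": "MemberAdded",
     "UserId": "admin@fabrikam.onmicrosoft.com",
     "Members": _members("jane_doe_contoso.com#EXT#@fabrikam.onmicrosoft.com")},
    # Last day: internal member, no organization to extract
    {"TimeGenerated": NOW - timedelta(hours=2), "Operation": "MemberAdded",
     "UserId": "admin@fabrikam.onmicrosoft.com",
     "Members": _members("carol@fabrikam.onmicrosoft.com")},
    # Last day: organization never seen in the baseline window
    {"TimeGenerated": NOW - timedelta(hours=3), "Operation": "MemberAdded",
     "UserId": "admin@fabrikam.onmicrosoft.com",
     "Members": _members("dan_unknown-partner.example#EXT#@fabrikam.onmicrosoft.com")},
]

if __name__ == "__main__":
    for hit in external_users_from_new_orgs(SAMPLE_ROWS):
        print(hit["TimeGenerated"].isoformat(), hit["UPN"], "->", hit["Organization"])
```

Only the last row is reported: contoso.com is in the baseline, and the internal user has no guest organization to extract. If you keep the KQL's first-underscore split, the jane_doe row would instead be attributed to "doe" and reported as a new organization, which is the false positive the rsplit avoids.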

 

 

 

 

 

 

 

 

External users added then removed  

Mitre ATT&CK technique T1136 

Attackers with some level of existing access might also look to add an external account to Teams in order to access or exfiltrate data before removing that user to hide the access. We can look for external accounts that are added to Teams then quickly removed to see if we can identify such behavior.

// If you want to look at users added more than 7 days ago adjust this value
let time_ago = 7d;
// If you want to change how quickly accounts need to be added and removed change this value
let time_delta = 1h;
TeamsData
| where TimeGenerated > ago(time_ago)
| where Operation =~ "MemberAdded"
| extend UPN = tostring(parse_json(Members)[0].UPN)
| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName, TeamGuid = tostring(Details.TeamGuid)
| join (
TeamsData
| where TimeGenerated > ago(time_ago)
| where Operation =~ "MemberRemoved"
| extend UPN = tostring(parse_json(Members)[0].UPN)
| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName, TeamGuid = tostring(Details.TeamGuid)) on UPN, TeamGuid
| where TimeDeleted < (TimeAdded + time_delta)
| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName, TeamGuid
// Uncomment the following line to map query entities if you plan to use this as a detection query
//| extend timestamp = TimeAdded, AccountCustomEntity = UPN
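As an added example (not from the post or the Azure Sentinel repository), here is the same add-then-remove pairing in Python over constructed rows, so the time_delta logic can be checked on known input. Unlike the KQL join, which pairs each add with every remove for the same user and team regardless of order, this version keeps only the earliest removal that follows each add, giving one result per add; all names, team names and GUIDs are invented.

```python
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2020, 3, 30, 14, 0, tzinfo=timezone.utc)   # constructed query time
TIME_AGO = timedelta(days=7)       # time_ago in the query
TIME_DELTA = timedelta(hours=1)    # time_delta in the query


def member_upn(row):
    """UPN of Members[0], as read by the query."""
    members = json.loads(row["Members"]) if row.get("Members") else []
    return members[0].get("UPN", "") if members else ""


def added_then_removed(rows, now=NOW, time_ago=TIME_AGO, time_delta=TIME_DELTA):
    """Python mirror of the 'External users added then removed' hunt.

    Each MemberAdded in the last `time_ago` is paired with the earliest
    MemberRemoved for the same (UPN, TeamGuid) that follows it; pairs whose
    dwell time is under `time_delta` are returned.
    """
    start = now - time_ago
    adds, removes = [], {}
    for row in rows:
        if row["TimeGenerated"] <= start:
            continue
        key = (member_upn(row), row["Details"]["TeamGuid"])
        if row["Operation"] == "MemberAdded":
            adds.append((key, row))
        elif row["Operation"] == "MemberRemoved":
            removes.setdefault(key, []).append(row)

    results = []
    for (upn, team_guid), add in adds:
        t_added = add["TimeGenerated"]
        later = [r for r in removes.get((upn, team_guid), []) if r["TimeGenerated"] >= t_added]
        if not later:
            continue
        rem = min(later, key=lambda r: r["TimeGenerated"])
        if rem["TimeGenerated"] - t_added < time_delta:
            results.append({"TimeAdded": t_added, "TimeDeleted": rem["TimeGenerated"],
                            "UPN": upn, "UserWhoAdded": add["UserId"],
                            "UserWhoDeleted": rem["UserId"],
                            "TeamName": add["TeamName"], "TeamGuid": team_guid})
    return results


def _row(hours_ago, op, upn, actor, team_name, team_guid):
    """Build one constructed TeamsData row in the parser's shape."""
    return {"TimeGenerated": NOW - timedelta(hours=hours_ago), "Operation": op,
            "UserId": actor, "TeamName": team_name,
            "Members": json.dumps([{"UPN": upn, "Role": 1}]),
            "Details": {"TeamGuid": team_guid}}


GUEST_A = "alice_contoso.com#EXT#@fabrikam.onmicrosoft.com"
GUEST_B = "bob_contoso.com#EXT#@fabrikam.onmicrosoft.com"
GUEST_C = "chris_contoso.com#EXT#@fabrikam.onmicrosoft.com"

# Constructed rows; only the alice pair satisfies the query's conditions.
SAMPLE_ROWS = [
    # alice: added to Finance and removed 30 minutes later -> reported
    _row(3.0, "MemberAdded",   GUEST_A, "owner1@fabrikam.onmicrosoft.com", "Finance", "team-guid-1"),
    _row(2.5, "MemberRemoved", GUEST_A, "owner1@fabrikam.onmicrosoft.com", "Finance", "team-guid-1"),
    # bob: added two days ago, removed a day later -> dwell exceeds time_delta
    _row(48, "MemberAdded",    GUEST_B, "owner2@fabrikam.onmicrosoft.com", "Projects", "team-guid-2"),
    _row(24, "MemberRemoved",  GUEST_B, "owner2@fabrikam.onmicrosoft.com", "Projects", "team-guid-2"),
    # chris: added to one team, removed from a different one -> no pair on TeamGuid
    _row(5.0, "MemberAdded",   GUEST_C, "owner1@fabrikam.onmicrosoft.com", "Finance", "team-guid-1"),
    _row(4.9, "MemberRemoved", GUEST_C, "owner3@fabrikam.onmicrosoft.com", "Sales",   "team-guid-3"),
]

if __name__ == "__main__":
    for r in added_then_removed(SAMPLE_ROWS):
        print(r["UPN"], r["TeamName"], "dwell:", r["TimeDeleted"] - r["TimeAdded"])
```

Joining on TeamGuid rather than TeamName matters in the chris case: the same display name can belong to several Teams, and a removal from a different Team should not close the window opened by the add.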

 

 

 

 

 

 

 

 

New bot or application added 

Mitre ATT&CK techniques T1176, T1119

Teams has the ability to include apps or bots within a Team to extend the native feature set. Whilst many of these are included by default there is also the option to include custom bots and apps in a Team. An attacker could use such an app to establish persistence in Teams without a user account, or to access files or other data shared on Teams. We can hunt for new app or bot additions that have not been added to any Team within our organization before.

// If you have more than 14 days worth of Teams data change this value
let data_date = 14d;
// Build the baseline from the period before the last day, otherwise an add-in first
// seen in the last day is already "known" and is never returned
let historical_bots = (
TeamsData
| where TimeGenerated between (ago(data_date) .. ago(1d))
| where isnotempty(AddOnName)
| project AddOnName);
TeamsData
| where TimeGenerated > ago(1d)
| where isnotempty(AddOnName)
// Look for add-ins we have never seen before
| where AddOnName !in (historical_bots)
// Uncomment the following line to map query entities if you plan to use this as a detection query
//| extend timestamp = TimeGenerated, AccountCustomEntity = UserId

 

 

 

 

 

 

 

 

User made Owner of multiple Teams 

Mitre ATT&CK technique T1078 

Commonly within an organization, users will set up Teams as needed for specific projects or topics and will own the Teams they create. Most organizations will have different Owners for each Team, and rarely will one user be an Owner of more than a small number of Teams. An attacker seeking to elevate privileges may look to make themselves Owner of a large number of Teams, so we can monitor for a user being made an Owner in a large number of Teams.

// Adjust this value to change how many teams a user is made owner of before detecting
let max_owner_count = 3;
// Change this value to adjust how large a timeframe the query is run over
let time_window = 1d;
let high_owner_count = (TeamsData
| where TimeGenerated > ago(time_window)
| where Operation =~ "MemberRoleChanged"
| extend Member = tostring(parse_json(Members)[0].UPN)
| extend NewRole = toint(parse_json(Members)[0].Role)
// Role 2 is the Owner role
| where NewRole == 2
| summarize dcount(TeamName) by Member
| where dcount_TeamName > max_owner_count
| project Member);
TeamsData
| where TimeGenerated > ago(time_window)
| where Operation =~ "MemberRoleChanged"
| extend Member = tostring(parse_json(Members)[0].UPN)
| extend NewRole = toint(parse_json(Members)[0].Role)
| where NewRole == 2
| where Member in (high_owner_count)
| extend TeamGuid = tostring(Details.TeamGuid)
// Uncomment the following line to map query entities if you plan to use this as a detection query
//| extend timestamp = TimeGenerated, AccountCustomEntity = Member

 

 

 

 

 

 

 

 

Multiple Teams deleted by a single user 

Mitre ATT&CK techniques T1485, T1489

As with ownership of a Team, the process of deleting a Team is often one carried out by individual Owners rather than a single central user. Given Teams are often used for critical services such as incident management it is possible that an attacker looking to cause disruption could seek to delete multiple Teams. We can monitor for a single user deleting multiple Teams to detect such activity and identify the malicious user.

// Adjust this value to change how many Teams should be deleted before including
let max_delete = 3;
// Adjust this value to change the time window the query runs over
let time_window = 1d;
let deleting_users = (
TeamsData
| where TimeGenerated > ago(time_window)
| where Operation =~ "TeamDeleted"
| summarize count() by UserId
| where count_ > max_delete
| project UserId);
TeamsData
| where TimeGenerated > ago(time_window)
| where Operation =~ "TeamDeleted"
| where UserId in (deleting_users)
| extend TeamGuid = tostring(Details.TeamGuid)
| project-away AddOnName, Members, Settings
// Uncomment the following line to map query entities if you plan to use this as a detection query
//| extend timestamp = TimeGenerated, AccountCustomEntity = UserId
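The "User made Owner of multiple Teams" and "Multiple Teams deleted by a single user" queries share one pattern: count events per actor inside a time window and report the actors over a threshold. As an added example (not the post's or the repository's code), here is that pattern in Python for both queries, run over constructed rows; the Role value 2 for Owner is taken from the queries above, and every user and team name is invented. The owner check counts distinct Teams, as dcount(TeamName) does, so repeated promotions in the same Team do not inflate the count, while the deletion check is a plain count, as in the query.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2020, 3, 30, 14, 0, tzinfo=timezone.utc)   # constructed query time
TIME_WINDOW = timedelta(days=1)   # time_window in both queries
OWNER_ROLE = 2                    # Members[0].Role value the queries treat as Owner


def _in_window(row, now, window):
    return row["TimeGenerated"] > now - window


def users_made_owner_of_many_teams(rows, max_owner_count=3, now=NOW, window=TIME_WINDOW):
    """Mirror of 'User made Owner of multiple Teams'.

    MemberRoleChanged events that set Role 2 are distinct-counted per promoted
    member; members promoted in more than max_owner_count Teams are returned
    as {member: sorted team names}.
    """
    teams_by_member = defaultdict(set)
    for row in rows:
        if row["Operation"] != "MemberRoleChanged" or not _in_window(row, now, window):
            continue
        members = json.loads(row["Members"]) if row.get("Members") else []
        if not members or int(members[0].get("Role", -1)) != OWNER_ROLE:
            continue
        teams_by_member[members[0]["UPN"]].add(row["TeamName"])
    return {m: sorted(t) for m, t in teams_by_member.items() if len(t) > max_owner_count}


def users_deleting_many_teams(rows, max_delete=3, now=NOW, window=TIME_WINDOW):
    """Mirror of 'Multiple Teams deleted by a single user'.

    TeamDeleted events are counted per UserId; users with more than max_delete
    deletions are returned as {user: deleted team names}.
    """
    deleted = defaultdict(list)
    for row in rows:
        if row["Operation"] == "TeamDeleted" and _in_window(row, now, window):
            deleted[row["UserId"]].append(row["TeamName"])
    return {u: t for u, t in deleted.items() if len(t) > max_delete}


def _role_change(hours_ago, member, role, team):
    return {"TimeGenerated": NOW - timedelta(hours=hours_ago), "Operation": "MemberRoleChanged",
            "UserId": "admin@fabrikam.onmicrosoft.com", "TeamName": team,
            "Members": json.dumps([{"UPN": member, "Role": role}])}


def _team_deleted(hours_ago, actor, team):
    return {"TimeGenerated": NOW - timedelta(hours=hours_ago), "Operation": "TeamDeleted",
            "UserId": actor, "TeamName": team, "Members": ""}


PAT, DAVE = "pat@fabrikam.onmicrosoft.com", "dave@fabrikam.onmicrosoft.com"
CLEANUP, FRANK = "svc-cleanup@fabrikam.onmicrosoft.com", "frank@fabrikam.onmicrosoft.com"

# Constructed rows (all values invented).
SAMPLE_ROWS = [
    # pat: promoted to Owner in four distinct Teams within the last day (Finance twice)
    _role_change(1, PAT, 2, "Finance"), _role_change(2, PAT, 2, "Finance"),
    _role_change(3, PAT, 2, "HR"), _role_change(4, PAT, 2, "Legal"),
    _role_change(5, PAT, 2, "Sales"),
    # pat: a fifth promotion, but two days ago, so outside the window
    _role_change(48, PAT, 2, "Marketing"),
    # dave: Owner in two Teams plus a demotion to Member (Role 1) -> under threshold
    _role_change(6, DAVE, 2, "Finance"), _role_change(7, DAVE, 2, "HR"),
    _role_change(8, DAVE, 1, "Legal"),
    # svc-cleanup: four Teams deleted in the last day, two more three days ago
    _team_deleted(1, CLEANUP, "Old-Project-A"), _team_deleted(2, CLEANUP, "Old-Project-B"),
    _team_deleted(3, CLEANUP, "Old-Project-C"), _team_deleted(4, CLEANUP, "Old-Project-D"),
    _team_deleted(72, CLEANUP, "Old-Project-E"), _team_deleted(73, CLEANUP, "Old-Project-F"),
    # frank: a single deletion
    _team_deleted(5, FRANK, "Hackathon"),
]

if __name__ == "__main__":
    print("owner of many teams:", users_made_owner_of_many_teams(SAMPLE_ROWS))
    print("deleting many teams:", users_deleting_many_teams(SAMPLE_ROWS))
```

Both thresholds are exclusive (strictly greater than), matching `> max_owner_count` and `> max_delete` in the queries; raising max_delete to 4 makes the svc-cleanup rows drop out, which is the knob you would tune against your own baseline of legitimate bulk cleanups.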

 

 

 

 

 

 

 

 

Other Hunting Opportunities

Once you have run these queries you can expand your hunting by combining them with other data sources such as Azure Active Directory or activity on other Office 365 workloads. For example, you can combine our detection for suspicious patterns of Azure Active Directory SigninLogs to the Azure Portal with the Teams data and look for users appearing in that detection being made an Owner of a Team:

let timeRange = 1d;
let lookBack = 7d;
// Window for the Teams role-change side of the query
let time_window = 1d;
let threshold_Failed = 5;
let threshold_FailedwithSingleIP = 20;
let threshold_IPAddressCount = 2;
let isGUID = "[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}";
let azPortalSignins = SigninLogs
| where TimeGenerated >= ago(timeRange)
// Azure Portal only and exclude non-failure Result Types
| where AppDisplayName has "Azure Portal" and ResultType !in ("0", "50125", "50140")
// Tagging identities not resolved to friendly names
| extend Unresolved = iff(Identity matches regex isGUID, true, false);
// Look up resolved identities from the last 7 days
let identityLookup = SigninLogs
| where TimeGenerated >= ago(lookBack)
| where not(Identity matches regex isGUID)
| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;
// Join resolved names to unresolved list from portal signins
let unresolvedNames = azPortalSignins | where Unresolved == true | join kind= inner (
   identityLookup ) on UserId
| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName
| project-away lu_UserDisplayName, lu_UserPrincipalName;
// Join Signins that had resolved names with list of unresolved that now have a resolved name
let u_azPortalSignins = azPortalSignins | where Unresolved == false | union unresolvedNames;
let failed_signins = (u_azPortalSignins
| extend Status = strcat(ResultType, ": ", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)
| extend FullLocation = strcat(Location,'|', LocationDetails.state, '|', LocationDetails.city)
| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()
by UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation
| mvexpand TimeGenerated, IPAddresses, Status
| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)
| project-away IPAddresses
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation
| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP
| project UserPrincipalName);
TeamsData
| where TimeGenerated > ago(time_window)
| where Operation =~ "MemberRoleChanged"
| extend Member = tostring(parse_json(Members)[0].UPN)
| extend NewRole = toint(parse_json(Members)[0].Role)
| where NewRole == 2
| where Member in (failed_signins)
| extend TeamGuid = tostring(Details.TeamGuid)


In addition you can make the SigninLogs detections specific to Teams by adding a filter for only Teams-based sign-ins with:

| where AppDisplayName startswith "Microsoft Teams"

For example, this is our "Successful logon from IP and failure from a different IP" query scoped to only Teams sign-ins:

let timeFrame = 1d;
let logonDiff = 10m;
SigninLogs
  | where TimeGenerated >= ago(timeFrame)
  | where ResultType == "0"
  | where AppDisplayName startswith "Microsoft Teams"
  | project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, ".")[0], ".", split(IPAddress, ".")[1])
  | join kind= inner (
      SigninLogs
      | where TimeGenerated >= ago(timeFrame)
      | where ResultType !in ("0", "50140")
      | where ResultDescription !~ "Other"
      | where AppDisplayName startswith "Microsoft Teams"
      | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription
  ) on UserPrincipalName, AppDisplayName
  | where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock
  | summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription
  | extend timestamp = SuccessLogonTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SuccessIPAddress

The Teams hunting queries detailed in this blog have been shared on the Azure Sentinel GitHub along with the parser and Logic App. We will be continuing to develop detections and hunting queries for Teams data over time, so make sure you keep an eye on GitHub. As always, if you have your own ideas for queries or detections please feel free to contribute to the Azure Sentinel community.

23 Comments
Re: Protecting your Teams with Azure Sentinel
If you get the error (first PowerShell script): 'Invoke-WebRequest : The response content cannot be parsed because the Internet Explorer engine is not available', the solution is to use the parameter -UseBasicParsing at the end of the last line.

Re: Protecting your Teams with Azure Sentinel
Thanks!
When you copy/paste the powershell code in Onenote like I did.. some spaces don't survive the copy/paste so the commands fail. Just a fyi.
I did have to modify the Logic App to get it to work: replace the <TENANT ID> placeholder in the URI in the HTTP Get step (#4) and make sure in the final step, my Sentinel connection is validated.
After these little tweaks.. it worked as I see the O365API_CL custom log. Now the real work begins.. monitoring :)

Re: Protecting your Teams with Azure Sentinel
Thanks @mclaes, we have updated the LogicApp to include that <TENANT ID> as a parameter.
I have also uploaded that PowerShell as a text file to GitHub to make it easier to copy and paste.

Re: Protecting your Teams with Azure Sentinel
Thank you, Pete, this is very informative. Just FYI, I still had to manually update the TenantID in the playbook URI - for some reason it would not use the TenantId parameter and the connection recreated.
For the parser, some of the fields are not present so the sample queries would fail, I guess one needs some records with different type of Teams events in order to update the schema? Examples: AddOnName_s, Name_s, OldValue_s, NewValue_s. If these are missing (like they do in our case) the adjusted TeamsData parser would be:

O365API_CL
| where Workload_s == "MicrosoftTeams"
| project TimeGenerated, Workload=Workload_s, Operation=Operation_s, TeamName=TeamName_s, UserId=UserId_s, Members=Members_s, Details=pack("Id", Id_g, "OrganizationId", OrganizationId_g, "UserType", UserType_d, "UserKey", UserKey_g, "TeamGuid", TeamGuid_s)

Also, for the benefit of other readers (I know that the playbook in the article was just a quick example), to avoid the playbook failed runs when there are no records to be retrieved, the playbook can be adjusted with an "if" condition to check for the length of the body of the first HTTP request (if larger than 0, then execute the rest of the actions: Parse json, HTTP request for the actual records and sending the data to Log Analytics).

Re: Protecting your Teams with Azure Sentinel
I've noticed that the fields I'm missing are all related to the product-specific schema mentioned in https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema . Is there some additional logging or permissions that needs to be enabled to get those events?

Re: Protecting your Teams with Azure Sentinel
@Pete Bryan couldn't the Sentinel 'Office 365' Data Connector be updated to include the other workloads outside of SharePoint/OneDrive and Exchange? At the least Microsoft Teams should be added vs. creating registering graph applications and running Logic Apps/Power Automate or Azure Functions to archive the same thing.

Re: Protecting your Teams with Azure Sentinel
Thanks @AdiGrio, this feedback is really useful to us.
I have updated the parser to use columnifexists() to allow it to be more tolerant of missing fields. The new parser looks like this:

O365API_CL
| where Workload_s =~ "MicrosoftTeams"
| project TimeGenerated,
Workload=Workload_s,
Operation=Operation_s,
TeamName=columnifexists('TeamName_s', ""),
UserId=columnifexists('UserId_s', ""),
AddOnName=columnifexists('AddOnName_s', AddOnGuid_g),
Members=columnifexists('Members_s', ""),
Settings=iif(Operation_s contains "Setting", pack("Name", columnifexists('Name_s', ""), "Old Value", columnifexists('OldValue_s', ""), "New Value", columnifexists(
'NewValue_s'%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E))%2C%3C%2FSPAN%3E%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E)%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EDetails%3Dpack%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E%22Id%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%20columnifexists%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E'Id_g'%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E)%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22OrganizationId%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%20columnifexists%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E'OrganizationId_g'%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E)%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22UserType%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%20columnifexists%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E'UserType_d'%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E)%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22UserKey%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%20columnifexists%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E'UserKey_g'%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E)%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22TeamGuid%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%20columnifexists%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E'TeamGuid_s'%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E))%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EThis%20will%20be%20in%20the%20GitHub%20shortly.%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EI%20will%20also%20look%20at%20the%20ARM%20template%20to%20work%20out%20why%20TenantId%20isn't%20being%20automatically%20populated.%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1285374%22%20slang%3D%22en-US%22%3ERe%3A%20Protecting%20your%20Teams%20with%20Azure%20S
entinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1285374%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F609956%22%20target%3D%22_blank%22%3E%40Lokaalin%3C%2FA%3E%26nbsp%3Bif%20you%20have%20the%20product%20enabled%20and%20have%20Auditing%20enabled%20you%20should%20see%20these%20events.%20Do%20you%20see%20these%20events%20in%20the%20Audit%20Log%20viewer%20in%20the%20O356%20portal%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1288735%22%20slang%3D%22en-US%22%3ERe%3A%20Protecting%20your%20Teams%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1288735%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20post%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F113210%22%20target%3D%22_blank%22%3E%40Pete%20Bryan%3C%2FA%3E!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20noticed%20a%20minor%20bug%20in%20the%20%22%3CSTRONG%3EExternal%20Users%20Added%20then%20Removed%3C%2FSTRONG%3E%22-query.%3C%2FP%3E%3CP%3EWhen%20a%20user%20is%20removed%20from%20a%20team%20it%20appears%20that%20the%20userid%20is%20prepended%20to%20the%20actual%20UPN%20which%20means%20that%20the%20join%20wont%20match%20the%20add%20event%20with%20the%20remove%20event%2C%20for%20example%20%22test1%40org.com%22%20would%20in%20the%20remove%20event%20become%20%22xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxtest1%40org.com%22.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20simple%20fix%20below%3A%3C%2FP%3E%3CPRE%3E%2F%2F%20If%20you%20want%20to%20look%20at%20user%20added%20further%20than%207%20days%20ago%20adjust%20this%20value%20%0Alet%20time_ago%20%3D%207d%3B%20%0A%2F%2F%20If%20you%20want%20to%20change%20the%20timeframe%20of%20how%20quickly%20accounts%20need%20to%20be%20added%20and%20removed%20change%20this%20value%20%0Alet%20time_delta%20%3D%201h%3B%20%0ATeamsData%20%20%0A%7C%20where%20TimeGenerated%20%26gt%3B%20ago(time_ago)%20%0A%7C%
20where%20Operation%20%3D~%20%22MemberAdded%22%0A%7C%20extend%20UPN%20%3D%20tostring(parse_json(Members)%5B0%5D.UPN)%20%0A%7C%20project%20TimeAdded%3DTimeGenerated%2C%20Operation%2C%20UPN%2C%20UserWhoAdded%20%3D%20UserId%2C%20TeamName%2C%20TeamGuid%20%3D%20tostring(Details.TeamGuid)%20%0A%7C%20join%20(%20%0ATeamsData%20%20%0A%7C%20where%20TimeGenerated%20%26gt%3B%20ago(time_ago)%20%0A%7C%20where%20Operation%20%3D~%20%22MemberRemoved%22%20%0A%7C%20extend%20UPN%20%3D%20%3CSTRONG%3E%3CFONT%20color%3D%22%23339966%22%3Etrim_start(%40%22%5B0-9a-%3C%2FFONT%3E%3CFONT%20color%3D%22%23339966%22%3EfA-F%5D%7B32%7D%22%2C%20tostring(parse_json(Members)%5B0%5D.UPN))%3C%2FFONT%3E%3C%2FSTRONG%3E%0A%7C%20project%20TimeDeleted%3DTimeGenerated%2C%20Operation%2C%20UPN%2C%20UserWhoDeleted%20%3D%20UserId%2C%20TeamName%2C%20TeamGuid%20%3D%20tostring(Details.TeamGuid))%20on%20UPN%2C%20TeamGuid%20%0A%7C%20where%20TimeDeleted%20%26lt%3B%20(TimeAdded%20%2B%20time_delta)%20%0A%7C%20project%20TimeAdded%2C%20TimeDeleted%2C%20UPN%2C%20UserWhoAdded%2C%20UserWhoDeleted%2C%20TeamName%2C%20TeamGuid%3C%2FPRE%3E%3CP%3EAlso%2C%20this%20does%20not%20look%20for%20external%20users%20per%20se%2C%20it%20will%20catch%20intra%20org%20users%20as%20well.%20Would%20need%20to%20add%20the%20organization%20filter%20from%20the%20%22External%20users%20from%20anomolous%20organizations%22%20query%20and%20probably%20a%20parameter%20for%20%22trusted%20organizations%22%20for%20this%20to%20look%20explicitly%20for%20external%20users.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKeep%20up%20the%20great%20work!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1289835%22%20slang%3D%22en-US%22%3ERe%3A%20Protecting%20your%20Teams%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1289835%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F16012%22%20target%3D%22_blank%22%3E%40Michael%20LaMontagne%3C%2FA%3E%26nbsp
%3Bthis%20is%20being%20worked%20on%20as%20we%20speak.%20Given%20the%20increase%20in%20Teams%20usage%20we%20wanted%20to%20give%20you%20a%20solution%20that%20gives%20you%20the%20ability%20to%20collect%20and%20monitor%20Teams%20data%20immediately%20whilst%20we%20work%20on%20a%20connector.%20We%20will%20be%20updating%20this%20blog%20when%20the%20connector%20is%20released.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1294452%22%20slang%3D%22en-US%22%3ERe%3A%20Protecting%20your%20Teams%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1294452%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F113210%22%20target%3D%22_blank%22%3E%40Pete%20Bryan%3C%2FA%3E%26nbsp%3BI%20am%20having%20issues%20with%20parser.%20But%20when%20i%20remove%20%22AddOnGuid_g%22%20from%20parser..%20Works%20without%20error..%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Capture.PNG%22%20style%3D%22width%3A%20641px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F183273i7F8B4E37892A2BC1%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Capture.PNG%22%20alt%3D%22Capture.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Enot%20sure%2C%20if%20it%20is%20typo%20or%20variables%20will%20be%20different%20from%20different%20customers.....%20it%20also%20works%20when%20I%20change%20parser%20to%20following%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3EO365API_CL%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20Workload_s%20%3D~%20%3C%2FSPAN%3E%3CSPAN%3E%22MicrosoftTeams%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Eproject%3C%2FSPAN%3E%3CSPAN%3
E%20TimeGenerated%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EWorkload%3DWorkload_s%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EOperation%3DOperation_s%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3ETeamName%3Dcolumnifexists%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E'TeamName_s'%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E)%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EUserId%3Dcolumnifexists%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E'UserId_s'%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E)%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%3CFONT%3EAddOnName%3Dcolumnifexists('AddOnName_s'%2C%20%3CFONT%20color%3D%22%23ff0000%22%3EAddOnGuid_s%3C%2FFONT%3E)%2C%26nbsp%3B%26nbsp%3B%20%3CFONT%20color%3D%22%23ff0000%22%3E%26lt%3B--%20Updated%20AddOnGuid_g%20to%20AddOnGuid_s%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EMembers%3Dcolumnifexists%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E'Members_s'%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E)%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3ESettings%3Diif%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3EOperation_s%20%3C%2FSPAN%3E%3CSPAN%3Econtains%3C%2FSPAN%3E%20%3CSPAN%3E%22Setting%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%20pack%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E%22Name%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%20columnifexists%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E'Name_s'%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E)%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22Old%20Value%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%20columnifexists%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E'OldValue_s'%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E)%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22New%20Value%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSP
AN%3E%3CSPAN%3E%20columnifexists%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E'NewValue_s'%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E))%2C%3C%2FSPAN%3E%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E)%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EDetails%3Dpack%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E%22Id%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%20columnifexists%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E'Id_g'%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E)%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22OrganizationId%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%20columnifexists%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E'OrganizationId_g'%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E)%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22UserType%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%20columnifexists%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E'UserType_d'%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E)%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22UserKey%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%20columnifexists%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E'UserKey_g'%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E)%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22TeamGuid%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%20columnifexists%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E'TeamGuid_s'%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%20%3CSPAN%3E%22%22%3C%2FSPAN%3E%3CSPAN%3E))%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1295989%22%20slang%3D%22en-US%22%3ERe%3A%20Protecting%20your%20Teams%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1295989%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2F
techcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F605530%22%20target%3D%22_blank%22%3E%40msraj%3C%2FA%3E%26nbsp%3Bthis%20is%20another%20one%20where%20the%20schema%20hasn't%20filled%20out%20yet%20as%20you%20haven't%20seen%20that%20event.%26nbsp%3B%3CBR%20%2F%3ETwo%20options%20to%20solve%20this%20-%20one%20is%20to%20add%20an%20addon%20to%20one%20of%20your%20Teams%20to%20create%20the%20event%20and%20populate%20that%20field%20in%20the%20schema.%3C%2FP%3E%0A%3CP%3EYour%20other%20option%20is%20to%20add%20another%20columnifexist()%20to%20the%20query%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ETeamName%3Dcolumnifexists%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E'TeamName_s'%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3Bcolumnifexists('TeamName_g'%2C%26nbsp%3B%22%22)%3C%2FSPAN%3E%3CSPAN%3E)%2C%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1289158%22%20slang%3D%22en-US%22%3ERe%3A%20Protecting%20your%20Teams%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1289158%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F573665%22%20target%3D%22_blank%22%3E%40wadstromdev%3C%2FA%3E%26nbsp%3B.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThere%20is%20a%20new%20version%20of%20this%20query%20up%20on%20GitHub%20already%20that%20addresses%20some%20of%20this%20by%20adding%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%20%20%7C%20where%20UPN%20contains%20(%22%23EXT%23%22)%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20should%20have%20included%20this%20originally%20as%20this%20scopes%20it%20to%20external%20users%20only%20(Azure%20AD%20creates%20external%20users%20accounts%20as%20username_domain%23EXT%23%40o365tenant.com)%20and%20allows%20us%20to%20use%20the%20UPN%20as%20a%20unique%20identifier.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20haven't%20observed%20the%20userid%20prepending%20you%20a
re%20seeing%20but%20I%20will%20go%20and%20do%20some%20additional%20testing%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1298369%22%20slang%3D%22en-US%22%3ERe%3A%20Protecting%20your%20Teams%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1298369%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F113210%22%20target%3D%22_blank%22%3E%40Pete%20Bryan%3C%2FA%3E.%20That%20works%20for%20me.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1382916%22%20slang%3D%22en-US%22%3ERe%3A%20Protecting%20your%20Teams%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1382916%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F113210%22%20target%3D%22_blank%22%3E%40Pete%20Bryan%3C%2FA%3E%26nbsp%3BIs%20there%20any%20timeline%20for%20when%20Teams%20will%20be%20included%20in%20the%20O365%20connector%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1396047%22%20slang%3D%22en-US%22%3ERe%3A%20Protecting%20your%20Teams%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1396047%22%20slang%3D%22en-US%22%3E%3CP%3EAnyone%20else%20getting%20errors%20that%20the%20followings%20cmdlets%20cannot%20be%20found%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EInvoke-RestMethod%3C%2FLI%3E%3CLI%3EInvoke-WebRequest%3C%2FLI%3E%3C%2FUL%3E%3CP%3EFor%20context%2C%20what%20I%20have%20done%20is%20replaced%20the%20values%20with%20my%20azure%20data%20and%20save%20the%20file%20as%20.ps1%20then%20ran%20the%20file%20afterwards.%3C%2FP%3E%3CP%3EPowershell%20version%3A%205.1%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%23%23%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESaved%20below%20as%20.ps1%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3E%23%20Populate%20with%20App%20ID%20and%20Secret%20from%
20your%20Azure%20AD%20app%20registration%20%0A%24ClientID%20%3D%20%22%26lt%3Bapp_id%26gt%3B%22%E2%80%AF%20%0A%24ClientSecret%E2%80%AF%3D%20%22%26lt%3Bclient_secret%26gt%3B%22%E2%80%AF%20%0A%24loginURL%E2%80%AF%3D%20%22https%3A%2F%2Flogin.microsoftonline.com%2F%22%E2%80%AF%20%0A%24tenantdomain%E2%80%AF%3D%20%22%26lt%3Bdomain%26gt%3B.onmicrosoft.com%22%E2%80%AF%20%0A%23%20Get%20the%20tenant%20GUID%20from%20Properties%20%7C%20Directory%20ID%20under%20the%20Azure%20Active%20Directory%20section%20%0A%24TenantGUID%E2%80%AF%3D%20%22%26lt%3BTenant%20GUID%26gt%3B%22%E2%80%AF%20%0A%24resource%20%3D%20%22https%3A%2F%2Fmanage.office.com%22%E2%80%AF%20%0A%24body%20%3D%20%40%7Bgrant_type%3D%22client_credentials%22%3Bresource%3D%24resource%3Bclient_id%3D%24ClientID%3Bclient_secret%3D%24ClientSecret%7D%E2%80%AF%0A%24oauth%E2%80%AF%3D%20Invoke-RestMethod%E2%80%AF-Method%20Post%20-Uri%20%24loginURL%2F%24tenantdomain%2Foauth2%2Ftoken%3Fapi-version%3D1.0%20-Body%20%24body%E2%80%AF%20%0A%24headerParams%E2%80%AF%3D%20%40%7B'Authorization'%3D%22%24(%24oauth.token_type)%20%24(%24oauth.access_token)%22%7D%E2%80%AF%E2%80%AF%20%0A%24publisher%20%3D%20New-Guid%0AInvoke-WebRequest%E2%80%AF-Method%20Post%20-Headers%20%24headerParams%E2%80%AF-Uri%20%22https%3A%2F%2Fmanage.office.com%2Fapi%2Fv1.0%2F%24tenantGuid%2Factivity%2Ffeed%2Fsubscriptions%2Fstart%3FcontentType%3DAudit.General%26amp%3BPublisherIdentifier%3D%24Publisher%22%E2%80%AF%20%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F113210%22%20target%3D%22_blank%22%3E%40Pete%20Bryan%3C%2FA%3E%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1402421%22%20slang%3D%22en-US%22%3ERe%3A%20Protecting%20your%20Teams%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1402421%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2
Fuser-id%2F113210%22%20target%3D%22_blank%22%3E%40Pete%20Bryan%3C%2FA%3E%26nbsp%3B%20I%20was%20doing%20this%20integration.%20But%20i%20want%20to%20know%20where%20I%20can%20get%20the%20O365%20publisher%20name%20which%20is%20required%20while%20deploying%20the%20arm%20template.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1403424%22%20slang%3D%22en-US%22%3ERe%3A%20Protecting%20your%20Teams%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1403424%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F492724%22%20target%3D%22_blank%22%3E%40Pavan_Gelli1910%3C%2FA%3E%26nbsp%3B%20-%20that%20value%20is%20the%20GUID%20you%20generated%20as%20part%20of%20the%26nbsp%3B%3CSPAN%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW207115624%20BCX0%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3ERegis%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Eering%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Ehe%20API%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW207115624%20BCX0%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Es%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW207115624%20BCX0%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Eubscrip%3C%2FSPAN%3
E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Eion%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW207115624%20BCX0%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3Bsection.%20The%20line%3A%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-cpp%22%3E%3CCODE%3E%24publisher%20%3D%20New-Guid%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3EThis%20generates%20the%20GUID%20for%20you.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20didn't%20capture%20it%20at%20that%20point%20simply%20run%20the%20below%20to%20get%20available%20subscriptions%3A%3C%2FP%3E%0A%3CPRE%3E%26nbsp%3Bhttps%3A%2F%2Fmanage.office.com%2Fapi%2Fv1.0%2F%24tenantGuid%2Factivity%2Ffeed%2Fsubscriptions%2Flist%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1415215%22%20slang%3D%22en-US%22%3ERe%3A%20Protecting%20your%20Teams%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1415215%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F113210%22%20target%3D%22_blank%22%3E%40Pete%20Bryan%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3EFirst%20of%20all%2C%20great%20Article%2C%20I%20think%20it's%20super%20helpful%20and%20I%20wish%20later%20down%20the%20road%20the%20entire%20O365API%20management%20will%20become%20part%20of%20the%20existing%20O365%20Collector%20today.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETwo%20things%20I've%20noticed%20that%20could%20be%20helpful%3A%3C%2FP%3E%3CP%3E1.%20On%20the%20recent%20change%20for%20the%20parser%20in%20GitHub%2C%20it%20seems%20as%20the%20name%20of%20the%20column%20fo
r%20%3CSTRONG%3ETimeGenerated%3C%2FSTRONG%3E%26nbsp%3Bhas%20changed%20to%20%3CSTRONG%3ECreationTime%2C%20%3C%2FSTRONG%3Eand%20I%20think%20there%20is%20also%20a%20Typo%20with%20another%20Column%20named%20Add%3CU%3E%3CSTRONG%3Ed%3C%2FSTRONG%3E%3C%2FU%3EOnName%2C%20hence%20all%20the%20queries%20in%20this%20blog%20might%20result%20an%20error%20as%20they%20reference%20TimeGenerated.%3C%2FP%3E%3CP%3E2.%20You%20mentioned%20that%20as%20well%20above%2C%20but%20when%20going%20with%20Option%20%231%20and%20deploying%20from%20GitHub%2C%20it%20ask%20you%20for%20the%20O365%20GUID%20of%20the%20RegisteredApp%20which%20the%20comments%20do%20not%20mention.%20Also%2C%20it%20states%20a%20KEY%20which%20you%20need%20to%20grab%20from%20the%20workspace%20advance%20settings%2C%20though%20no%20mention%20of%20that%20exists%20in%20the%20Deployment%20from%20GitHub.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1448012%22%20slang%3D%22en-US%22%3ERe%3A%20Protecting%20your%20Teams%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1448012%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20the%20great%20info%3B%20sharing%20with%20my%20Linkedin%20Network%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1523389%22%20slang%3D%22en-US%22%3ERe%3A%20Protecting%20your%20Teams%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1523389%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20thx%20for%20the%20helpful%20blog.%20When%20i%20run%20the%20playbook%20i%20got%20an%20error%20messages%20during%20the%20stage%20%22run%20query%20and%20list%20results%22%20.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F113210%22%20target%3D%22_blank%22%3E%40Pete%20Bryan%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBad%20request%3A%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22Message%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E
%22User%26nbsp%3Binput%26nbsp%3Bis%26nbsp%3Binvalid.%26nbsp%3BPlease%26nbsp%3Bcheck%26nbsp%3Bquery%26nbsp%3Bsyntax%2C%26nbsp%3BChart%26nbsp%3BType%26nbsp%3Bor%26nbsp%3Bother%26nbsp%3Bparameters%26nbsp%3Bdata.%26nbsp%3BResponse%26nbsp%3BStatus%3DHttpJsonResponse%3A%26nbsp%3BResultStatus%3DBadRequest%2C%26nbsp%3BResponse%26nbsp%3BContent%3D%7B%5Cr%5Cn%26nbsp%3B%26nbsp%3B%5C%22error%5C%22%3A%26nbsp%3B%7B%5Cr%5Cn%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%5C%22message%5C%22%3A%26nbsp%3B%5C%22The%26nbsp%3Brequest%26nbsp%3Bhad%26nbsp%3Bsome%26nbsp%3Binvalid%26nbsp%3Bproperties%5C%22%2C%5Cr%5Cn%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%5C%22code%5C%22%3A%26nbsp%3B%5C%22BadArgumentError%5C%22%2C%5Cr%5Cn%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%5C%22innererror%5C%22%3A%26nbsp%3B%7B%5Cr%5Cn%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%5C%22code%5C%22%3A%26nbsp%3B%5C%22SemanticError%5C%22%2C%5Cr%5Cn%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%5C%22message%5C%22%3A%26nbsp%3B%5C%22A%26nbsp%3Bsemantic%26nbsp%3Berror%26nbsp%3Boccurred.%5C%22%2C%5Cr%5Cn%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%5C%22innererror%5C%22%3A%26nbsp%3B%7B%5Cr%5Cn%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%5C%22code%5C%22%3A%26nbsp%3B%5C%22SEM0100%5C%22%2C%5Cr%5Cn%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%5C%22message%5C%22%3A%26nbsp%3B%5C%22'summarize'%26nbsp%3Boperator%3A%26nbsp%3BFailed%26nbsp%3Bto%26nbsp%3Bresolve%26nbsp%3Bscalar%26nbsp%3Bexpression%26nbsp%3Bnamed%26nbsp%3B'CreationTime_t'%5C%22%5Cr%5Cn%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%5Cr%5Cn%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%5Cr%5Cn%26nbsp%3B%26nbsp%3B%7D%5Cr%5Cn%7D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CP%3EThx%20for%20your%20help%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1
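The "External Users Added then Removed" correlation discussed in the thread above, as an added example that is not part of the blog or its GitHub queries: a Python version of the query, with the two refinements from the comments applied (the 32-hex-character prefix seen on MemberRemoved UPNs is stripped before matching, and only #EXT# guest accounts are considered), run over constructed sample events. It goes one step beyond the KQL by also requiring the removal to follow the addition. The event dictionaries mirror the fields the TeamsData parser projects (TimeGenerated, Operation, UserId, TeamName, TeamGuid, Members); every name, GUID and value in the sample is constructed.

```python
"""Added example (not from the blog or its GitHub queries): Python version of
the "External Users Added then Removed" detection discussed in the comments.
Event shape and all sample events below are constructed for this example."""
import json
import re
from datetime import datetime, timedelta

# A MemberRemoved UPN can arrive as "<32 hex chars>user_domain#EXT#@tenant".
_HEX32_PREFIX = re.compile(r"^[0-9a-fA-F]{32}")


def normalise_upn(upn):
    """Python equivalent of KQL trim_start(@"[0-9a-fA-F]{32}", upn)."""
    return _HEX32_PREFIX.sub("", upn, count=1)


def is_external(upn):
    """Azure AD stores guest accounts as username_domain#EXT#@tenant."""
    return "#EXT#" in upn


def first_member_upn(event):
    """Equivalent of tostring(parse_json(Members)[0].UPN); None if absent."""
    try:
        return json.loads(event["Members"])[0]["UPN"]
    except (KeyError, IndexError, TypeError, ValueError):
        return None


def find_added_then_removed(events, max_minutes=60):
    """Pair each external MemberAdded event with a MemberRemoved event for the
    same UPN and team that follows it within max_minutes."""
    window = timedelta(minutes=max_minutes)
    added, removed = {}, {}
    for ev in events:
        upn = first_member_upn(ev)
        if upn is None:
            continue
        upn = normalise_upn(upn)
        if not is_external(upn):
            continue  # intra-org membership churn is out of scope here
        key = (upn.lower(), ev["TeamGuid"])
        op = ev["Operation"].lower()
        if op == "memberadded":
            added.setdefault(key, []).append((ev, upn))
        elif op == "memberremoved":
            removed.setdefault(key, []).append(ev)

    findings = []
    for key, adds in added.items():
        for add_ev, upn in adds:
            for rem_ev in removed.get(key, []):
                t_add, t_rem = add_ev["TimeGenerated"], rem_ev["TimeGenerated"]
                if t_add <= t_rem < t_add + window:
                    findings.append({
                        "UPN": upn,
                        "TeamGuid": key[1],
                        "TeamName": add_ev["TeamName"],
                        "TimeAdded": t_add,
                        "TimeRemoved": t_rem,
                        "UserWhoAdded": add_ev["UserId"],
                        "UserWhoRemoved": rem_ev["UserId"],
                    })
    return findings


def _event(minutes, operation, upn, team_guid, team_name, actor):
    """Build one constructed event in the shape the TeamsData parser emits."""
    return {
        "TimeGenerated": datetime(2020, 4, 1, 9, 0) + timedelta(minutes=minutes),
        "Operation": operation,
        "UserId": actor,
        "TeamName": team_name,
        "TeamGuid": team_guid,
        "Members": json.dumps([{"UPN": upn, "Role": 1}]),
    }


GUEST = "guest_partner.example#EXT#@contoso.example"   # constructed guest UPN
PREFIX = "0123456789abcdef0123456789abcdef"              # constructed 32-hex prefix

# Constructed sample: one guest added and removed within 20 minutes (flagged),
# an internal user with the same churn (ignored), and a guest removed a day later (ignored).
SAMPLE_EVENTS = [
    _event(0, "MemberAdded", GUEST, "19:team-a", "Finance", "owner@contoso.example"),
    _event(20, "MemberRemoved", PREFIX + GUEST, "19:team-a", "Finance", "owner@contoso.example"),
    _event(0, "MemberAdded", "bob@contoso.example", "19:team-a", "Finance", "owner@contoso.example"),
    _event(5, "MemberRemoved", PREFIX + "bob@contoso.example", "19:team-a", "Finance", "owner@contoso.example"),
    _event(0, "MemberAdded", "partner_other.example#EXT#@contoso.example", "19:team-b", "Sales", "lead@contoso.example"),
    _event(24 * 60, "MemberRemoved", PREFIX + "partner_other.example#EXT#@contoso.example", "19:team-b", "Sales", "lead@contoso.example"),
]

if __name__ == "__main__":
    for f in find_added_then_removed(SAMPLE_EVENTS):
        print(f"{f['UPN']} added to {f['TeamName']} at {f['TimeAdded']:%H:%M}, "
              f"removed at {f['TimeRemoved']:%H:%M} by {f['UserWhoRemoved']}")
```

Running the file reports only the guest in team-a; the internal user's churn and the guest removed a day later are both left out. Feeding exported query rows in place of SAMPLE_EVENTS is a quick way to sanity-check what the KQL version should return before deploying it as a scheduled rule.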
%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20first%20option%20leverages%20an%20Azure%20Logic%20App%20is%20suitable%20when%20the%20requirements%20are%20to%20quickly%20ingest%20logs%20into%20Sentinel%20with%20a%20couple%20of%20clicks%20and%20is%20best%20suited%20to%20smaller%2C%20or%20test%20environments.%20The%20second%20option%20uses%20an%20Azure%20Function%20App%20which%20is%20more%20cost%20efficient%20at%20large%20volumes%20and%20includes%20a%20number%20of%20additional%20features%20such%20as%20extended%20logs%20storage.%20This%20should%20be%20considered%20the%20primary%20option%20for%20enterprise%20scale%20deployment.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%223%22%20id%3D%22toc-hId--691577921%22%20id%3D%22toc-hId--691577921%22%20id%3D%22toc-hId--691577921%22%20id%3D%22toc-hId--691577921%22%20id%3D%22toc-hId--691577921%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EEnabling%20Audit%26nbsp%3BLogs%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETeams%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eactivity%20data%20is%20exposed%20in%20the%20Office%20365%20Audit%20log%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bunder%20the%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAudit.General%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Esubscription%2C%20and%20this%20source%20is%20used%20by%20both%20collection%20methods.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EBy%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Edefault%2C%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3BAudit%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Elogs%20are%20not%20collected%20for%20Office%20365%20tenants%2C%20however%20they%
20contain%20valuable%20data%20on%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eall%20sorts%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOffice%20365%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eactivity%2C%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Band%20I%20would%20strongly%20advise%20enabling%20Audit%20logging%20whether%20you%20are%20using%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETeams%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eor%20not.%20Details%20on%20how%20to%20enable%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bthe%20Office%20365%20audit%20log%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ecan%20be%20found%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fturn-audit-log-search-on-or-off%3Fview%3Do365-worldwide%26nbsp%3B%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehere.%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOnce%20audit%20logging%20is%20enabled%20you%20can%20proceed%20to%20deploy%20your%20chosen%20connection%20method.%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1795934912%22%20id%3D%22toc-hId-1795934912%22%20id%3D%22toc-hId-1795934912%22%20id%3D%22toc-hId-1795934912%22%20id%3D%22toc-hId-1795934912%22%3E%3CSTRONG%3EOption%201%3A%3C%2FSTRONG%3E%3C%2FH3%3E%0A%3CP%3EThis%20option%20leverages%20the%20below%20components%20and%20provides%20a%20quick%20and%20easy%20way%20to%20deploy%20connector.%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorPete%20Bryan_1%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22arch1.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189067iD6776F69611A1695%2Fimage-size%2Flarge%3
Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22arch1.png%22%20alt%3D%22Option%201%20architecture%20diagram%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EOption%201%20architecture%20diagram%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH4%20id%3D%22toc-hId--1808470910%22%20id%3D%22toc-hId--1808470910%22%20id%3D%22toc-hId--1808470910%22%20id%3D%22toc-hId--1808470910%22%20id%3D%22toc-hId--1808470910%22%3EDeployment%20steps%3A%3C%2FH4%3E%0A%3CH4%20aria-level%3D%223%22%20id%3D%22toc-hId-679041923%22%20id%3D%22toc-hId-679041923%22%20id%3D%22toc-hId-679041923%22%20id%3D%22toc-hId-679041923%22%20id%3D%22toc-hId-679041923%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ERegister%20an%20App%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH4%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIn%20order%26nbsp%3Bto%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ehandle%26nbsp%3Bthe%20aut%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ehentication%20and%20authorization%26nbsp%3Bto%20collect%26nbsp%3Bdata%20from%26nbsp%3Bthe%20API%20we%20are%20going%26nbsp%3Bto%20register%20an%20Azure%20AD%20app%20and%20authorize%20it%26nbsp%3Bto%20access%26nbsp%3Bthe%20API.%3C%2FSPAN%3E%26nbsp%3B%3CSPAN%20data-contrast%3D%22auto%22%3ETo%20do%26nbsp%3Bthis%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bnavigate%26nbsp%3Bto%26nbsp%3Bthe%20Azure%20Active%20Directory%20blade%20of%20your%20Azure%20portal%20and%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bfollow%26nbsp%3Bthe%20steps%20below%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%
3C%2FP%3E%0A%3COL%20class%3D%22lia-list-style-type-lower-alpha%22%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EClick%20on%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%98%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EApp%20Registrations%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%99%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESelect%26nbsp%3B%E2%80%98%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENew%20Registration%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%99%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EGive%20it%26nbsp%3Ba%20name%20and%20c%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Elick%20Register.%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B20134198
3%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EClick%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%98%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAPI%20Permissions%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%99%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eb%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Elade.%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%225%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EClick%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%98%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAdd%20a%20Permission%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%99%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%225%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EClick%26n
bsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%98%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOffice%20365%20Management%26nbsp%3BAPIs%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%99%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%227%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EClick%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%98%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EApplication%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AFPermissions%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%99.%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%227%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECheck%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EActivityFeed.Read%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20Click%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%98%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAdd%26nbsp%3Bpermissions%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%99%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%
3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%227%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EClick%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%98%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Egrant%26nbsp%3Badmin%20consent%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%99.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%227%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EClick%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%98%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECertificates%20and%20Secrets%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%99.%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%227%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EClick%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%98%3C%2FS
PAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENew%20Client%26nbsp%3BSecret%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%99%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%227%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EEnter%20a%20description%2C%20select%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%98%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Enever%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%99%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20Click%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%98%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAdd%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%99%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%227%22%20data-aria-level%3D%221%22%3E%3CSTRONG%3EIMPORTANT%26nbsp%3B%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E-%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EClick%20copy%20next%26nbsp%3Bto%26nbsp%3Bthe%20new%20secret%26nbsp%3Band%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Estore%3C%2FSPAN%3E%3CSPAN
%20data-contrast%3D%22auto%22%3E%26nbsp%3Bit%26nbsp%3Bsomewhere%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Etemporarily%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20You%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ecannot%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AFcome%20back%26nbsp%3Bto%20get%26nbsp%3Bthe%20secret%26nbsp%3Bonce%20you%20leave%26nbsp%3Bthe%20blade.%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%227%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECopy%26nbsp%3Bthe%20client%26nbsp%3BId%20from%26nbsp%3Bthe%20application%20properties%20and%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Estore%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bit%26nbsp%3Bsomewhere.%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251)%22%20data-font%3D%22Calibri%22%20data-listid%3D%2218%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%227%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EC%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eopy%26nbsp%3Bthe%26nbsp%3Btenant%26nbsp%3BId%20from%26nbsp%3Bthe%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Emain%20Azure%20Active%20Directory%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eblade%3C%2FSPAN%3E%3CSPA
N%20data-contrast%3D%22auto%22%3E%26nbsp%3Band%20store%20it%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22gif.gif%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F180699i44D80B138B3BB075%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22gif.gif%22%20alt%3D%22Video%20showing%20App%20Registration%20process%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EVideo%20showing%20App%20Registration%20process%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIf%20you%20get%26nbsp%3Bstuck%20with%20any%20of%26nbsp%3Bthe%20above%20steps%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Ethere%20are%20more%20details%20available%20on%20how%26nbsp%3Bto%20register%20your%20app%20available%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fskype-sdk%2Fucwa%2Fregisteringyourapplicationinazuread%26nbsp%3B%2520%20%26nbsp%3B%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH4%20id%3D%22toc-hId--1128412540%22%20id%3D%22toc-hId--1128412540%22%20id%3D%22toc-hId--1128412540%22%20id%3D%22toc-hId--1128412540%22%20id%3D%22toc-hId--1128412540%22%3
E%3CSPAN%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW207115624%20BCX0%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3ERegis%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Eering%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Ehe%20API%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW207115624%20BCX0%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Es%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW207115624%20BCX0%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Eubscrip%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207115624%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Eion%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW207115624%20BCX0%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FH4%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22EOP%20SCXW207115624%20BCX0%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CS
PAN%20class%3D%22TextRun%20SCXW26045914%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3ET%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Eo%20collec%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Ehis%20audi%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3E%26nbsp%3Bda%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Ea%20via%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Ehe%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice%2Foffice-365-management-api%2Foffice-365-management-activity-api-reference%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW26045914%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20CommentStart%20SCXW26045914%20BCX0%22%3EOffice%20365%20Managemen%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3E%26nbsp%3BAc%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Eivi%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Ey%20API%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextR
un%20SCXW26045914%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW26045914%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Ewe%20need%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Eo%20regis%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Eer%20i%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3E%26nbsp%3Bas%20a%20subscrip%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Eion.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3ET%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Ehis%20can%20be%20done%20via%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW26045914%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20CommentStart%20SCXW26045914%20BCX0%22%3EPower%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW26045914%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3ES%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW26045914%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Ehell.%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW26045914%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3ET%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Ehe%20firs%3C%2FSPAN%3E%3C
SPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3E%26nbsp%3Bs%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Eep%20will%20be%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Eo%20comple%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Ee%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Ehe%20commands%20below%20wi%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Eh%20da%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Ea%20from%20your%20subscrip%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Eion%20and%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW26045914%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Ehe%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW26045914%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3EAzure%20AD%20app%20we%20jus%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW26045914%20BCX0%22%3E%26nbsp%3Bregis%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%
registered in the previous step.

# Populate with App ID and Secret from your Azure AD app registration
# (keep the real secret out of saved scripts and shell history; load it from a secure store)
$ClientID     = "<APP_ID>"
$ClientSecret = "<CLIENT_SECRET>"
$loginURL     = "https://login.microsoftonline.com"
$tenantdomain = "<DOMAIN>.onmicrosoft.com"
# Get the tenant GUID from Properties | Directory ID under the Azure Active Directory section
$TenantGUID   = "<TENANT_GUID>"
$resource     = "https://manage.office.com"

# Client-credentials flow: exchange the app secret for a bearer token scoped to the Management Activity API
$body  = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri "$loginURL/$tenantdomain/oauth2/token?api-version=1.0" -Body $body
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}

# Start the Audit.General subscription (Teams events are published under this content type).
# PublisherIdentifier is used by the API for per-publisher request throttling; a GUID of your own is fine.
$publisher = New-Guid
Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.General&PublisherIdentifier=$publisher"

If you are having copy and paste issues with these commands you can find them on GitHub as well: https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Get-O365Data/ps_commands.txt

Once the placeholders are filled in, run the commands in PowerShell. If you get an error message stating that the tenant doesn't exist, provisioning of audit logging has not yet completed. This can take several hours, so take a break, do something relaxing, and check back later. If you continue to have issues, additional troubleshooting guidance can be found at https://docs.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api

Deploy a Logic App

The final piece to collect the data and ingest it into our Azure Sentinel workspace is a Logic App (referred to as Playbooks in Azure Sentinel). For more background on using Logic Apps to collect from a data source, check out this comprehensive blog from @Ofer_Shezaf: https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-creating-custom-connectors/ba-p/864060

Our Logic App will run on a set interval, query the Office 365 Management Activity API for audit data, and then write that data into our Azure Sentinel workspace. Below you can see the components that go into the Logic App and instructions on how to deploy it via an ARM template.

[Image: Visual view of Logic Apps flow.]

To make this simple we have created a template for you to use: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Get-O365Data. Thanks to @Nicholas DiCola (SECURITY JEDI) for turning this into an ARM template so that deployment is quick and easy via the Deploy to Azure button on GitHub. When deploying, make sure that you populate the settings with details from your Azure Sentinel workspace and the Azure AD app we configured. Additional details on how to deploy and configure these templates can be found at https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/ReadMe.md

You should note that if you run this Logic App and there is no data available for the last 5 minutes it will fail, so if you test it and get a failure at the first HTTP step, check your audit log to see whether any events occurred within the last 5 minutes. This app collects all Audit.General events, not just Teams events; Teams records are distinguished by their Workload field once they are in the workspace.
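One polling cycle of what the Logic App does, written out as an added PowerShell example so you can run it by hand and see each step succeed or fail; this is not code from the blog, the Get-O365Data template, or the Function connector. It assumes the same Azure AD app as the setup commands, the angle-bracket placeholders are values you must supply, the function name Get-DataCollectorSignature is this example's own, and the custom log name O365API is chosen so that records land in the same O365API_CL table the connectors produce. It first checks that the Audit.General subscription is enabled (the thing to verify when the Logic App fails at its first HTTP step), then lists and downloads the content blobs for the look-back window, keeps only records whose Workload is MicrosoftTeams, and posts them to the workspace with the HTTP Data Collector API. An empty window is treated as a normal outcome rather than a failure.

```powershell
# Added example (not the blog's or the playbook's code): one manual polling cycle of the
# Office 365 Management Activity API followed by ingestion into Log Analytics.
# Angle-bracket values are assumptions to replace with your own.
param(
    [string]$ClientID        = "<APP_ID>",
    [string]$ClientSecret    = "<CLIENT_SECRET>",
    [string]$TenantGUID      = "<TENANT_GUID>",
    [string]$WorkspaceId     = "<LOG_ANALYTICS_WORKSPACE_ID>",
    [string]$WorkspaceKey    = "<LOG_ANALYTICS_PRIMARY_KEY>",
    [int]$LookbackMinutes    = 5,          # same window the Logic App template polls
    [string]$LogType         = "O365API"   # custom log name; Log Analytics appends _CL
)

$ErrorActionPreference = 'Stop'
$feed = "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions"

# Client-credentials token for the Management Activity API (same flow as the setup commands).
$oauth = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantGUID/oauth2/token?api-version=1.0" `
    -Body @{ grant_type='client_credentials'; resource='https://manage.office.com'; client_id=$ClientID; client_secret=$ClientSecret }
$apiHeaders = @{ Authorization = "$($oauth.token_type) $($oauth.access_token)" }

# 1. The check to run when the Logic App fails at its first HTTP step: is the subscription enabled?
$sub = @(Invoke-RestMethod -Method Get -Headers $apiHeaders -Uri "$feed/list") |
    Where-Object { $_.contentType -eq 'Audit.General' }
if (-not $sub -or $sub.status -ne 'enabled') {
    throw "No enabled Audit.General subscription: run the /subscriptions/start call and wait for provisioning."
}

# 2. List content blobs for the window. Times are UTC at minute precision; large results are
#    paged via the NextPageUri response header, so keep following it until it is absent.
$end   = [DateTime]::UtcNow
$start = $end.AddMinutes(-$LookbackMinutes)
$fmt   = 'yyyy-MM-dd\THH:mm'
$uri   = "$feed/content?contentType=Audit.General&startTime=$($start.ToString($fmt))&endTime=$($end.ToString($fmt))"
$blobs = @()
while ($uri) {
    $resp = Invoke-WebRequest -Method Get -Headers $apiHeaders -Uri $uri -UseBasicParsing
    $page = $resp.Content | ConvertFrom-Json
    if ($page) { $blobs += @($page) }
    $uri = @($resp.Headers['NextPageUri'])[0]
}

# An empty window is normal in a quiet tenant: report it and stop instead of failing the run.
if ($blobs.Count -eq 0) {
    Write-Warning "No Audit.General content between $start and $end UTC; nothing to ingest."
    return
}

# 3. Download each blob (a JSON array of audit records) and keep only the Teams records.
$records = @()
foreach ($b in $blobs) {
    $records += @(Invoke-RestMethod -Method Get -Headers $apiHeaders -Uri $b.contentUri)
}
$teams = @($records | Where-Object { $_.Workload -eq 'MicrosoftTeams' })
Write-Host "$($blobs.Count) blob(s), $($records.Count) record(s), $($teams.Count) from Teams"
if ($teams.Count -eq 0) { return }

# 4. Write to the workspace with the HTTP Data Collector API. Each request is authenticated by an
#    HMAC-SHA256 over "method, body length, content type, x-ms-date, resource", keyed with the
#    workspace shared key; the key is a secret, so keep it in a vault rather than in this script.
function Get-DataCollectorSignature([string]$Id, [string]$Key, [string]$Date, [int]$Length) {
    $stringToSign = "POST`n$Length`napplication/json`nx-ms-date:$Date`n/api/logs"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($Key)
    $hash = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign))
    return 'SharedKey {0}:{1}' -f $Id, [Convert]::ToBase64String($hash)
}

# -InputObject keeps a single record as a JSON array; the signature covers the UTF-8 byte length.
$bodyBytes = [Text.Encoding]::UTF8.GetBytes((ConvertTo-Json -InputObject $teams -Depth 10))
$date      = [DateTime]::UtcNow.ToString('r')   # RFC 1123; must match the x-ms-date header exactly
$laHeaders = @{
    Authorization          = Get-DataCollectorSignature $WorkspaceId $WorkspaceKey $date $bodyBytes.Length
    'Log-Type'             = $LogType
    'x-ms-date'            = $date
    'time-generated-field' = 'CreationTime'   # use the event's own ISO 8601 timestamp as TimeGenerated
}
$result = Invoke-WebRequest -Method Post -Uri "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01" `
    -ContentType 'application/json' -Headers $laHeaders -Body $bodyBytes -UseBasicParsing
Write-Host "Data Collector API returned HTTP $($result.StatusCode) (200 means accepted)"
```

Run it with -LookbackMinutes 60 the first time so that a quiet tenant still returns something, then drop back to the 5-minute window the Logic App uses. If step 1 throws, the subscription is the problem, not the Logic App; if step 2 returns no blobs, the failure you saw at the first HTTP step is the empty-window case described above. Records ingested this way become rows in O365API_CL with a string column per JSON field (for example Workload_s and Operation_s), which is the shape the hunting queries later in this post expect.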
This Logic App provides a quick and simple way to start ingesting logs via the Office 365 Management Activity API. However, it may be more efficient and cost effective to use an Azure Function to achieve the same thing. @Nicholas DiCola (SECURITY JEDI) has already produced an Azure Function to do this; details on the Function and how to use it can be found on GitHub: https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/O365%20Data

Option 2

This option was created by @Andrea_Piazza, Punit Acharya, and Maitreya Bodola from Microsoft Services and utilizes a wide range of Azure features to provide a robust and efficient solution.

[Image: Option 2 architecture diagram]

Details on how to deploy this option can be found on our GitHub site: https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/O365%20DataCSharp

Once your chosen connector is running you should see a custom table called O365API_CL appear in your Azure Sentinel workspace, and logs start to appear in it. Congratulations, you are now collecting Teams events!

Monitoring Teams

As with most SaaS solutions, identity is a key attack vector when it comes to Teams, and it should be protected and monitored. As Teams uses Azure Active Directory (Azure AD) for authentication, you can collect Azure AD dat
a%20into%20Azure%20Sentinel%20using%20the%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22ContextualSpellingAndGrammarError%20SCXW179886332%20BCX0%22%3Ebuilt%20in%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3E%26nbsp%3Bconnector%20and%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3E%26nbsp%3Buse%20our%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20class%3D%22Hyperlink%20SCXW179886332%20BCX0%22%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Ftree%2Fmaster%2FDetections%2FSigninLogs%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW179886332%20BCX0%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%20data-ccp-charstyle%3D%22Hyperlink%22%3Edetections%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3E%26nbsp%3Band%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20class%3D%22Hyperlink%20SCXW179886332%20BCX0%22%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Ftree%2Fmaster%2FHunting%2520Queries%2FSigninLogs%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW179886332%20BCX0%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%20data-ccp-charstyle%3D%22Hyperlink%22%3Ehunting%20queries%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3Eto%20monitor%3C%2FSPAN%3
E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3E%26nbsp%3Bfor%20suspicious%20identity%20events%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3Ewith%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3EAzure%20Sentinel.%3C%2FSPAN%3E%3C%2FSPAN%3E%26nbsp%3B%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3EBut%20what%20about%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3ETeams%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3Especific%20threat%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3Es%3F%20T%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3Ehere%20are%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22AdvancedProofingIssue%20SCXW179886332%20BCX0%22%3Ea%20number%20of%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3E%26nbsp%3Bscenarios%20that%20an%20attacker%20could%3C%2FSPAN%3E%3C%2FSPAN%3E%
3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3E%26nbsp%3Battempt%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3E%26nbsp%3Bexploit%20in%20order%20to%20gain%20access%20to%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3Eyour%20organizations%20sensitive%20data%20with%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3ETeams%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3Ethat%20wouldn%E2%80%99t%20appear%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3Ein%20Azure%20AD%20logs%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3E.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW179886332%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW179886332%20BCX0%22%3EBelow%20we%20will%20look%20at%20some%20of%20thes
e%2C%20as%20well%20as%20ideas%20of%20how%20to%20hunt%20and%20monitor%20for%20them.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW179886332%20BCX0%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-2028655559%22%20id%3D%22toc-hId-2028655559%22%20id%3D%22toc-hId-2028655559%22%20id%3D%22toc-hId-2028655559%22%20id%3D%22toc-hId-2028655559%22%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW179886332%20BCX0%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW75051586%20BCX0%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW75051586%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3EParsing%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW75051586%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW75051586%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Ehe%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW75051586%20BCX0%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW75051586%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3ED%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW75051586%20BCX0%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW75051586%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Ea%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW75051586%20BCX0%22%20data-ccp-parastyle%3D%22heading%203%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW75051586%20BCX0%22%20data-ccp-parastyle%3D%22heading%20
3%22%3Ea%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW75051586%20BCX0%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EBefore%20building%20detections%20or%20hunting%20queries%20on%20the%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETeams%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22auto%22%3Edata%20we%20collected%20we%20ca%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3En%20use%20a%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3BKQL%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EF%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eunction%20to%20parse%20and%20normalize%20the%20data%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bto%20make%20it%20easier%20to%20use%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20For%20more%20background%20on%20Functions%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eplease%20read%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fusing-kql-functions-to-speed-up-analysis-in-azure-sentinel%2Fba-p%2F712381%22%20target%3D%22_blank%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ethis%20blog%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIn%20the%20case%20of%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETeams%26nbsp%3B%3C%2FSP
AN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22auto%22%3Edata%20we%20have%20a%20large%20number%20of%20fields%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bin%20the%20Office%20365%20Management%20API%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bthat%20are%20used%20by%20other%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOffice%20365%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eservices%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bbut%20not%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETeams%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bso%20the%20parser%20is%20going%20to%20help%20us%20select%20a%20subset%20of%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ethe%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bfields%20relevant%20to%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETeams%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%26nbsp%3B%3CSPAN%20data-contrast%3D%22auto%22%3EYou%20can%20find%20our%20suggested%20parser%20on%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Fblob%2Fmaster%2FParsers%2FTeams_parser.txt%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EGitHub%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ebut%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Byou%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bcan%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Balso%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bmodify%20this%20parser%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eto%20fit%20your%20needs%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Band%20preferences.%3C%2FSPAN%3E%3CSPAN%20da
ta-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-python%22%3E%3CCODE%3EO365API_CL%0A%7C%20where%20Workload_s%20%3D~%20%22MicrosoftTeams%22%0A%7C%20project%20TimeGenerated%2C%0A%20%20%20%20%20%20%20%20%20%20Workload%3DWorkload_s%2C%0A%20%20%20%20%20%20%20%20%20%20Operation%3DOperation_s%2C%0A%20%20%20%20%20%20%20%20%20%20TeamName%3Dcolumnifexists('TeamName_s'%2C%20%22%22)%2C%0A%20%20%20%20%20%20%20%20%20%20UserId%3Dcolumnifexists('UserId_s'%2C%20%22%22)%2C%0A%20%20%20%20%20%20%20%20%20%20AddOnName%3Dcolumnifexists('AddOnName_s'%2C%20AddOnGuid_g)%2C%0A%20%20%20%20%20%20%20%20%20%20Members%3Dcolumnifexists('Members_s'%2C%20%22%22)%2C%0A%20%20%20%20%20%20%20%20%20%20Settings%3Diif(Operation_s%20contains%20%22Setting%22%2C%20pack(%22Name%22%2C%20columnifexists('Name_s'%2C%20%22%22)%2C%20%22Old%20Value%22%2C%20columnifexists('OldValue_s'%2C%20%22%22)%2C%20%22New%20Value%22%2C%20columnifexists('NewValue_s'%2C%20%22%22))%2C%22%22)%2C%0A%20%20%20%20%20%20%20%20%20%20Details%3Dpack(%22Id%22%2C%20columnifexists('Id_g'%2C%20%22%22)%2C%20%20%22OrganizationId%22%2C%20columnifexists('OrganizationId_g'%2C%20%22%22)%2C%20%22UserType%22%2C%20columnifexists('UserType_d'%2C%20%22%22)%2C%20%22UserKey%22%2C%20columnifexists('UserKey_g'%2C%20%22%22)%2C%20%22TeamGuid%22%2C%20columnifexists('TeamGuid_s'%2C%20%22%22))%20%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26q
uot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20%20BCX0%20SCXW244636196%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX0%20SCXW244636196%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW262481137%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW262481137%20BCX0%22%3EFor%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW262481137%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW262481137%20BCX0%22%3E%26nbsp%3Bthe%20queries%20we%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW262481137%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW262481137%20BCX0%22%3Ewill%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW262481137%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW262481137%20BCX0%22%3E%26nbsp%3Blook%20at%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW262481137%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW262481137%20BCX0%22%3Ein%20the%20following%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW262481137%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW262481137%20BCX0%22%3Esections%2C%20we%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW262481137%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW262481137%20BCX0%22%3Eare%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW262481137%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20CommentStart%20SCXW262481137%20BCX0%22%3Egoing%20to%20save%20this%20parser%20with%20an%20alias%20of%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW262481137%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22SpellingError%20S
CXW262481137%20BCX0%22%3ETeamsData%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW262481137%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW262481137%20BCX0%22%3E.%3C%2FSPAN%3E%3C%2FSPAN%3E%26nbsp%3B%3CSPAN%20class%3D%22TextRun%20SCXW262481137%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW262481137%20BCX0%22%3EDetails%20on%20configuring%20and%20using%20a%20Function%20as%20a%20parser%20can%20be%20found%20in%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fusing-kql-functions-to-speed-up-analysis-in-azure-sentinel%2Fba-p%2F712381%22%20target%3D%22_self%22%3Ethis%20blog%3C%2FA%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW262481137%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW262481137%20BCX0%22%3E.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW262481137%20BCX0%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--473962383%22%20id%3D%22toc-hId--473962383%22%20id%3D%22toc-hId--473962383%22%20id%3D%22toc-hId--473962383%22%20id%3D%22toc-hId--473962383%22%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20%20BCX0%20SCXW244636196%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX0%20SCXW244636196%22%3E%3CSPAN%20class%3D%22EOP%20SCXW262481137%20BCX0%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW19368719%20BCX0%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20Comment
Start%20SCXW19368719%20BCX0%22%20data-ccp-parastyle%3D%22heading%202%22%3EHun%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW19368719%20BCX0%22%20data-ccp-parastyle%3D%22heading%202%22%3Et%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW19368719%20BCX0%22%20data-ccp-parastyle%3D%22heading%202%22%3Eing%20Queries%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW19368719%20BCX0%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20%20BCX0%20SCXW244636196%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX0%20SCXW244636196%22%3E%3CSPAN%20class%3D%22EOP%20SCXW262481137%20BCX0%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW19368719%20BCX0%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW12052349%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW12052349%20BCX0%22%3EThe%20following%20queries%20are%20designed%20to%20help%20you%20find%20suspicious%20activity%20in%20your%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW12052349%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW12052349%20BCX0%22%3ETeams%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW12052349%20BCX0%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW12052349%20BCX0
%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW12052349%20BCX0%22%3Eenvironment%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW12052349%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW12052349%20BCX0%22%3E%2C%20and%20whilst%20many%20are%20likely%20to%20return%20legitimate%20activity%20as%20well%20as%20potentially%20malicious%20activity%2C%20they%20can%20be%20useful%20in%20guiding%20your%20hunting.%20If%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW12052349%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW12052349%20BCX0%22%3Eafter%20running%20these%20queries%20you%20are%20confident%20with%20the%20results%20you%20could%20consider%20turning%20some%20or%20all%20of%20them%20into%20Azure%20Sentinel%20Analytics%20to%20alert%20on%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW12052349%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW12052349%20BCX0%22%3E.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW12052349%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW12052349%20BCX0%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW12052349%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW12052349%20BCX0%22%3EW%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW12052349%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW12052349%20BCX0%22%3Ee%20have%20included%20entity%20mapping%20elements%20at%20the%20end%20of%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW12052349%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW12052349%20BCX0%22%3Eeach%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW12052349%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW12052349%20BCX0%22%3E
%26nbsp%3Bquery%20that%20you%20c%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW12052349%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW12052349%20BCX0%22%3Ean%20use%20if%20you%20choose%20to%20use%20them%20as%20Analytics.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW12052349%20BCX0%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH4%20aria-level%3D%224%22%20id%3D%22toc-hId-2142633169%22%20id%3D%22toc-hId-2142633169%22%20id%3D%22toc-hId-2142633169%22%20id%3D%22toc-hId-2142633169%22%20id%3D%22toc-hId-2142633169%22%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EE%3C%2FSPAN%3E%3C%2FI%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3External%20users%20from%20anomalous%20organizations%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH4%3E%0A%3CP%3E%3CLI-WRAPPER%3E%3CI%3E%3C%2FI%3E%3C%2FLI-WRAPPER%3E%3C%2FP%3E%0A%3CP%20data-unlink%3D%22true%22%3E%3CEM%3EMitre%26nbsp%3BATT%26amp%3BCK%26nbsp%3Btechnique%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fattack.mitre.org%2Ftechniques%2FT1136%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3ET1136%3C%2FA%3E%26nbsp%3B%3C%2FEM%3E%3CA%20href%3D%22https%3A%2F%2Fattack.mitre.org%2Ftechniques%2FT1136%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%26nbsp%3B%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOne%20potential%26nbsp%3Bthreat%26nbsp%3Bvector%20for%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%3CI%3ETeams%26nbsp%3B%3C%2FI%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eis%26nbsp%3Bthe%20ability%2
6nbsp%3Bto%20add%20external%20contributors%26nbsp%3Bto%20your%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETeams%3C%2FSPAN%3E%3C%2FI%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eenvironment%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20Whilst%26nbsp%3Bthis%20feature%20provides%20vital%20collaboration%20capabilities%20with%20external%20organizations%20it%26nbsp%3Balso%20presents%20a%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Emeans%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bby%20which%20a%20malicious%20actor%20could%20gain%20access.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOrganizations%20will%20often%20collaborate%20closely%20with%20a%20small%20number%20of%20key%20partners%20and%20it%26nbsp%3Bis%20likely%26nbsp%3Bthat%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Emany%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eof%26nbsp%3Bthe%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eexternal%20users%20in%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETeams%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ewill%20be%20from%26nbsp%3Bthese%20organizations%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%26nbsp%3BTherefore%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bwe%20can%20look%20for%20potentially%20suspicious%20external%20users%20by%20looking%20at%26nbsp%3Bexternal%20users%20added%26nbsp%3Bto%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETeams%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ewho%20come%20from%20organization%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Es%20we%20have%20not%26nbsp%3Bobserved%20before%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%2
2%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-cpp%22%3E%3CCODE%3E%2F%2F%20If%20you%20have%20more%20than%2014%20days%20worth%20of%20Teams%20data%20change%20this%20value%20%0Alet%20data_date%20%3D%2014d%3B%20%0A%2F%2F%20If%20you%20want%20to%20look%20at%20users%20further%20back%20than%20the%20last%20day%20change%20this%20value%20%0Alet%20lookback_data%20%3D%201d%3B%20%0Alet%20known_orgs%20%3D%20(%20%0ATeamsData%20%20%0A%7C%20where%20TimeGenerated%20%26gt%3B%20ago(data_date)%20%0A%7C%20where%20Operation%20%3D~%20%22MemberAdded%22%20or%20Operation%20%3D~%20%22TeamsSessionStarted%22%20%0A%2F%2F%20Extract%20the%20correct%20UPN%20and%20parse%20our%20external%20organization%20domain%20%0A%7C%20extend%20UPN%20%3D%20iif(Operation%20%3D%3D%20%22MemberAdded%22%2C%20tostring(parse_json(Members)%5B0%5D.UPN)%2C%20UserId)%20%0A%7C%20extend%20Organization%20%3D%20tostring(split(split(UPN%2C%20%22_%22)%5B1%5D%2C%20%22%23%22)%5B0%5D)%20%0A%7C%20where%20isnotempty(Organization)%20%0A%7C%20summarize%20by%20Organization)%3B%20%0ATeamsData%20%20%0A%7C%20where%20TimeGenerated%20%26gt%3B%20ago(lookback_data)%20%0A%7C%20where%20Operation%20%3D~%20%22MemberAdded%22%20%0A%7C%20extend%20UPN%20%3D%20tostring(parse_json(Members)%5B0%5D.UPN)%20%0A%7C%20extend%20Organization%20%3D%20tostring(split(split(UPN%2C%20%22_%22)%5B1%5D%2C%20%22%23%22)%5B0%5D)%20%0A%7C%20where%20isnotempty(Organization)%20%0A%7C%20where%20Organization%20!in%20(known_orgs)%20%0A%2F%2F%20Uncomment%20the%20following%20line%20to%20map%20query%20entities%20is%20you%20plan%20to%20use%20this%20as%20a%20detection%20query%20%0A%2F%2F%7C%20extend%20timestamp%20%3D%20TimeGenerated%2
C%20AccountCustomEntity%20%3D%20UPN%20%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH4%20aria-level%3D%224%22%20id%3D%22toc-hId-335178706%22%20id%3D%22toc-hId-335178706%22%20id%3D%22toc-hId-335178706%22%20id%3D%22toc-hId-335178706%22%20id%3D%22toc-hId-335178706%22%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EExternal%3C%2FSPAN%3E%3C%2FI%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Busers%20added%26nbsp%3Bthen%20removed%3C%2FSPAN%3E%3C%2FI%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH4%3E%0A%3CP%3E%3CLI-WRAPPER%3E%3CI%3E%3C%2FI%3E%3C%2FLI-WRAPPER%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EMitre%26nbsp%3BATT%26amp%3BCK%26nbsp%3Btechnique%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fattack.mitre.org%2Ftechniques%2FT1136%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3ET1136%3C%2FA%3E%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAttackers%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bwith%20some%20level%20of%20existing%20access%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bmight%26nbsp%3Balso%20look%26nbsp%3Bto%20add%20an%20external%20account%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eto%26nbsp%3BTeams%26nbsp%3Bin%20order%26nbsp%3Bto%20access%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bor%20exfiltrate%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bdata%20before%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bremoving%26nbsp%3Bthat%26nbsp%3Buser%26nbsp%3
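The two hunts described above (external users from organizations not seen before, and external users added then quickly removed), re-implemented as an added Python example over constructed TeamsData-shaped records; this is not code from the original post or from the Azure Sentinel repository. It assumes the parser's column names (Operation, UserId, Members, Details.TeamGuid), a made-up guest-UPN suffix, and, for the second hunt, that the join key is member UPN plus TeamGuid; the `external_org_robust` helper is an added hardening that is not part of the post's query.

```python
"""Added example, not code from the original post or the Azure Sentinel repo:
the two Teams hunts above re-implemented in Python over constructed records
shaped like the TeamsData parser output. All UPNs, GUIDs and times are made up."""
import json
from datetime import datetime, timedelta

NOW = datetime(2020, 3, 27, 12, 0, 0)       # constructed "query time"
EXT = "#EXT#@contoso.onmicrosoft.com"       # constructed guest-UPN suffix


def event(op, when, actor, member="", team=""):
    """One TeamsData-shaped record; Members stays a JSON string because the
    post's KQL reads it with parse_json(Members)[0].UPN."""
    members = json.dumps([{"UPN": member, "Role": 1}]) if member else ""
    return {"Operation": op, "TimeGenerated": NOW + when, "UserId": actor,
            "Members": members, "Details": {"TeamGuid": team}}

# Constructed sample log covering the 14-day baseline and the last-day lookback.
EVENTS = [
    event("MemberAdded", timedelta(days=-10), "alice@contoso.com", "bob_fabrikam.com" + EXT, "team-1"),
    event("TeamsSessionStarted", timedelta(days=-5), "carol_tailspin.com" + EXT),
    event("MemberAdded", timedelta(days=-6), "alice@contoso.com", "frank_tailspin.com" + EXT, "team-3"),
    event("MemberRemoved", timedelta(days=-6, hours=3), "alice@contoso.com", "frank_tailspin.com" + EXT, "team-3"),
    event("MemberAdded", timedelta(hours=-3), "alice@contoso.com", "dave_fabrikam.com" + EXT, "team-1"),
    event("MemberAdded", timedelta(hours=-2), "alice@contoso.com", "mallory_unknowncorp.example" + EXT, "team-2"),
    event("MemberRemoved", timedelta(minutes=-90), "alice@contoso.com", "mallory_unknowncorp.example" + EXT, "team-2"),
    event("MemberAdded", timedelta(hours=-1), "alice@contoso.com", "eve@contoso.com", "team-2"),
]

def member_upn(ev):
    """Mirror of tostring(parse_json(Members)[0].UPN)."""
    members = json.loads(ev["Members"]) if ev["Members"] else []
    return members[0]["UPN"] if members else ""

def external_org(upn):
    """Mirror of the post's KQL split(split(UPN, "_")[1], "#")[0]. Azure AD
    B2B guest UPNs look like alias_externaldomain#EXT#@tenant, so this yields
    the external domain; an internal UPN has no "_" and yields ""."""
    parts = upn.split("_")
    return parts[1].split("#")[0] if len(parts) > 1 else ""

def external_org_robust(upn):
    """Hardened variant (added here, not in the post): anchor on the #EXT#
    guest marker and split on the LAST "_", so an alias that itself contains
    an underscore (john_doe_evil.example) is not misread as org "doe"."""
    if "#EXT#" not in upn:
        return ""
    local = upn.split("#EXT#", 1)[0]
    return local.rsplit("_", 1)[1] if "_" in local else ""

def new_organization_adds(events, now=NOW, data_date=timedelta(days=14),
                          lookback=timedelta(days=1), org_of=external_org):
    """Hunt 1: external users added in the lookback window whose organization
    was not seen in the baseline. The baseline stops where the lookback window
    starts; if the two overlapped, every new add would already be 'known'."""
    known = set()
    for ev in events:
        if not (now - data_date < ev["TimeGenerated"] <= now - lookback):
            continue
        if ev["Operation"] == "MemberAdded":
            upn = member_upn(ev)
        elif ev["Operation"] == "TeamsSessionStarted":
            upn = ev["UserId"]
        else:
            continue
        org = org_of(upn)
        if org:
            known.add(org)
    hits = []
    for ev in events:
        if ev["Operation"] != "MemberAdded" or ev["TimeGenerated"] <= now - lookback:
            continue
        upn = member_upn(ev)
        org = org_of(upn)
        if org and org not in known:
            hits.append({"UPN": upn, "Organization": org, "AddedBy": ev["UserId"],
                         "TeamGuid": ev["Details"]["TeamGuid"]})
    return hits

def added_then_removed(events, now=NOW, time_ago=timedelta(days=7),
                       time_delta=timedelta(hours=1), org_of=external_org):
    """Hunt 2: external accounts added to a team and removed again within
    time_delta. Assumption (the post's query is cut off above): join on the
    member UPN plus TeamGuid, and the removal must follow the add."""
    window = [ev for ev in events if ev["TimeGenerated"] > now - time_ago]
    removes = [ev for ev in window if ev["Operation"] == "MemberRemoved"]
    hits = []
    for add in (ev for ev in window if ev["Operation"] == "MemberAdded"):
        upn, team = member_upn(add), add["Details"]["TeamGuid"]
        for rem in removes:
            gap = rem["TimeGenerated"] - add["TimeGenerated"]
            if (org_of(upn) and member_upn(rem) == upn and rem["Details"]["TeamGuid"] == team
                    and timedelta(0) <= gap <= time_delta):
                hits.append({"UPN": upn, "TeamGuid": team, "AddedBy": add["UserId"],
                             "RemovedBy": rem["UserId"], "MinutesPresent": gap.total_seconds() / 60})
    return hits
```

On the constructed sample only mallory's add from unknowncorp.example fires the first hunt (dave's organization is already in the baseline, eve is internal) and only mallory's 30-minute membership fires the second (frank was removed after three hours).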
Bto%20hide%26nbsp%3Bthe%20access.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWe%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bcan%20look%20for%20external%20accounts%26nbsp%3Bthat%26nbsp%3Bare%20added%26nbsp%3Bto%26nbsp%3BTeams%26nbsp%3Bthen%20quickly%20removed%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bto%20see%20if%20we%20can%20identify%20such%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ebehavior%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-cpp%22%3E%3CCODE%3E%2F%2F%20If%20you%20want%20to%20look%20at%20user%20added%20further%20than%207%20days%20ago%20adjust%20this%20value%20%0Alet%20time_ago%20%3D%207d%3B%20%0A%2F%2F%20If%20you%20want%20to%20change%20the%20timeframe%20of%20how%20quickly%20accounts%20need%20to%20be%20added%20and%20removed%20change%20this%20value%20%0Alet%20time_delta%20%3D%201h%3B%20%0ATeamsData%20%20%0A%7C%20where%20TimeGenerated%20%26gt%3B%20ago(time_ago)%20%0A%7C%20where%20Operation%20%3D~%20%22MemberAdded%22%20%0A%7C%20extend%20UPN%20%3D%20tostring(parse_json(Members)%5B0%5D.UPN)%20%0A%7C%20project%20TimeAdded%3DTimeGenerated%2C%20Operation%2C%20UPN%2C%20UserWhoAdded%20%3D%20UserId%2C%20TeamName%2C%20TeamGuid%20%3D%20tostring(Details.TeamGuid)%20%0A%7C%20join%20(%20%0ATeamsData%20%20%0A%7C%20where%20TimeGenerated%20%26gt%3B%20ago(time_ago)%20%0A%7C%20where%20Operation%20%3D~%20%22MemberRemoved%22%20%0A%7C%20extend%20UPN%20%3D%20tostring(parse_json(Members)%5B0%5D.UPN)%20%0A%7C%20project%20TimeDeleted%3DTimeGenerated%2C%20Ope
ration%2C%20UPN%2C%20UserWhoDeleted%20%3D%20UserId%2C%20TeamName%2C%20TeamGuid%20%3D%20tostring(Details.TeamGuid))%20on%20UPN%2C%20TeamGuid%20%0A%7C%20where%20TimeDeleted%20%26lt%3B%20(TimeAdded%20%2B%20time_delta)%20%0A%7C%20project%20TimeAdded%2C%20TimeDeleted%2C%20UPN%2C%20UserWhoAdded%2C%20UserWhoDeleted%2C%20TeamName%2C%20TeamGuid%20%0A%2F%2F%20Uncomment%20the%20following%20line%20to%20map%20query%20entities%20is%20you%20plan%20to%20use%20this%20as%20a%20detection%20query%20%0A%2F%2F%7C%20extend%20timestamp%20%3D%20TimeAdded%2C%20AccountCustomEntity%20%3D%20UPN%20%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH4%20aria-level%3D%224%22%20id%3D%22toc-hId--1472275757%22%20id%3D%22toc-hId--1472275757%22%20id%3D%22toc-hId--1472275757%22%20id%3D%22toc-hId--1472275757%22%20id%3D%22toc-hId--1472275757%22%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3ENew%20bot%26nbsp%3Bor%20application%20added%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH4%3E%0A%3CP%3E%3CLI-WRAPPER%3E%3CI%3E%3C%2FI%3E%3C%2FLI-WRAPPER%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EMitre%26nbsp%3BATT%26amp%3BCK%26nbsp%3Btechniques%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fattack.mitre.org%2Ftechniques%2FT1176%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3ET1176%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fattack.mitre.org%2Ftechniques%2FT1119%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3ET1119%3C%2FA%3E%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22TextRun%20SCXW205985461%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CEM%3E%3CSPAN%
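The same added-then-removed correlation, as an added example written for this page rather than code from the original post or the Azure Sentinel repository. It runs over a few constructed Teams audit records and, unlike the KQL above, walks every entry of the Members array instead of only Members[0]. Field names follow the parsed TeamsData columns the query uses (Operation, UserId, Members[].UPN, TeamGuid); using CreationTime as the record timestamp is an assumption.

```python
# Added example (not from the original post or the Azure Sentinel repo):
# correlate MemberAdded / MemberRemoved records to find guest accounts removed
# from a Team shortly after being added. Every Members entry is inspected.
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data); CreationTime as the
# timestamp field is an assumption.
TEAMS_MEMBERSHIP_RECORDS = [
    # Guest added, then removed 20 minutes later: should be reported
    {"CreationTime": "2020-03-28T09:00:00", "Operation": "MemberAdded",
     "UserId": "alice@contoso.com", "TeamGuid": "team-1",
     "Members": [{"UPN": "mallory_evil.example#EXT#@contoso.onmicrosoft.com", "Role": 3}]},
    {"CreationTime": "2020-03-28T09:20:00", "Operation": "MemberRemoved",
     "UserId": "alice@contoso.com", "TeamGuid": "team-1",
     "Members": [{"UPN": "mallory_evil.example#EXT#@contoso.onmicrosoft.com", "Role": 3}]},
    # Guest removed the day before being re-added: the removal precedes the
    # addition, so a plain "within an hour of each other" check must not fire
    {"CreationTime": "2020-03-27T10:00:00", "Operation": "MemberRemoved",
     "UserId": "bob@contoso.com", "TeamGuid": "team-2",
     "Members": [{"UPN": "vendor_partner.example#EXT#@contoso.onmicrosoft.com", "Role": 3}]},
    {"CreationTime": "2020-03-28T08:00:00", "Operation": "MemberAdded",
     "UserId": "bob@contoso.com", "TeamGuid": "team-2",
     "Members": [{"UPN": "vendor_partner.example#EXT#@contoso.onmicrosoft.com", "Role": 3}]},
    # Internal user added and removed quickly: not a guest, ignored
    {"CreationTime": "2020-03-28T11:00:00", "Operation": "MemberAdded",
     "UserId": "carol@contoso.com", "TeamGuid": "team-3",
     "Members": [{"UPN": "dave@contoso.com", "Role": 1}]},
    {"CreationTime": "2020-03-28T11:05:00", "Operation": "MemberRemoved",
     "UserId": "carol@contoso.com", "TeamGuid": "team-3",
     "Members": [{"UPN": "dave@contoso.com", "Role": 1}]},
    # Bulk add where the guest is the second Members entry: Members[0] logic misses it
    {"CreationTime": "2020-03-28T12:00:00", "Operation": "MemberAdded",
     "UserId": "erin@contoso.com", "TeamGuid": "team-4",
     "Members": [{"UPN": "frank@contoso.com", "Role": 1},
                 {"UPN": "guest_other.example#EXT#@contoso.onmicrosoft.com", "Role": 3}]},
    {"CreationTime": "2020-03-28T12:30:00", "Operation": "MemberRemoved",
     "UserId": "erin@contoso.com", "TeamGuid": "team-4",
     "Members": [{"UPN": "guest_other.example#EXT#@contoso.onmicrosoft.com", "Role": 3}]},
]


def is_guest(upn: str) -> bool:
    """Azure AD B2B guest UPNs embed '#EXT#' before the home tenant suffix."""
    return "#EXT#" in upn


def _membership_events(records, operation):
    """Yield (time, actor, team, member_upn) for every Members entry of matching records."""
    for rec in records:
        if rec["Operation"].lower() != operation.lower():
            continue
        when = datetime.fromisoformat(rec["CreationTime"])
        for member in rec["Members"]:
            yield when, rec["UserId"], rec["TeamGuid"], member["UPN"]


def find_guest_added_then_removed(records, window_minutes=60):
    """Return (upn, team, added_at, removed_at, added_by, removed_by) tuples for
    guests removed from a Team within window_minutes of being added to it."""
    window = timedelta(minutes=window_minutes)
    removals = {}
    for when, actor, team, upn in _membership_events(records, "MemberRemoved"):
        removals.setdefault((upn, team), []).append((when, actor))
    hits = []
    for added_at, added_by, team, upn in _membership_events(records, "MemberAdded"):
        if not is_guest(upn):
            continue
        for removed_at, removed_by in removals.get((upn, team), []):
            # The removal must follow the addition; an earlier removal is a different episode.
            if added_at < removed_at < added_at + window:
                hits.append((upn, team, added_at, removed_at, added_by, removed_by))
    return sorted(hits, key=lambda hit: hit[2])


if __name__ == "__main__":
    for hit in find_guest_added_then_removed(TEAMS_MEMBERSHIP_RECORDS):
        print(hit)
```

Run as-is it reports the team-1 and team-4 episodes only: the team-2 removal predates its addition, and the team-3 churn involves an internal account. Shrinking the window to 15 minutes drops both hits, which is the same knob as time_delta in the KQL.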
New bot or application added

MITRE ATT&CK techniques T1176 (https://attack.mitre.org/techniques/T1176/), T1119 (https://attack.mitre.org/techniques/T1119/)

Teams has the ability to include apps or bots within a Team to extend the native feature set. Whilst many of these are included by default, there is also the option to include custom bots and apps in a Team. An attacker could use such an app to establish persistence in Teams without a user account, or to access files or other data shared on Teams. We can hunt for app or bot additions whose AddOnName has not been seen in any Team within our organization before. The historical baseline must end where the detection window begins; if the baseline runs up to now it already contains today's additions and nothing is ever reported as new.

// If you have more than 14 days worth of Teams data change this value
let data_date = 14d;
// Apps or bots first seen in this window are reported
let detection_window = 1d;
let historical_bots = (
TeamsData
// Baseline covers data_date up to the start of the detection window only
| where TimeGenerated between (ago(data_date) .. ago(detection_window))
| where isnotempty(AddOnName)
| distinct AddOnName);
TeamsData
| where TimeGenerated > ago(detection_window)
| where isnotempty(AddOnName)
// Look for add-ins we have never seen before
| where AddOnName !in (historical_bots)
// Uncomment the following line to map query entities if you plan to use this as a detection query
//| extend timestamp = TimeGenerated, AccountCustomEntity = UserId
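The first-seen check, as an added example written for this page (not code from the original post or the Azure Sentinel repository), run over constructed Teams audit records. It exists mainly to make the baseline boundary concrete: one function keeps the baseline strictly before the detection window, the other lets it overlap and consequently reports nothing. AddOnName and UserId are the parsed TeamsData columns the query uses; CreationTime as the timestamp field and the fixed evaluation time are assumptions.

```python
# Added example (not from the original post or the Azure Sentinel repo):
# report add-ons installed in the last day that never appeared in the
# preceding baseline period, and show why the baseline must not overlap the
# detection window.
from datetime import datetime, timedelta

NOW = datetime(2020, 3, 30, 12, 0, 0)  # assumed evaluation time for the sample

# Constructed sample records (not real tenant data); CreationTime as the
# timestamp field is an assumption.
TEAMS_APP_RECORDS = [
    {"CreationTime": "2020-03-20T10:00:00", "UserId": "alice@contoso.com", "AddOnName": "Polly", "TeamGuid": "team-1"},
    {"CreationTime": "2020-03-25T10:00:00", "UserId": "bob@contoso.com", "AddOnName": "Planner", "TeamGuid": "team-2"},
    # Known app installed again inside the detection window: not new
    {"CreationTime": "2020-03-30T09:00:00", "UserId": "carol@contoso.com", "AddOnName": "Polly", "TeamGuid": "team-3"},
    # Custom bot nobody has installed before: new, and it appears in two Teams
    {"CreationTime": "2020-03-30T10:00:00", "UserId": "mallory@contoso.com", "AddOnName": "HelpdeskSync", "TeamGuid": "team-4"},
    {"CreationTime": "2020-03-30T11:00:00", "UserId": "mallory@contoso.com", "AddOnName": "HelpdeskSync", "TeamGuid": "team-5"},
    # Record without an AddOnName (e.g. a membership change): ignored
    {"CreationTime": "2020-03-30T11:30:00", "UserId": "dave@contoso.com", "AddOnName": "", "TeamGuid": "team-1"},
]


def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def first_seen_addons(records, now=NOW, baseline_days=14, window_days=1):
    """Records in the last window_days whose AddOnName never appeared in the
    baseline_days before that window. Baseline: [now - baseline, now - window)."""
    baseline_start = now - timedelta(days=baseline_days)
    window_start = now - timedelta(days=window_days)
    known = {r["AddOnName"] for r in records
             if r.get("AddOnName") and baseline_start <= _ts(r) < window_start}
    return [r for r in records
            if r.get("AddOnName") and window_start <= _ts(r) <= now
            and r["AddOnName"] not in known]


def first_seen_addons_overlapping_baseline(records, now=NOW, baseline_days=14, window_days=1):
    """The pitfall: a baseline that runs up to now already contains the window's
    own records, so every add-on is 'known' and nothing is ever reported."""
    baseline_start = now - timedelta(days=baseline_days)
    window_start = now - timedelta(days=window_days)
    known = {r["AddOnName"] for r in records
             if r.get("AddOnName") and baseline_start <= _ts(r) <= now}
    return [r for r in records
            if r.get("AddOnName") and window_start <= _ts(r) <= now
            and r["AddOnName"] not in known]


if __name__ == "__main__":
    for rec in first_seen_addons(TEAMS_APP_RECORDS):
        print(rec["AddOnName"], rec["TeamGuid"], rec["UserId"])
```

With the sample data the correct version reports both HelpdeskSync installs and nothing else; the overlapping version returns an empty list. A short baseline (say three days) also reports the Polly reinstall, which is the usual source of noise when the Teams history is thin, so run the query against as much history as you have.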
User made Owner of multiple Teams

MITRE ATT&CK technique T1078 (https://attack.mitre.org/techniques/T1078/)

Commonly within an organization, users will set up Teams as needed for specific projects or topics, and will own the Teams they create. Most organizations will have different Owners for each Team, and rarely will one user be an Owner of more than a small number of Teams. An attacker seeking to elevate privileges may make themselves Owner of a large number of Teams, so we can monitor for a user being made an Owner of more Teams than expected within a short window. The Role value of 2 in the Members array is the Owner role the query checks for, and Teams are counted by GUID rather than by display name, since Team names are not unique.

// Adjust this value to change how many teams a user is made owner of before detecting
let max_owner_count = 3;
// Change this value to adjust how large a timeframe the query is run over
let time_window = 1d;
let high_owner_count = (TeamsData
| where TimeGenerated > ago(time_window)
| where Operation =~ "MemberRoleChanged"
| extend Member = tostring(parse_json(Members)[0].UPN)
| extend NewRole = toint(parse_json(Members)[0].Role)
// Role 2 = Owner
| where NewRole == 2
| extend TeamGuid = tostring(Details.TeamGuid)
| summarize dcount(TeamGuid) by Member
| where dcount_TeamGuid > max_owner_count
| project Member);
TeamsData
| where TimeGenerated > ago(time_window)
| where Operation =~ "MemberRoleChanged"
| extend Member = tostring(parse_json(Members)[0].UPN)
| extend NewRole = toint(parse_json(Members)[0].Role)
| where NewRole == 2
| where Member in (high_owner_count)
| extend TeamGuid = tostring(Details.TeamGuid)
// Uncomment the following line to map query entities if you plan to use this as a detection query
//| extend timestamp = TimeGenerated, AccountCustomEntity = Member
Multiple Teams deleted by a single user

MITRE ATT&CK techniques T1485 (https://attack.mitre.org/techniques/T1485/), T1489 (https://attack.mitre.org/techniques/T1489/)

As with ownership of a Team, the process of deleting a Team is usually carried out by individual Owners rather than by a single central user. Given that Teams are often used for critical services such as incident management, an attacker looking to cause disruption could seek to delete multiple Teams. We can monitor for a single user deleting multiple Teams to detect such activity and identify the account involved.

// Adjust this value to change how many Teams should be deleted before including
let max_delete = 3;
// Adjust this value to change the time window the query runs over
let time_window = 1d;
let deleting_users = (
TeamsData
| where TimeGenerated > ago(time_window)
| where Operation =~ "TeamDeleted"
| summarize count() by UserId
| where count_ > max_delete
| project UserId);
TeamsData
| where TimeGenerated > ago(time_window)
| where Operation =~ "TeamDeleted"
| where UserId in (deleting_users)
| extend TeamGuid = tostring(Details.TeamGuid)
| project-away AddOnName, Members, Settings
// Uncomment the following line to map query entities if you plan to use this as a detection query
//| extend timestamp = TimeGenerated, AccountCustomEntity = UserId
Other Hunting Opportunities

Once you have run these queries you can expand your hunting by combining them with other data sources such as Azure Active Directory sign-in logs or activity on other Office 365 workloads. For example, you can combine our detection for suspicious patterns of Azure Active Directory SigninLogs to the Azure Portal (https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/FailedLogonToAzurePortal.yaml) with the Teams data and look for users appearing in that detection being made an Owner of a Team. The same timeRange is used for both halves of the query:

let timeRange = 1d;
let lookBack = 7d;
let threshold_Failed = 5;
let threshold_FailedwithSingleIP = 20;
let threshold_IPAddressCount = 2;
let isGUID = "[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}";
let azPortalSignins = SigninLogs
| where TimeGenerated >= ago(timeRange)
// Azure Portal only and exclude non-failure Result Types
| where AppDisplayName has "Azure Portal" and ResultType !in ("0", "50125", "50140")
// Tagging identities not resolved to friendly names
| extend Unresolved = iff(Identity matches regex isGUID, true, false);
// Look up resolved identities from the last 7 days
let identityLookup = SigninLogs
| where TimeGenerated >= ago(lookBack)
| where not(Identity matches regex isGUID)
| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;
// Join resolved names to the unresolved list from portal sign-ins
let unresolvedNames = azPortalSignins | where Unresolved == true | join kind= inner (
   identityLookup ) on UserId
| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName
| project-away lu_UserDisplayName, lu_UserPrincipalName;
// Join sign-ins that had resolved names with the list of unresolved ones that now have a resolved name
let u_azPortalSignins = azPortalSignins | where Unresolved == false | union unresolvedNames;
let failed_signins = (u_azPortalSignins
| extend Status = strcat(ResultType, ": ", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)
| extend FullLocation = strcat(Location,'|', LocationDetails.state, '|', LocationDetails.city)
| summarize TimeGenerated = make_list(TimeGenerated), Status = make_list(Status), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()
by UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation
| mv-expand TimeGenerated, IPAddresses, Status
| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)
| project-away IPAddresses
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation
| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP
| project UserPrincipalName);
TeamsData
| where TimeGenerated > ago(timeRange)
| where Operation =~ "MemberRoleChanged"
| extend Member = tostring(parse_json(Members)[0].UPN)
| extend NewRole = toint(parse_json(Members)[0].Role)
// Role 2 = Owner
| where NewRole == 2
| where Member in (failed_signins)
| extend TeamGuid = tostring(Details.TeamGuid)

In addition you can make the SigninLogs detections specific to Teams by adding a filter for only Teams based sign-ins with:

| where AppDisplayName startswith "Microsoft Teams"
For example, this is our "Successful logon from IP and failure from a different IP" query scoped to only Teams sign-ins. The "same network" check compares the first two octets of the address; the trailing "." keeps the comparison on an octet boundary (without it 10.1.x.x and 10.10.x.x would be treated as the same block), and the string split does not produce a meaningful prefix for IPv6 addresses, so those pairs should be reviewed separately:

let timeFrame = 1d;
let logonDiff = 10m;
SigninLogs
  | where TimeGenerated >= ago(timeFrame)
  | where ResultType == "0"
  | where AppDisplayName startswith "Microsoft Teams"
  | project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, ".")[0], ".", split(IPAddress, ".")[1], ".")
  | join kind= inner (
      SigninLogs
      | where TimeGenerated >= ago(timeFrame)
      | where ResultType !in ("0", "50140")
      | where ResultDescription !~ "Other"
      | where AppDisplayName startswith "Microsoft Teams"
      | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription
  ) on UserPrincipalName, AppDisplayName
  | where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock
  | summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription
  | extend timestamp = SuccessLogonTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SuccessIPAddress
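The same success-then-failure correlation, as an added example written for this page (not code from the original post or the Azure Sentinel repository), run over constructed SigninLogs rows with the "same network" test done on parsed addresses rather than on string prefixes. The /16 size for IPv4 matches the query's first-two-octet check; treating a /64 as the same block for IPv6 is an assumption, as is carrying TimeGenerated as an ISO-8601 string.

```python
# Added example (not from the original post or the Azure Sentinel repo):
# flag a failed Teams sign-in from a different network shortly after a
# successful one, comparing /16 (IPv4) or /64 (IPv6, assumed) networks.
import ipaddress
from datetime import datetime, timedelta

# Constructed sample sign-ins (not real tenant data).
TEAMS_SIGNINS = [
    # alice: success, then failure 5 minutes later from an unrelated network -> reported
    {"TimeGenerated": "2020-03-30T08:00:00", "UserPrincipalName": "alice@contoso.com", "AppDisplayName": "Microsoft Teams", "IPAddress": "203.0.113.10", "ResultType": "0", "ResultDescription": ""},
    {"TimeGenerated": "2020-03-30T08:05:00", "UserPrincipalName": "alice@contoso.com", "AppDisplayName": "Microsoft Teams", "IPAddress": "198.51.100.7", "ResultType": "50126", "ResultDescription": "Invalid username or password"},
    # bob: 10.1.x.x and 10.10.x.x are different /16s even though "10.10.5.5" starts with "10.1" -> reported
    {"TimeGenerated": "2020-03-30T09:00:00", "UserPrincipalName": "bob@contoso.com", "AppDisplayName": "Microsoft Teams Web Client", "IPAddress": "10.1.2.3", "ResultType": "0", "ResultDescription": ""},
    {"TimeGenerated": "2020-03-30T09:03:00", "UserPrincipalName": "bob@contoso.com", "AppDisplayName": "Microsoft Teams Web Client", "IPAddress": "10.10.5.5", "ResultType": "50126", "ResultDescription": "Invalid username or password"},
    # carol: IPv6 success and failure in the same /64 -> not reported
    {"TimeGenerated": "2020-03-30T10:00:00", "UserPrincipalName": "carol@contoso.com", "AppDisplayName": "Microsoft Teams", "IPAddress": "2001:db8:1::5", "ResultType": "0", "ResultDescription": ""},
    {"TimeGenerated": "2020-03-30T10:02:00", "UserPrincipalName": "carol@contoso.com", "AppDisplayName": "Microsoft Teams", "IPAddress": "2001:db8:1::9", "ResultType": "50126", "ResultDescription": "Invalid username or password"},
    # dave: failure 30 minutes after the success, outside logonDiff -> not reported
    {"TimeGenerated": "2020-03-30T11:00:00", "UserPrincipalName": "dave@contoso.com", "AppDisplayName": "Microsoft Teams", "IPAddress": "192.0.2.1", "ResultType": "0", "ResultDescription": ""},
    {"TimeGenerated": "2020-03-30T11:30:00", "UserPrincipalName": "dave@contoso.com", "AppDisplayName": "Microsoft Teams", "IPAddress": "198.51.100.9", "ResultType": "50126", "ResultDescription": "Invalid username or password"},
    # erin: Azure Portal, not Teams -> outside the Teams scope
    {"TimeGenerated": "2020-03-30T12:00:00", "UserPrincipalName": "erin@contoso.com", "AppDisplayName": "Azure Portal", "IPAddress": "192.0.2.1", "ResultType": "0", "ResultDescription": ""},
    {"TimeGenerated": "2020-03-30T12:01:00", "UserPrincipalName": "erin@contoso.com", "AppDisplayName": "Azure Portal", "IPAddress": "198.51.100.9", "ResultType": "50126", "ResultDescription": "Invalid username or password"},
]


def same_block(ip_a, ip_b):
    """True if both addresses fall in the same /16 (IPv4) or /64 (IPv6)."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a.version != b.version:
        return False
    prefix = 16 if a.version == 4 else 64
    net_a = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{prefix}", strict=False)
    return net_a == net_b


def _ts(row):
    return datetime.fromisoformat(row["TimeGenerated"])


def teams_success_then_failure_elsewhere(signins, logon_diff_minutes=10):
    """(user, success_ip, failed_ip, result_type) for each Teams sign-in failure
    from another network within logon_diff_minutes after a successful Teams sign-in."""
    logon_diff = timedelta(minutes=logon_diff_minutes)
    teams = [s for s in signins if s["AppDisplayName"].startswith("Microsoft Teams")]
    successes = [s for s in teams if s["ResultType"] == "0"]
    # Same exclusions as the query: 50140 (keep-me-signed-in interrupt) and "Other" are not real failures
    failures = [s for s in teams
                if s["ResultType"] not in ("0", "50140")
                and s["ResultDescription"].lower() != "other"]
    hits = []
    for ok in successes:
        for bad in failures:
            if (bad["UserPrincipalName"] != ok["UserPrincipalName"]
                    or bad["AppDisplayName"] != ok["AppDisplayName"]):
                continue
            t_ok, t_bad = _ts(ok), _ts(bad)
            if t_ok < t_bad <= t_ok + logon_diff and not same_block(ok["IPAddress"], bad["IPAddress"]):
                hits.append((ok["UserPrincipalName"], ok["IPAddress"], bad["IPAddress"], bad["ResultType"]))
    return hits


if __name__ == "__main__":
    for hit in teams_success_then_failure_elsewhere(TEAMS_SIGNINS):
        print(hit)
```

Against the sample data only alice and bob are reported; widening logon_diff to an hour adds dave. The bob pair is the case the octet-boundary fix in the KQL above is there for, and the carol pair shows why IPv6 needs a prefix comparison of its own rather than a split on ".".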
gonDiff%20and%20FailedIPAddress%20!startswith%20SuccessIPBlock%0A%20%20%7C%20summarize%20FailedLogonTime%20%3D%20max(FailedLogonTime)%2C%20SuccessLogonTime%20%3D%20max(SuccessLogonTime)%20by%20UserPrincipalName%2C%20SuccessIPAddress%2C%20AppDisplayName%2C%20FailedIPAddress%2C%20ResultType%2C%20ResultDescription%20%0A%20%20%7C%20extend%20timestamp%20%3D%20SuccessLogonTime%2C%20AccountCustomEntity%20%3D%20UserPrincipalName%2C%20IPCustomEntity%20%3D%20SuccessIPAddress%0A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20data-unlink%3D%22true%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETh%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ee%20%3CEM%3ETeams%3C%2FEM%3E%26nbsp%3Bhunting%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Equeries%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bdetailed%20in%20this%20blog%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bhave%20been%20shared%20on%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ethe%20Azure%20Sentinel%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Ftree%2Fmaster%2FHunting%2520Queries%2FTeamsLogs%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EGitHub%3C%2FSPAN%3E%3C%2FA%3E%26nbsp%3B%3CSPAN%20data-contrast%3D%22auto%22%3Ealong%20with%20the%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Fblob%2Fmaster%2FParsers%2FTeams_parser.txt%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Eparser%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Ftree%2Fmaster%2FPlaybooks%2FGet-O365Data%22%20target%3D%22_self%22%20rel%3D%22noopener%20norefe
rrer%22%3ELogic%20App%3C%2FA%3E.%20W%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ee%20will%20be%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bcontinuing%20to%20develop%20detections%20and%20hunting%20queries%20for%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETeams%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22auto%22%3Edata%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eo%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ever%20time%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bso%20make%20sure%20you%20keep%20an%20eye%20on%20GitHub%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAs%20always%20if%20you%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ehave%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Byour%20own%20ideas%20for%20queries%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eor%20detections%20please%20feel%20free%20to%20contribute%20to%20the%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Fwiki%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Sentinel%20community.%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1265761%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ERecent%20events%20have%20forced%20many%20organizations%20(including%20Microsoft)%20to%20move%20to%20a%20work%20from%20home%20model%20for%20their%20users.%20In%20order%20to%20ensure%20their%26nbsp%3Busers%26nbsp%3Bremain%20connected%20and%20productive%20they%
20are%20turning%20to%20productivity%20tools%20such%20as%20Microsoft%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETeams%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eto%20host%20meetings%2C%20allow%26nbsp%3Bteams%26nbsp%3Bto%20collaborate%2C%20and%20to%20help%20colleagues%20keep%20in%20touch.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EMoving%20to%2C%20or%20increasing%20usage%20of%2C%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETeams%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22auto%22%3Emeans%20that%20the%20service%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bshould%20be%20more%20of%20a%20focus%20for%20defenders%20than%20ever%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bdue%20to%20its%20critical%20role%20in%20communications%20and%20data%20sharing.%20I%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3En%20this%26nbsp%3Bblog%26nbsp%3Bwe%20are%20going%20to%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Efocus%20on%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ehow%20we%20can%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ecollect%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETeams%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eactivity%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Elogs%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ewith%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAzure%20Sentinel%2C%20and%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Estart%20hunting%20for%20suspicious%20activity%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bin%20that%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETeams%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contra
st%3D%22auto%22%3Edata%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1265761%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConnectors%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHunting%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EUse%20Cases%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2039868%22%20slang%3D%22en-US%22%3ERe%3A%20Protecting%20your%20Teams%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2039868%22%20slang%3D%22en-US%22%3E%3CP%3EWhere%20on%20Github%20can%20we%20find%20the%20update%20queries%20to%20extract%20the%20data%20from%20the%20OfficeActivityLogs%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2042805%22%20slang%3D%22en-US%22%3ERe%3A%20Protecting%20your%20Teams%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2042805%22%20slang%3D%22en-US%22%3E%3CP%3EI%20must%20be%20missing%20something...%20I%20can't%20find%20the%20KQL%20query%20to%20create%20the%20O365API_CL%20table%20when%20I'm%20not%20using%20the%20Function%20but%20rather%20the%20native%20O365%20connector%20with%20the%20Teams%20auditing%20enabled%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
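The Teams success-then-failure sign-in query above, re-implemented in Python as an added example (not code from the original post or the Azure Sentinel repository) so its join, time-window and IP-block exclusions can be exercised offline against a handful of rows. The SigninLogs rows, user names, IP addresses and the 50140 description text are all constructed; the /16 check keeps the KQL's plain string-prefix semantics on purpose, including its known quirk.

```python
from datetime import datetime, timedelta

TIME_FRAME = timedelta(days=1)      # let timeFrame = 1d
LOGON_DIFF = timedelta(minutes=10)  # let logonDiff = 10m
NOW = datetime(2020, 3, 30, 12, 0)  # fixed "now" so the constructed sample below is reproducible

def ip_block(ip):
    """First two octets, as strcat(split(IPAddress, ".")[0], ".", split(IPAddress, ".")[1])."""
    return ".".join(ip.split(".")[:2])

def find_success_then_failure(rows, now=NOW):
    """Mirror of the KQL: Teams success, then within LOGON_DIFF a failure for the same user/app
    from an IP outside the success block. Keyed like the KQL summarize; values = latest times."""
    recent = [r for r in rows if r["TimeGenerated"] >= now - TIME_FRAME
              and r["AppDisplayName"].startswith("Microsoft Teams")]
    successes = [r for r in recent if r["ResultType"] == "0"]
    failures = [r for r in recent if r["ResultType"] not in ("0", "50140")
                and r["ResultDescription"].lower() != "other"]  # ResultDescription !~ "Other"
    hits = {}
    for s in successes:
        for f in failures:
            same_user_app = (f["UserPrincipalName"], f["AppDisplayName"]) == (s["UserPrincipalName"], s["AppDisplayName"])
            gap = f["TimeGenerated"] - s["TimeGenerated"]
            # Plain string-prefix test, inherited from the KQL: block "10.1" also matches 10.10.x.x
            if (not same_user_app or not timedelta(0) < gap <= LOGON_DIFF
                    or f["IPAddress"].startswith(ip_block(s["IPAddress"]))):
                continue
            key = (s["UserPrincipalName"], s["IPAddress"], s["AppDisplayName"],
                   f["IPAddress"], f["ResultType"], f["ResultDescription"])
            old = hits.get(key, (s["TimeGenerated"], f["TimeGenerated"]))
            hits[key] = (max(old[0], s["TimeGenerated"]), max(old[1], f["TimeGenerated"]))
    return hits

def signin(minutes_ago, upn, ip, result, desc="", app="Microsoft Teams"):
    """One constructed SigninLogs row (sample data, not from a real tenant)."""
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "UserPrincipalName": upn,
            "IPAddress": ip, "ResultType": result, "ResultDescription": desc, "AppDisplayName": app}

SAMPLE_SIGNIN_LOGS = [
    signin(30, "alice@contoso.example", "203.0.113.10", "0"),
    signin(25, "alice@contoso.example", "198.51.100.7", "50126", "Invalid username or password"),  # fires
    signin(20, "bob@contoso.example", "203.0.113.20", "0"),
    signin(15, "bob@contoso.example", "203.0.113.99", "50126", "Invalid username or password"),  # same block
    signin(12, "carol@contoso.example", "203.0.113.30", "0"),
    signin(10, "carol@contoso.example", "198.51.100.9", "50140", "Keep me signed in interrupt"),  # excluded code
    signin(8, "dave@contoso.example", "198.51.100.50", "50126", "Invalid username or password"),  # before success
    signin(5, "dave@contoso.example", "203.0.113.40", "0"),
    signin(40, "erin@contoso.example", "203.0.113.50", "0"),
    signin(25, "erin@contoso.example", "198.51.100.60", "50126", "Invalid username or password"),  # 15 min gap
]
```

Only the alice pair should be returned; bob (same /16), carol (50140), dave (failure precedes success) and erin (outside logonDiff) are the exclusions the KQL applies.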
Version history
Last update: Aug 31 2020 06:00 PM