Microsoft Sentinel Blog
What’s new: Microsoft Teams connector in Public Preview

Sarah_Young
Microsoft
Sep 07, 2020

This installment is part of a broader series to keep you up to date with the latest features in Microsoft Sentinel. These installments will be bite-sized to enable you to easily digest the new content.

 

Great news! You can now use an in-built connector to connect Microsoft Teams logs to your Microsoft Sentinel workspace. You may already have been doing this with a custom connector that uses the Office 365 API, but this functionality is now available through an in-built connector in Sentinel.

 

Collaboration software has become even more critical with the shift in work patterns that has taken place this year, and monitoring these systems is now a priority for many organizations. The information that can be ingested using the Microsoft Teams connector includes details of actions such as file downloads, access requests sent, changes to group events, mailbox operations, and Teams events (such as chat, team, member, and channel events), as well as the details of the user who performed the actions.

 

Connecting Microsoft Teams logs to Azure Sentinel enables you to view and analyze this data in your workbooks, query it to create custom alerts, and incorporate it to improve your investigation process, giving you more insight into your Office 365 security.

 

 

How to enable Microsoft Teams log ingestion in Microsoft Sentinel

 

  1. From the Azure Sentinel navigation menu, select Data connectors.

  2. Select Office 365 from the data connectors gallery, and then select Open Connector Page on the preview pane.

  3. On the Office 365 connector page, under Configuration select the tick box with Teams (Preview) and click Apply Changes.

 

And that’s it! You will now have Teams logs from your O365 tenant connected to your Sentinel workspace.
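One way to check that the connector is delivering data, as an added example that is not part of the original post. The query relies on Teams events landing in the OfficeActivity table with OfficeWorkload set to MicrosoftTeams; the 7-day lookback is an arbitrary choice.

```kusto
// Added example: confirm Teams events are arriving through the Office 365
// connector and inventory which operations the workspace actually receives.
let lookback = 7d;  // assumption: widen or narrow to match when Teams was enabled
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload =~ "MicrosoftTeams"
// One row per operation: volume, distinct users, first and last sighting.
| summarize Events    = count(),
            Users     = dcount(UserId),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
          by Operation
// A large gap on an operation that is normally frequent suggests ingestion stalled.
| extend HoursSinceLastEvent = datetime_diff("hour", now(), LastSeen)
| order by Events desc
```

An empty result means no Teams records have reached the workspace in the lookback window; the Operation column is also the quickest way to see which Teams actions are and are not being collected.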

 

 

Get Started Today!

 

Try out the new connector and let us know your feedback using any of the channels listed in the Resources.

 

You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Microsoft Sentinel Threat Hunters GitHub community and follow the guidance.

 

Updated Nov 03, 2021
Version 13.0

9 Comments

  • Eelco510
    Copper Contributor

    Hi,

     

    Does the Microsoft Teams connector collect the same data as the procedure outlined in the article below? In other words, is it a replacement for the manual procedure described here: https://docs.microsoft.com/en-us/microsoftteams/teams-sentinel-guide#step-3-use-sentinel-to-monitor-microsoft-teams ?

    Thanks!

  • kakoytovasya
    Copper Contributor

    Hi Sarah, first of all, great article! This was a much-awaited functionality, while running the custom connector.

     

    We are trying to monitor Teams admin events, specifically policy changes, but we cannot find them. For example: New-CSTeamsMeetingPolicy. This information is coming through via the custom connector.

     

    Is there a documented list of actions that we can expect in our Log Analytics Workspace with this Teams connector?

     

    Thanks!

  • Sasuke_Ziy
    Copper Contributor

    Will there be new analytic rules added for MS Teams as well?

  • bart_vermeersch if you are already ingesting AAD sign in and audit logs to a Log Analytics workspace and this is the workspace you have put Sentinel on top of, then they are already available for Sentinel to use and there would be no additional ingestion charges.

     

    Ingesting Teams logs via the O365 connector is free.

  • Hello,

     

    Is there a per GB additional charge or any costs associated with using this Office 365 data connector in Azure Sentinel?

     

    In addition, if we already send (and pay for) AAD sign in and AAD audit logs to Azure analytics, will there be additional costs to connect these to Azure Sentinel as well?

     

    Thanks!