Multiple Microsoft Teams deleted
Goal
Detect when multiple Microsoft Teams are deleted. Threat actors may delete multiple teams to disrupt work and put the conversations and files those teams contain at risk.
Strategy
Monitor Microsoft Teams audit logs for multiple events with an @evt.name value of TeamDeleted, and use the UserType value of those events to assign different severities to different user types (admin users, service principals, guest or anonymous users, and so on). Deleting a team is normally done by an internal admin; if the same activity is observed from an external or guest user, it is a higher-fidelity indicator of malicious activity.
According to Microsoft, the following UserType values are surfaced within this detection:
- 0 - A regular user without admin permissions.
- 2 - An administrator in your M365 organization.
- 6 - A service principal.
- 10 - A guest or anonymous user.
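The detection strategy above, as an added example rather than the rule's own query: it groups raw Office 365 audit records (field names Operation, UserId, UserType, TeamName and CreationTime follow the Office 365 Management Activity API schema, not the @evt.name/@UserType attributes the rule uses after Datadog normalisation), flags any actor who deleted at least a threshold number of teams inside a time window, and rates each finding by UserType. The threshold, the window, the severity mapping and the sample records are assumptions constructed for this example.

```python
"""Added example: detect multiple Microsoft Teams deletions per actor and
rate the finding by the actor's UserType. Not Datadog's rule code."""
from collections import defaultdict
from datetime import datetime, timedelta

# UserType values Microsoft documents for Office 365 audit records.
USER_TYPE_NAMES = {0: "Regular", 2: "Admin", 6: "ServicePrincipal", 10: "Guest"}

# Severity per user type is an assumption for this example: internal admins
# are the expected actors, so they rate lowest; guests rate highest.
SEVERITY_BY_USER_TYPE = {2: "low", 6: "medium", 0: "high", 10: "critical"}

# Constructed sample audit records (all values are made up).
GUEST = "guest_user@outlook.com#EXT#@contoso.com"
SAMPLE_RECORDS = [
    {"CreationTime": "2024-03-01T09:00:00", "Operation": "TeamDeleted",
     "UserId": "admin@contoso.com", "UserType": 2, "TeamName": "Finance"},
    {"CreationTime": "2024-03-01T09:01:00", "Operation": "TeamCreated",
     "UserId": "admin@contoso.com", "UserType": 2, "TeamName": "Audit"},
    {"CreationTime": "2024-03-01T09:02:00", "Operation": "TeamDeleted",
     "UserId": "admin@contoso.com", "UserType": 2, "TeamName": "HR"},
    {"CreationTime": "2024-03-01T09:04:00", "Operation": "TeamDeleted",
     "UserId": "admin@contoso.com", "UserType": 2, "TeamName": "Legal"},
    {"CreationTime": "2024-03-01T10:00:00", "Operation": "TeamDeleted",
     "UserId": GUEST, "UserType": 10, "TeamName": "ProjectX"},
    {"CreationTime": "2024-03-01T10:00:30", "Operation": "TeamDeleted",
     "UserId": GUEST, "UserType": 10, "TeamName": "ProjectY"},
    {"CreationTime": "2024-03-01T10:01:00", "Operation": "TeamDeleted",
     "UserId": GUEST, "UserType": 10, "TeamName": "ProjectZ"},
    # One deletion by a regular user: below the threshold.
    {"CreationTime": "2024-03-01T11:00:00", "Operation": "TeamDeleted",
     "UserId": "alice@contoso.com", "UserType": 0, "TeamName": "Social"},
    # Three deletions by a regular user spread over two hours: outside the window.
    {"CreationTime": "2024-03-01T12:00:00", "Operation": "TeamDeleted",
     "UserId": "bob@contoso.com", "UserType": 0, "TeamName": "T1"},
    {"CreationTime": "2024-03-01T13:00:00", "Operation": "TeamDeleted",
     "UserId": "bob@contoso.com", "UserType": 0, "TeamName": "T2"},
    {"CreationTime": "2024-03-01T14:00:00", "Operation": "TeamDeleted",
     "UserId": "bob@contoso.com", "UserType": 0, "TeamName": "T3"},
]


def detect_multiple_team_deletions(records, threshold=3,
                                   window=timedelta(minutes=10)):
    """Return one finding per actor with >= threshold TeamDeleted events
    inside any sliding window of the given length (assumed values)."""
    by_user = defaultdict(list)
    for rec in records:
        if rec.get("Operation") != "TeamDeleted":   # the @evt.name filter
            continue
        by_user[rec["UserId"]].append(rec)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["CreationTime"])
        times = [datetime.fromisoformat(r["CreationTime"]) for r in events]
        best = None  # (start index, count) of the densest qualifying window
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[1]):
                best = (start, count)
        if best is None:
            continue
        hits = events[best[0]:best[0] + best[1]]
        user_type = hits[0]["UserType"]
        findings.append({
            "user": user,
            "user_type": USER_TYPE_NAMES.get(user_type, f"unknown({user_type})"),
            "severity": SEVERITY_BY_USER_TYPE.get(user_type, "high"),
            "teams": [r["TeamName"] for r in hits],
        })
    return findings


if __name__ == "__main__":
    for finding in detect_multiple_team_deletions(SAMPLE_RECORDS):
        print(finding)
```

With the sample data the admin's three deletions surface as a low-severity finding and the guest's three deletions as a critical one; Alice's single deletion and Bob's deletions spread across two hours produce nothing, which is the kind of tuning a practitioner should revisit for their own tenant (a long-running admin clean-up and a slow, deliberate attacker look the same to a short window).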
Triage and response
- Determine if the user {{@usr.email}} with {{@UserType}} intended to delete the following Teams: {{@TeamName}}.
- If {{@usr.email}} didn't intend to delete the observed Teams:
  - Investigate other activities performed by the user {{@usr.email}} using the Cloud SIEM - User Investigation dashboard.
  - Begin your organization's incident response process and investigate.