Multiple Microsoft Teams deleted


Goal

Detect when multiple Microsoft Teams are deleted. Threat actors may want to cause disruptions in work and jeopardize relevant conversation data by deleting multiple teams.

Strategy

Monitor Microsoft Teams audit logs for events with an @evt.name value of TeamDeleted, and use the UserType value to assign a different severity to each user type (admin users, service principals, guest or anonymous users, and so on). Deleting teams is normally done by an internal admin; when the same activity is observed from an external user, it is a higher-fidelity indicator of malicious activity.

According to Microsoft, the following UserType values correspond to the user types surfaced by this detection:

  • 0 - A regular user without admin permissions.
  • 2 - An administrator in your M365 organization.
  • 6 - A service principal.
  • 10 - A guest or anonymous user.
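The detection logic described above, written out as an added example rather than the rule's actual query: it scans constructed audit events for TeamDeleted operations, counts deletions per user inside a sliding time window, and grades each finding by the UserType values listed above. The event shape, the threshold of three deletions in ten minutes, and the UserType-to-severity mapping are all assumptions for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Microsoft UserType values from the page, mapped to an assumed severity:
# admin deletions are expected, guest/anonymous deletions are most suspicious.
SEVERITY_BY_USER_TYPE = {2: "low", 0: "medium", 6: "medium", 10: "high"}


def _ev(ts, name, user, utype, team):
    # Constructed event shaped like the attributes the rule references
    return {"timestamp": ts, "evt.name": name, "usr.email": user, "UserType": utype, "TeamName": team}


# Constructed sample audit events (not real log data)
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00", "TeamDeleted", "admin@example.com", 2, "Finance"),
    _ev("2024-05-01T10:02:00", "TeamDeleted", "admin@example.com", 2, "HR"),
    _ev("2024-05-01T10:04:00", "TeamDeleted", "admin@example.com", 2, "Legal"),
    _ev("2024-05-01T11:00:00", "TeamDeleted", "guest_contractor#EXT#@example.com", 10, "Sales"),
    _ev("2024-05-01T11:01:00", "TeamDeleted", "guest_contractor#EXT#@example.com", 10, "Support"),
    _ev("2024-05-01T11:03:00", "TeamDeleted", "guest_contractor#EXT#@example.com", 10, "Engineering"),
    _ev("2024-05-01T12:00:00", "TeamDeleted", "alice@example.com", 0, "Marketing"),
    _ev("2024-05-01T12:01:00", "TeamCreated", "alice@example.com", 0, "Marketing-v2"),
    _ev("2024-05-01T13:00:00", "TeamDeleted", "bob@example.com", 0, "Ops"),
    _ev("2024-05-01T14:30:00", "TeamDeleted", "bob@example.com", 0, "Ops-Archive"),
]


def detect_multiple_team_deletions(events, threshold=3, window=timedelta(minutes=10)):
    """One finding per user who reaches `threshold` TeamDeleted events inside a
    sliding `window` (threshold and window are assumed tuning values)."""
    per_user = defaultdict(list)
    for ev in events:
        if ev.get("evt.name") == "TeamDeleted":  # only the operation the rule cares about
            per_user[ev["usr.email"]].append(ev)
    findings = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["timestamp"])  # ISO-8601 strings sort chronologically
        times = [datetime.fromisoformat(e["timestamp"]) for e in evs]
        start = 0
        for end in range(len(evs)):
            while times[end] - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                utype = evs[end]["UserType"]
                findings.append({"usr.email": user, "UserType": utype,
                                 "severity": SEVERITY_BY_USER_TYPE.get(utype, "medium"),
                                 "TeamName": [e["TeamName"] for e in evs[start:end + 1]]})
                break  # one finding per user is enough to start triage
    return findings
```

Running it over the sample set yields two findings: a low-severity one for the admin and a high-severity one for the guest account, while the single deletion by alice and bob's two deletions spread over ninety minutes stay below the threshold.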

Triage and response

  1. Determine whether the user {{@usr.email}} (user type {{@UserType}}) intended to delete the following Teams: {{@TeamName}}.
  2. If {{@usr.email}} did not intend to delete the observed Teams:
    • Investigate other activities performed by the user {{@usr.email}} using the Cloud SIEM - User Investigation dashboard.
    • Begin your organization’s incident response process and investigate.