Detect when multiple Microsoft Teams are deleted. Threat actors may want to cause disruptions in work and jeopardize relevant conversation data by deleting multiple teams.
Monitor Microsoft Teams audit logs for events with an @evt.name value of TeamDeleted. The rule uses the UserType value to assign different levels of severity to different user types, such as admin users, service principals, guest or anonymous users, and so on. This activity should typically be performed by an internal admin; if it is observed from an external user, it might indicate a higher fidelity of malicious activity.
According to Microsoft, the following values indicate the user types surfaced within this detection:
- 0: A regular user without admin permissions.
- 2: An administrator in your M365 organization.
- 6: A service principal.
- 10: A guest or anonymous user.

- {{@usr.email}} with {{@UserType}} intended to delete the following Teams {{@TeamName}}.
- {{@usr.email}} didn’t intend to delete the observed Teams
- {{@usr.email}} using the Cloud SIEM - User Investigation dashboard.
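
The counting logic this rule describes, as an added Python example that is not Datadog's rule definition: it groups TeamDeleted events per user inside a sliding window and grades the signal by UserType. The threshold, window, severity mapping and flattened event layout are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# UserType values as listed on this page.
USER_TYPES = {0: "regular user", 2: "administrator",
              6: "service principal", 10: "guest or anonymous user"}
# Assumed severity per UserType (not from the rule): admins lowest, guests highest.
SEVERITY = {2: "low", 0: "medium", 6: "medium", 10: "high"}
THRESHOLD = 3                   # assumed meaning of "multiple" distinct teams
WINDOW = timedelta(minutes=10)  # assumed evaluation window

def detect_mass_team_deletion(events, threshold=THRESHOLD, window=WINDOW):
    """Return one signal per user who deleted >= threshold distinct teams within window."""
    per_user = defaultdict(list)
    for e in events:
        if e.get("evt.name") != "TeamDeleted":
            continue  # only team deletions count toward the threshold
        ts = datetime.fromisoformat(e["timestamp"])
        per_user[(e["usr.email"], e.get("UserType"))].append((ts, e["TeamName"]))
    signals = []
    for (email, user_type), rows in per_user.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window start forward
            teams = sorted({name for _, name in rows[start:end + 1]})
            if len(teams) >= threshold:
                signals.append({"usr.email": email, "TeamName": teams,
                                "UserType": USER_TYPES.get(user_type, "unknown"),
                                # Unlisted UserType values are graded high (assumption).
                                "severity": SEVERITY.get(user_type, "high")})
                break  # one signal per user
    return sorted(signals, key=lambda s: s["usr.email"])

def ev(name, email, user_type, team, ts):
    return {"evt.name": name, "usr.email": email, "UserType": user_type,
            "TeamName": team, "timestamp": ts}

# Constructed sample events, flattened to the attributes named on this page.
SAMPLE_EVENTS = [
    ev("TeamDeleted", "guest@partner.example", 10, "Finance", "2024-05-01T09:00:00"),
    ev("TeamDeleted", "guest@partner.example", 10, "Legal", "2024-05-01T09:02:00"),
    ev("TeamCreated", "guest@partner.example", 10, "Scratch", "2024-05-01T09:03:00"),
    ev("TeamDeleted", "guest@partner.example", 10, "HR", "2024-05-01T09:04:00"),
    ev("TeamDeleted", "admin@corp.example", 2, "A", "2024-05-01T08:00:00"),
    ev("TeamDeleted", "admin@corp.example", 2, "B", "2024-05-01T09:00:00"),
    ev("TeamDeleted", "admin@corp.example", 2, "C", "2024-05-01T10:00:00"),
]
```

With the sample events, only the guest account produces a signal: the administrator's three deletions are an hour apart and never share a window.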