Detect when a user is made owner of multiple Microsoft Teams. This could indicate an adversary or insider threat attempting to escalate the privileges of the assigned user across various team chats, as most users tend to own few teams curated to specific topics.
Monitor Microsoft Teams audit logs for events with an `@evt.name` value of `MemberRoleChanged` and a `@Members.Role` value of `2`, which indicates a change to the Owner role. Generally, most users own a few teams related to specific topics that correlate with their job role. However, if this activity is observed from an external user or a user whose job function does not correlate with the assigned team, it might be an indicator of malicious activity.
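The matching logic described above, run over a handful of events, as an added example that is not Datadog's rule definition. The event layout, the `make_event` helper, the threshold of three distinct teams and the one-hour window are assumptions, since the page states none of them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

OWNER_ROLE = 2  # Members.Role value that marks a change to Owner (from the rule text)

def make_event(ts, actor, member, team, role, name="MemberRoleChanged"):
    return {"timestamp": ts, "evt": {"name": name}, "usr": {"email": actor},
            "TeamName": team, "Members": [{"UPN": member, "Role": role}]}

SAMPLE_EVENTS = [  # constructed sample data; this field layout is an assumption
    make_event("2024-05-01T09:00:00", "admin@example.com", "guest@example.net", "Finance", 2),
    make_event("2024-05-01T09:10:00", "admin@example.com", "guest@example.net", "HR", 2),
    make_event("2024-05-01T09:12:00", "admin@example.com", "guest@example.net", "HR", 2),  # repeat
    make_event("2024-05-01T09:20:00", "admin@example.com", "guest@example.net", "Legal", 2),
    make_event("2024-05-01T09:30:00", "lead@example.com", "bob@example.com", "Sales", 1),  # not Owner
    make_event("2024-05-01T09:31:00", "lead@example.com", "bob@example.com", "Ops", 1),
    make_event("2024-05-01T09:32:00", "lead@example.com", "bob@example.com", "Docs", 1),
    make_event("2024-05-01T10:00:00", "lead@example.com", "carol@example.com", "Sales", 2),
    make_event("2024-05-02T10:00:00", "lead@example.com", "carol@example.com", "Ops", 2),  # next day
    make_event("2024-05-03T10:00:00", "lead@example.com", "carol@example.com", "Docs", 2),
]

def owner_grants(events):
    """Yield (time, assignee, team, actor) for each MemberRoleChanged event granting Owner."""
    for e in events:
        if e["evt"]["name"] == "MemberRoleChanged":
            for m in e["Members"]:
                if m["Role"] == OWNER_ROLE:
                    yield (datetime.fromisoformat(e["timestamp"]), m["UPN"],
                           e["TeamName"], e["usr"]["email"])

def detect_multi_team_owners(events, threshold=3, window=timedelta(hours=1)):
    """Map each assignee made owner of >= threshold distinct teams within one
    sliding window to the teams and actors involved (defaults are assumptions)."""
    by_user = defaultdict(list)
    for ts, upn, team, actor in owner_grants(events):
        by_user[upn].append((ts, team, actor))
    alerts = {}
    for upn, grants in by_user.items():
        grants.sort()
        start = 0
        for end in range(len(grants)):
            while grants[end][0] - grants[start][0] > window:
                start += 1
            hits = grants[start:end + 1]
            if len({t for _, t, _ in hits}) >= threshold:
                alerts[upn] = {"teams": sorted({t for _, t, _ in hits}),
                               "actors": sorted({a for _, _, a in hits})}
                break
    return alerts
```

Counting distinct teams rather than raw events keeps a repeated grant on the same team from tripping the threshold, and the returned actors are the accounts to review first during triage.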
- Determine whether `{{@usr.email}}` intended to make the assigned user `{{@Member.UPN}}` the owner of the teams within the `{{TeamName}}` attribute.
- If `{{@usr.email}}` didn’t intend to assign the owner privileges to `{{@Member.UPN}}`:
  - Investigate `{{@usr.email}}` using the Cloud SIEM - User Investigation dashboard.
  - Investigate `{{@network.client.ip}}` using the Cloud SIEM - IP Investigation dashboard.
  - Investigate the activity of `{{@Member.UPN}}` after they were assigned the owner privileges.