An external Microsoft Teams member was added then removed

Goal

Detect when a Teams member is added and then removed within a short amount of time. An insider threat might add an external account to exfiltrate data and then quickly remove the user to cover their tracks.

Strategy

Using the THEN operator, monitor Microsoft Teams audit logs for an event with an @evt.name value of MemberAdded followed by one with a value of MemberRemoved, where the Members.UPN attribute contains #EXT#. The #EXT# marker denotes that the user is an external (guest) user.
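The sequence logic above, written out as an added example (not Datadog's rule engine): it replays constructed Teams audit events, pairs each MemberAdded with a later MemberRemoved for the same team and external UPN, and reports pairs that fall inside a configurable window. Field names are modeled on the Office 365 audit log schema (Operation, Members[].UPN, TeamName, UserId), and the events and tenant names are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events: one external guest added and removed 12 minutes
# apart, one internal user churned (ignored), one guest removed 6 hours later.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-05-01T10:00:00", "Operation": "MemberAdded",
     "UserId": "alice@contoso.example", "TeamName": "Finance",
     "Members": [{"UPN": "bob_partner.example#EXT#@contoso.example"}]},
    {"CreationTime": "2024-05-01T10:12:00", "Operation": "MemberRemoved",
     "UserId": "alice@contoso.example", "TeamName": "Finance",
     "Members": [{"UPN": "bob_partner.example#EXT#@contoso.example"}]},
    {"CreationTime": "2024-05-01T11:00:00", "Operation": "MemberAdded",
     "UserId": "carol@contoso.example", "TeamName": "Eng",
     "Members": [{"UPN": "dave@contoso.example"}]},
    {"CreationTime": "2024-05-01T11:05:00", "Operation": "MemberRemoved",
     "UserId": "carol@contoso.example", "TeamName": "Eng",
     "Members": [{"UPN": "dave@contoso.example"}]},
    {"CreationTime": "2024-05-02T09:00:00", "Operation": "MemberAdded",
     "UserId": "erin@contoso.example", "TeamName": "Sales",
     "Members": [{"UPN": "frank_vendor.example#EXT#@contoso.example"}]},
    {"CreationTime": "2024-05-02T15:00:00", "Operation": "MemberRemoved",
     "UserId": "erin@contoso.example", "TeamName": "Sales",
     "Members": [{"UPN": "frank_vendor.example#EXT#@contoso.example"}]},
]


def find_add_then_remove(events, window=timedelta(hours=1)):
    """Return (actor, team, external_upn, elapsed) for every external member
    that was added and then removed within `window` (the THEN condition)."""
    pending = {}  # (team, upn) -> (actor who added, time of add)
    hits = []
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        ts = datetime.fromisoformat(ev["CreationTime"])
        for member in ev.get("Members", []):
            upn = member.get("UPN", "")
            if "#EXT#" not in upn:          # only guest (external) accounts
                continue
            key = (ev["TeamName"], upn)
            if ev["Operation"] == "MemberAdded":
                pending[key] = (ev["UserId"], ts)
            elif ev["Operation"] == "MemberRemoved" and key in pending:
                actor, added_at = pending.pop(key)
                if ts - added_at <= window:
                    hits.append((actor, ev["TeamName"], upn, ts - added_at))
    return hits


if __name__ == "__main__":
    for actor, team, upn, elapsed in find_add_then_remove(SAMPLE_EVENTS):
        print(f"{actor} added and removed {upn} in {team} within {elapsed}")
```

Each hit carries the acting user (the rule's {{@usr.email}}) and the external UPN, which are the two values the triage steps below pivot on.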

Triage and response

  1. Determine if the user {{@usr.email}} intended to add and remove the external user and if the external user should indeed have been added.
  2. If {{@usr.email}} didn’t intend to add or remove the external user or the external user is not approved:
    • Investigate other activities performed by the user {{@usr.email}} using the Cloud SIEM - User Investigation dashboard.
    • Investigate the activities that were performed by the external user within the time period in which they were added and removed.
    • Begin your organization’s incident response process and investigate.