[Rule Deprecation] M365 Teams Guest & External Access Rules (#5721)

Fixes #5720
Terrance DeJesus
2026-02-18 10:00:24 -05:00
committed by GitHub
parent 5d98a212fc
commit 93d20b1233
2 changed files with 6 additions and 6 deletions
@@ -2,7 +2,7 @@
creation_date = "2020/11/30"
integration = ["o365"]
maturity = "production"
updated_date = "2025/12/10"
updated_date = "2026/02/11"
[rule]
author = ["Elastic"]
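Review bot: The context line `maturity = "production"` is left unchanged in this hunk while the same file's rule name gains a "Deprecated - " prefix, so the metadata still marks the rule as production. If that is the intended first stage of the deprecation, say so in the commit message; otherwise change `maturity` in this same change so the metadata and the name agree.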
@@ -21,13 +21,13 @@ from = "now-9m"
index = ["logs-o365.audit-*", "filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 Teams External Access Enabled"
name = "Deprecated - M365 Teams External Access Enabled"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating M365 Teams External Access Enabled
### Investigating Deprecated - M365 Teams External Access Enabled
Microsoft Teams' external access feature allows users to communicate with individuals outside their organization, facilitating collaboration. However, adversaries can exploit this by enabling external access or adding trusted domains to exfiltrate data or maintain persistence. The detection rule monitors audit logs for changes in federation settings, specifically when external access is successfully enabled, indicating potential misuse.
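Review bot: The renamed guide heading and the paragraph under it still describe the rule as active detection, and nothing in the note says why it is deprecated or what covers this behaviour now. Add one sentence at the top of the note stating the reason and naming the replacement rule, if there is one, so an analyst who opens an alert from it knows where to look.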
@@ -2,7 +2,7 @@
creation_date = "2020/11/20"
integration = ["o365"]
maturity = "production"
updated_date = "2025/12/10"
updated_date = "2026/02/11"
[rule]
author = ["Elastic"]
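Review bot: `updated_date = "2026/02/11"` is a week earlier than the commit date shown on this page (2026-02-18). Confirm the value is intended, or bump it to the merge date so it reflects when the rule last changed.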
@@ -20,13 +20,13 @@ from = "now-9m"
index = ["logs-o365.audit-*", "filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 Teams Guest Access Enabled"
name = "Deprecated - M365 Teams Guest Access Enabled"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating M365 Teams Guest Access Enabled
### Investigating Deprecated - M365 Teams Guest Access Enabled
Microsoft Teams allows organizations to collaborate with external users through guest access, facilitating communication and teamwork. However, adversaries can exploit this feature to gain persistent access to sensitive environments by enabling guest access without authorization. The detection rule monitors audit logs for specific configurations that indicate guest access has been enabled, helping identify unauthorized changes and potential security breaches.
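Review bot: Changing `name` to "Deprecated - M365 Teams Guest Access Enabled" will break anything that matches on the old name string, such as saved searches, dashboards or alert routing keyed on the rule name. Call the rename out in the PR description or release notes so users can update those references.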