
[metadata]
# Housekeeping for the rule itself (not evaluated by the query engine).
# Dates are kept as "YYYY/MM/DD" strings rather than native TOML dates,
# matching how the rest of this rule set records them.
creation_date = "2020/11/30"
# Lifecycle stage of the rule; "production" here.
maturity = "production"
updated_date = "2021/03/03"
[rule]
author = ["Elastic"]
# What the rule is for and why the activity matters. Note that the text
# describes two adversary actions (enabling external access, adding an
# allowed domain) but the query below only covers the first one.
description = """
Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users
communicate with other users that are outside their organization. An adversary may enable external access or add an
allowed domain to exfiltrate data or maintain persistence in an environment.
"""
# Benign sources of this event: administrators legitimately turning on
# federation. Triage should confirm the change against a change ticket.
false_positives = [
"""
Teams external access may be enabled by a system or network administrator. Verify that the configuration change was
expected. Exceptions can be added to this rule to filter expected behavior.
""",
]
# Lookback window per rule execution.
from = "now-30m"
# Both the Filebeat o365 module (filebeat-*) and the Fleet integration
# (logs-o365*) write the audit events this rule reads.
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Teams External Access Enabled"
note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
references = ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"]
risk_score = 47
rule_id = "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51"
severity = "medium"
tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
# Schedule on ingest time rather than the event's own timestamp, presumably
# so audit records that arrive late from Microsoft 365 are not missed.
timestamp_override = "event.ingested"
type = "query"
# Detection logic (KQL):
#   - event.dataset:o365.audit                       -> Microsoft 365 unified audit log only
#   - event.provider:(SkypeForBusiness or MicrosoftTeams)
#       Teams federation is administered through the Skype for Business
#       ("Cs") cmdlets, so both providers are accepted.
#   - event.action:"Set-CsTenantFederationConfiguration"
#       The cmdlet that changes tenant-wide federation settings.
#   - o365.audit.Parameters.AllowFederatedUsers:True
#       The invocation passed AllowFederatedUsers as True.
#   - event.outcome:success                          -> failed attempts are NOT alerted on
#
# NOTE(review): this matches any invocation that passes AllowFederatedUsers=True,
# including one that re-asserts an already-enabled setting, so a hit does not
# by itself prove the value changed -- confirm against the tenant's prior state.
# NOTE(review): adding a domain via -AllowedDomains without touching
# AllowFederatedUsers is not matched here, despite the description mentioning it.
query = '''
event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and
event.category:web and event.action:"Set-CsTenantFederationConfiguration" and
o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success
'''
# MITRE ATT&CK mapping: the alert is classified as Account Manipulation
# (T1098) under the Persistence tactic (TA0003), i.e. a configuration
# change that keeps an external party's access to the tenant open.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"