Teams Raw Events Now Available in Defender XDR’s Advanced Hunting

Microsoft Defender XDR now supports advanced hunting for Microsoft Teams raw events, enabling security teams to investigate threats and anomalies within Teams communications. The following schema tables are available for preview:

  • MessageEvents: Contains details about messages sent/received within your organization.
  • MessageUrlInfo: Provides information about URLs shared in Teams messages.
  • MessagePostDeliveryEvents: Tracks security events occurring after message delivery.

Example Advanced Hunting Query:

// Timestamp is the advanced hunting time column (TimeGenerated is the Sentinel name)
MessagePostDeliveryEvents
| join kind=inner MessageEvents on TeamsMessageId
| join kind=inner MessageUrlInfo on TeamsMessageId
| project Timestamp, Action, ActionType, Url, SenderEmailAddress, ThreatTypes, ConfidenceLevel, DetectionMethods, ThreadType, ThreadId

🔗 Direct Query Link: https://lnkd.in/dy_RDDSi

You Should Know:

1. Extracting Suspicious URLs from Teams Messages

Use KQL to detect malicious links:

// ThreatTypes lives on MessagePostDeliveryEvents; MessageUrlInfo only carries the URL,
// so the two are joined on the message id
MessagePostDeliveryEvents
| where isnotempty(ThreatTypes) and ThreatTypes != "None"
| join kind=inner MessageUrlInfo on TeamsMessageId
| project Timestamp, Url, ThreatTypes, ConfidenceLevel

2. Identifying Phishing Attempts

Check for high-confidence threats:

MessagePostDeliveryEvents
| where ConfidenceLevel == "High"
| join kind=inner MessageEvents on TeamsMessageId
| summarize Count = count() by SenderEmailAddress
| order by Count desc
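The two queries above can be combined into one hunt that ranks senders by how many distinct threads their high-confidence detections reached, which is the pattern of an account being used to spread phishing links internally. This is an added example, not a query from the original post; it assumes only the preview schema columns named on this page and a 7-day lookback.

```kql
// Added example: senders whose Teams messages triggered high-confidence
// post-delivery detections, the URLs involved, and how many distinct
// threads were hit. Assumes the preview columns listed above; Timestamp
// is the advanced hunting time column.
let lookback = 7d;
MessagePostDeliveryEvents
| where Timestamp > ago(lookback)
| where ConfidenceLevel == "High" and isnotempty(ThreatTypes)
| join kind=inner (
    MessageEvents
    | where Timestamp > ago(lookback)
    | project TeamsMessageId, SenderEmailAddress, ThreadType, ThreadId
  ) on TeamsMessageId
| join kind=leftouter (
    MessageUrlInfo
    | where Timestamp > ago(lookback)
    | project TeamsMessageId, Url
  ) on TeamsMessageId
| summarize
    Messages  = dcount(TeamsMessageId),
    Threads   = dcount(ThreadId),
    Urls      = make_set(Url, 20),
    Threats   = make_set(ThreatTypes, 10),
    Methods   = make_set(DetectionMethods, 10),
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp)
  by SenderEmailAddress
// one detection in one thread is noise; the same sender across several threads is not
| where Threads >= 2
| order by Threads desc, Messages desc
```

Lower the `Threads >= 2` threshold (or drop it) when first validating the query in a tenant, then tune it against the volume you actually see.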

3. Automated Threat Response with PowerShell

Pull the Teams hunting tables through the Microsoft Graph advanced hunting API:

# Requires the Microsoft.Graph.Security module; ThreatHunting.Read.All is the permission for runHuntingQuery.
# Uses the advanced hunting endpoint, which exposes the Teams tables above; the threat-assessment API does not return message events.
Connect-MgGraph -Scopes "ThreatHunting.Read.All"
$query = "MessageEvents | where Timestamp > ago(1d) | project Timestamp, SenderEmailAddress, ThreadType, ThreadId | take 100"
$response = Start-MgSecurityHuntingQuery -BodyParameter @{ Query = $query }
# Each row's columns are returned in AdditionalProperties
$response.Results | ForEach-Object { $_.AdditionalProperties }

4. Linux Command for Log Analysis

Parse exported Defender results using `jq`:

# Handles both a JSON array export and newline-delimited JSON
jq -c 'if type == "array" then .[] else . end | select(.ActionType == "UrlClicked")' defender_logs.json

5. Windows Event Log Monitoring

Check Teams-related security events:

# -like needs wildcards; without them only a message that is exactly "Teams" would match
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 5000 |
    Where-Object { $_.Message -like "*Teams*" } |
    Select-Object TimeCreated, Id, Message

6. Enhancing Detection with YARA Rules

Scan Teams attachments for malware:

rule Teams_Malware_Detection
{
    meta:
        description = "Flags a PowerShell execution-policy bypass string in Teams attachments"
    strings:
        // ascii wide nocase catches the UTF-16 and mixed-case forms as well
        $suspicious = "powershell -exec bypass" ascii wide nocase
    condition:
        $suspicious
}

7. SIEM Integration (Splunk Query)

Once Teams events are forwarded to Splunk, count them by action type:

index=defender source="Teams" | stats count by ActionType 

What Undercode Says:

Microsoft Defender XDR’s Teams integration is a game-changer for SOC teams, enabling granular analysis of message-based threats. The KQL queries provided can be customized for real-time monitoring, while PowerShell and Linux commands facilitate offline log analysis. For enterprises, combining Defender with SIEM tools like Splunk ensures comprehensive threat visibility.

Expected Output:

  • Malicious URL detection in Teams chats.
  • Phishing attempt alerts with sender details.
  • Automated threat assessment via Graph API.
  • Cross-platform log analysis (Windows/Linux).

Prediction:

As collaboration tools like Teams become attack vectors, expect Defender XDR to introduce more AI-driven anomaly detection, such as behavioral analysis of message patterns and automated remediation workflows.

References:

Reported By: Markolauren Teams – Hackers Feeds
