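[metadata]
creation_date = "2020/11/30"
integration = ["o365"]
maturity = "production"
# Expected to be bumped whenever the rule content (query, description, note) changes.
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
# Scope is stated explicitly so analysts do not assume the rule also covers allowed-domain edits: the query below keys
# solely on the AllowFederatedUsers parameter.
description = """
Identifies when external access (federation) is enabled in Microsoft Teams, that is, when Set-CsTenantFederationConfiguration
is run with AllowFederatedUsers set to True. External access lets Teams and Skype for Business users communicate with
users outside their organization. An adversary may enable external access, or add an allowed domain, to exfiltrate data
or maintain persistence in an environment. This rule only matches the AllowFederatedUsers switch; a change that solely
edits the list of allowed domains is not matched by the query.
"""
false_positives = [
    """
    Teams external access may be enabled by a system or network administrator. Verify that the configuration change was
    expected. The query does not know the previous value of the setting, so re-applying an already-enabled configuration
    may also match. Exceptions can be added to this rule to filter expected behavior.
    """,
]
# Lookback window. O365 audit events can arrive late, which is why timestamp_override points at event.ingested below.
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Teams External Access Enabled"
note = """## Triage and analysis

### Investigating Microsoft 365 Teams External Access Enabled

This rule matches a successful Set-CsTenantFederationConfiguration call whose AllowFederatedUsers parameter is True.
Once external access is on, users in other tenants (subject to the tenant's domain allow and block lists) can reach users
in this tenant, which gives an adversary who already controls an administrative account a low-noise channel to keep a
foothold or move data out of the organization.

#### Possible investigation steps

- Identify the account that performed the change and confirm with its owner or a change record that it was planned.
- Compare the source address of the action with the account's usual activity and sign-in locations.
- Check whether the same account also changed the allowed or blocked domain lists around the same time; those changes are
not matched by this rule and are the part of the configuration that decides who can actually connect.
- Look for other administrative changes by the same account in the same period, such as new role assignments or
application consents, which would indicate a broader compromise rather than a one-off configuration change.

### Response and remediation

- If the change was not authorized, revert it and review the federation configuration for unexpected allowed domains.
- Investigate how the acting account was used; reset its credentials and revoke active sessions if compromise is
suspected.

## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"]
risk_score = 47
rule_id = "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"]
# O365 events are frequently delayed relative to their event time; keying on ingestion time avoids missing them when
# they land outside the lookback window.
timestamp_override = "event.ingested"
type = "query"
# Matches only the federation cmdlet with AllowFederatedUsers:True on a successful outcome. The event carries no prior
# value, so enabling the setting and re-applying it look identical here. Edits to the allowed/blocked domain lists
# alone do not match.
query = '''
event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and
event.category:web and event.action:"Set-CsTenantFederationConfiguration" and
o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"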