Microsoft Teams activity M365-MicrosoftTeams

5 operations, identified by Operation in the audit log.

Operation	Description
_catch_all	Catch-all for M365-MicrosoftTeams rules matching the RecordType but no specific Operation.
MemberAdded	A user was added as a member of a Microsoft Teams team or channel.
MemberRemoved	A user was removed from a Microsoft Teams team or channel.
TeamDeleted	A Microsoft Teams team was deleted.
TeamsTenantSettingChanged	A tenant-level Microsoft Teams configuration setting was changed by an administrator.

_catch_all: Microsoft Teams activity (catch-all)

RecordType: M365-MicrosoftTeams

Description

Catch-all for M365-MicrosoftTeams rules matching the RecordType but no specific Operation.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`TeamName`	The name of the team being audited.
`ChannelName`	The name of the channel being audited.
`ChannelType`	The type of channel being audited (Standard / Private).
`Members`	The members added to or removed from a team or channel.
`AddOnName`	Name of the add-on (app/bot/tab) that generated the event.
`Name`	For settings events, the name of the setting that changed.
`OldValue`	For settings events, the previous value of the setting.
`NewValue`	For settings events, the new value of the setting.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

MemberAdded

RecordType: M365-MicrosoftTeams

Description

A user was added as a member of a Microsoft Teams team or channel.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`TeamName`	The name of the team being audited.
`ChannelName`	The name of the channel being audited.
`ChannelType`	The type of channel being audited (Standard / Private).
`Members`	The members added to or removed from a team or channel.
`AddOnName`	Name of the add-on (app/bot/tab) that generated the event.
`Name`	For settings events, the name of the setting that changed.
`OldValue`	For settings events, the previous value of the setting.
`NewValue`	For settings events, the new value of the setting.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

MemberRemoved

RecordType: M365-MicrosoftTeams

Description

A user was removed from a Microsoft Teams team or channel.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`TeamName`	The name of the team being audited.
`ChannelName`	The name of the channel being audited.
`ChannelType`	The type of channel being audited (Standard / Private).
`Members`	The members added to or removed from a team or channel.
`AddOnName`	Name of the add-on (app/bot/tab) that generated the event.
`Name`	For settings events, the name of the setting that changed.
`OldValue`	For settings events, the previous value of the setting.
`NewValue`	For settings events, the new value of the setting.

Detection Rules #

View all rules referencing this event →

YARA-L #

Office 365 Teams member removed source: Detects when a user is removed from a group in Microsoft Teams.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

TeamDeleted

RecordType: M365-MicrosoftTeams

Description

A Microsoft Teams team was deleted.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`TeamName`	The name of the team being audited.
`ChannelName`	The name of the channel being audited.
`ChannelType`	The type of channel being audited (Standard / Private).
`Members`	The members added to or removed from a team or channel.
`AddOnName`	Name of the add-on (app/bot/tab) that generated the event.
`Name`	For settings events, the name of the setting that changed.
`OldValue`	For settings events, the previous value of the setting.
`NewValue`	For settings events, the new value of the setting.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`m365::Workload`	eq	`MicrosoftTeams`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

Multiple Teams deleted by a single user source low: This detection flags the occurrences of deleting multiple teams within an hour. This data is a part of Office 365 Connector in Microsoft Sentinel.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

TeamsTenantSettingChanged

RecordType: M365-MicrosoftTeams

Description

A tenant-level Microsoft Teams configuration setting was changed by an administrator.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`TeamName`	The name of the team being audited.
`ChannelName`	The name of the channel being audited.
`ChannelType`	The type of channel being audited (Standard / Private).
`Members`	The members added to or removed from a team or channel.
`AddOnName`	Name of the add-on (app/bot/tab) that generated the event.
`Name`	For settings events, the name of the setting that changed.
`OldValue`	For settings events, the previous value of the setting.
`NewValue`	For settings events, the new value of the setting.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Teams Custom Application Interaction Enabled source medium: Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Microsoft Teams activity M365-MicrosoftTeams

_catch_all: Microsoft Teams activity (catch-all)

Description

Fields #

References #

MemberAdded

Description

Fields #

References #

MemberRemoved

Description

Fields #

Detection Rules #

YARA-L #

References #

TeamDeleted

Description

Fields #

Common Indicators #

Detection Rules #

Kusto #

References #

TeamsTenantSettingChanged

Description

Fields #

Detection Rules #

Elastic #

References #

Keyboard shortcuts

Search operators