Skype for Business / Teams PowerShell cmdlet events M365-SkypeForBusinessCmdlets
3 operations, identified by Operation in the audit log.
| Operation | Description |
|---|---|
| _catch_all | Catch-all for M365-SkypeForBusinessCmdlets rules matching the RecordType but no specific Operation. |
| Set-CsTeamsClientConfiguration | The Teams client configuration for the organization was changed via the Teams/Skype PowerShell module. |
| Set-CsTenantFederationConfiguration | The Teams/Skype for Business tenant federation configuration was changed, controlling external communication. |
_catch_all: Skype for Business / Teams PowerShell cmdlet events (catch-all)
#Description
Catch-all for M365-SkypeForBusinessCmdlets rules matching the RecordType but no specific Operation.
Fields #
| Name | Description |
|---|---|
RecordType | AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON). |
Operation | The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS). |
Workload | The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS. |
ResultStatus | Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError. |
UserId | UPN of the user who performed the action; system-account and app@sharepoint values also appear. |
UserType | Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal. |
UserKey | Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events). |
ClientIP | IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events. |
ObjectId | For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific. |
OrganizationId | GUID of the tenant's Office 365 organization (constant per tenant). |
Id | Unique identifier (GUID) for the audit record. |
CreationTime | UTC date/time when the audit record was generated. |
Scope | Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only). |
AppAccessContext | Application context for the user or service principal that performed the action. |
References #
- Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
- Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities
Set-CsTeamsClientConfiguration
#Description
The Teams client configuration for the organization was changed via the Teams/Skype PowerShell module.
Fields #
| Name | Description |
|---|---|
RecordType | AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON). |
Operation | The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS). |
Workload | The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS. |
ResultStatus | Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError. |
UserId | UPN of the user who performed the action; system-account and app@sharepoint values also appear. |
UserType | Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal. |
UserKey | Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events). |
ClientIP | IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events. |
ObjectId | For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific. |
OrganizationId | GUID of the tenant's Office 365 organization (constant per tenant). |
Id | Unique identifier (GUID) for the audit record. |
CreationTime | UTC date/time when the audit record was generated. |
Scope | Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only). |
AppAccessContext | Application context for the user or service principal that performed the action. |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
Provider_Name | in | MicrosoftTeams | 1 rule | elastic |
Provider_Name | in | SkypeForBusiness | 1 rule | elastic |
Detection Rules #
View all rules referencing this event →Elastic #
References #
- Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
- Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities
Set-CsTenantFederationConfiguration
#Description
The Teams/Skype for Business tenant federation configuration was changed, controlling external communication.
Fields #
| Name | Description |
|---|---|
RecordType | AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON). |
Operation | The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS). |
Workload | The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS. |
ResultStatus | Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError. |
UserId | UPN of the user who performed the action; system-account and app@sharepoint values also appear. |
UserType | Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal. |
UserKey | Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events). |
ClientIP | IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events. |
ObjectId | For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific. |
OrganizationId | GUID of the tenant's Office 365 organization (constant per tenant). |
Id | Unique identifier (GUID) for the audit record. |
CreationTime | UTC date/time when the audit record was generated. |
Scope | Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only). |
AppAccessContext | Application context for the user or service principal that performed the action. |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
Provider_Name | in | MicrosoftTeams | 1 rule | elastic |
Provider_Name | in | SkypeForBusiness | 1 rule | elastic |
Detection Rules #
View all rules referencing this event →Elastic #
References #
- Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
- Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities