TEAMS_ExternalUserAddedRemovedInTeams_HuntVersion.yml

id: 119d9e1c-afcc-4d23-b239-cdb4e7bf851c
name: External user added and removed in a short timeframe - Hunt Version
description: |
  'This hunting query identifies external user accounts that are added to a Team and then removed within one hour.'
requiredDataConnectors:
  - connectorId: Office365
    dataTypes:
      - OfficeActivity (Teams)
tactics:
  - Persistence
relevantTechniques:
  - T1136
query: |
  // If you want to look at user added further than 7 days ago adjust this value
  // If you want to change the timeframe of how quickly accounts need to be added and removed change this value
  let time_delta = 1h;
  OfficeActivity
  | where OfficeWorkload =~ "MicrosoftTeams" 
  | where Operation =~ "MemberAdded"
  | extend UPN = tostring(parse_json(Members)[0].UPN)
  | where UPN contains ("#EXT#")
  | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName, TeamGuid
  | join (
  OfficeActivity
  | where OfficeWorkload =~ "MicrosoftTeams" 
  | where Operation =~ "MemberRemoved"
  | extend UPN = tostring(parse_json(Members)[0].UPN)
  | where UPN contains ("#EXT#")
  | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName, TeamGuid) on UPN, TeamGuid
  | where TimeDeleted < (TimeAdded + time_delta)
  | project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName, TeamGuid
  | extend timestamp = TimeAdded, AccountCustomEntity = UPN
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity