The hypothesis is that an adversary is attempting to evade detection by bypassing Microsoft Defender for Office 365 (MDO) Teams protections, which could indicate lateral movement or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential advanced persistent threats that may be evading standard detection mechanisms.
KQL Query
//Total number of MDO Teams protection detections daily
// Time bounds of the available MessageEvents data, used to build complete daily series
let minTime = toscalar(MessageEvents | summarize min(Timestamp));
let maxTime = toscalar(MessageEvents | summarize max(Timestamp));
let baseQuery = MessageEvents
// Optional: uncomment to restrict to messages arriving from external threads only
//| where IsOwnedThread==0 and IsExternalThread==1
| where isnotempty(Timestamp);
// Daily count of all messages carrying any threat verdict
let totalwiththreat = baseQuery
| where isnotempty(ThreatTypes)
| make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
| extend Details = "Total Teams messages with Threat";
// Daily count of messages flagged as Phish
let totalwithphishthreat = baseQuery
| where ThreatTypes has ('Phish')
| make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
| extend Details = "Total Teams messages with Phish Threat";
// Daily count of messages flagged as Malware
let totalwithmalwarethreat = baseQuery
| where ThreatTypes has ('Malware')
| make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
| extend Details = "Total Teams messages with Malware Threat";
// Plot the three series on one chart
union totalwiththreat, totalwithphishthreat, totalwithmalwarethreat
| project Count, Details, Timestamp
| render timechart
id: c7896b13-ae4e-4164-a0a4-fbd43ae85dd4
name: Total number of MDO Teams protection detections daily
description: |
  This query visualises the total number of MDO Teams protection detections daily
description-detailed: |
  This query visualises the total number of MDO Teams protection detections daily
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageEvents
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
  //Total number of MDO Teams protection detections daily
  let minTime = toscalar(MessageEvents | summarize min(Timestamp));
  let maxTime = toscalar(MessageEvents | summarize max(Timestamp));
  let baseQuery = MessageEvents
  //| where IsOwnedThread==0 and IsExternalThread==1
  | where isnotempty(Timestamp);
  let totalwiththreat = baseQuery
  | where isnotempty(ThreatTypes)
  | make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
  | extend Details = "Total Teams messages with Threat";
  let totalwithphishthreat = baseQuery
  | where ThreatTypes has ('Phish')
  | make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
  | extend Details = "Total Teams messages with Phish Threat";
  let totalwithmalwarethreat = baseQuery
  | where ThreatTypes has ('Malware')
  | make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
  | extend Details = "Total Teams messages with Malware Threat";
  union totalwiththreat, totalwithphishthreat, totalwithmalwarethreat
  | project Count, Details, Timestamp
  | render timechart
version: 1.0.0
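The timechart above leaves it to the analyst to spot a day where detections collapse or surge. As an added example, not part of the original query or the Azure-Sentinel project, the same daily series can be scored with the built-in series_decompose_anomalies() so that days deviating from the seasonal baseline (a drop is the interesting case for a suspected protection bypass) are returned as rows rather than eyeballed. The anomaly threshold of 1.5 and the 'linefit' trend model are assumed defaults to tune per tenant.

```kql
// Added example: flag days whose Teams threat-detection count deviates from baseline
let minTime = toscalar(MessageEvents | summarize min(Timestamp));
let maxTime = toscalar(MessageEvents | summarize max(Timestamp));
MessageEvents
| where isnotempty(Timestamp)
| where isnotempty(ThreatTypes)
// One complete daily series; missing days count as 0, which is exactly what a bypass looks like
| make-series DetectionCount = count() default = 0 on Timestamp from minTime to maxTime step 1d
// Threshold 1.5 (assumed), seasonality auto-detected (-1), linear trend fit
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(DetectionCount, 1.5, -1, 'linefit')
// Expand the parallel arrays back into one row per day
| mv-expand Timestamp to typeof(datetime), DetectionCount to typeof(long),
            Anomalies to typeof(int), Score to typeof(double), Baseline to typeof(double)
| where Anomalies != 0
| extend Direction = iff(Anomalies < 0, "Drop below baseline", "Spike above baseline")
| project Timestamp, DetectionCount, Baseline = round(Baseline, 1), Score = round(Score, 2), Direction
| order by Timestamp desc
```

A "Drop below baseline" row on a day with normal Teams message volume (compare against a plain count of MessageEvents for that day) is the signal to investigate; a drop that coincides with low overall volume is more likely a quiet day than a bypass.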
Scenario: Daily scheduled backup job using Veeam Backup & Replication triggers multiple MDO Teams protection detections
Filter/Exclusion: Exclude events related to Veeam Backup & Replication by checking the process_name or command_line for “Veeam” or “backup”
Scenario: Microsoft Endpoint Manager (MEM) compliance scan runs daily and generates protection detections
Filter/Exclusion: Filter out events where the process_name is “ComplianceScan.exe” or where the source is “Microsoft Endpoint Manager”
Scenario: System Center Configuration Manager (SCCM) software inventory scan causes temporary protection detections
Filter/Exclusion: Exclude events where the process_name is “CCMExec.exe” or where the event_source is “SCCM”
Scenario: Windows Update Agent performs a system scan and triggers MDO Teams protection alerts
Filter/Exclusion: Filter out events where the process_name is “wuauclt.exe” or where the event_id corresponds to Windows Update activity
Scenario: Microsoft Defender for Endpoint (MDE) scheduled scan runs and generates false positives in MDO Teams protection
Filter/Exclusion: Exclude events where the process_name is “MsDefender.exe” or where the source is “Microsoft Defender for Endpoint”