
Analytics Rule - Anomalous login followed by Teams action #11450

Open
ganeshtembare opened this issue Nov 19, 2024 · 29 comments · Fixed by #11572
Comments

@ganeshtembare

Dear Team,

We are currently facing an issue with the analytic rule “Anomalous Login” identified in the Teams, and we require assistance in understanding the root cause and behavior of this alert.

When we connected with Microsoft regarding this matter, they were unable to provide precise guidance on tracking the necessary details. Specifically, in the logs, we can only see the activity related to a member being added. However, we are not able to identify:

• The user who initiated the action.
• The user or group to which a member was added.
• The exact activity or process causing the alert.

Microsoft has recommended raising this request with the community for further insights. We would like your assistance in understanding the following:

  1. Why this alert is triggered.
  2. The detailed process and logs associated with this alert.
  3. Any additional context or configurations we might need to ensure accurate tracking and resolution.

Your support on this matter would be greatly appreciated. Please let us know if any additional details are required from our side to aid the investigation.

Looking forward to your guidance.

@v-visodadasi
Contributor

Hi @ganeshtembare , Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

@ganeshtembare
Author

Hi @v-sudkharat, do we have any update on the issue we have raised? Waiting for your response. Thank you in advance!!

@v-visodadasi
Contributor

Hi @ganeshtembare , What is the exact error message or alert details?

@ganeshtembare
Author

Hi @v-visodadasi

We are experiencing an issue with the "anomalous login" alert in the Teams action. Normally, when such an alert occurs and a user is added to a team group, the audit log provides the complete information, including details on which user was added, and by whom.

However, with this alert, when we examine the event timeline of the user's Office activity, we only see that members were added, but the audit logs lack details such as the group where the user was added, the identity of the user added, and who added them.

The user has confirmed that they did not add anyone directly; instead, they accepted a Teams chat request from an external source.
For example, when a conversation starts with an external account, the system prompts for acceptance at the beginning.

This is what occurred in this case, but we need clarification on who initiated the chat request and who accepted it. Also, is it possible to schedule a call so that we can have a better understanding?

@ganeshtembare
Author

Hi @everyone

This has been pending since last week; can you please provide your valuable input on this? We need to provide a response to our client as well, and the incident has been in an open state since last week.

@ganeshtembare
Author

Hi @v-visodadasi @v-sudkharat

I hope this message finds you well. We are currently awaiting your valuable feedback on the pending incident. Your insights are crucial for us to proceed further.

Could you please provide your input at your earliest convenience?

Thank you for your attention to this matter.

@v-visodadasi
Contributor

Hi @ganeshtembare, we are working on this issue and will get back to you with some updates. Thanks!

@ganeshtembare
Author

Hi @v-visodadasi, thank you for the response; I will wait to hear back from you. Thank you in advance!!

@ganeshtembare
Author

Hi @v-visodadasi, this is very urgent for us; please provide an update ASAP. Thank you for understanding our concern.

@ganeshtembare
Author

Hi @v-visodadasi @v-sudkharat, do you guys have any update on this?

@v-visodadasi
Contributor

Hi @ganeshtembare, apologies for not updating you sooner on this incident. Please know that we are actively working on this and we will update you as soon as possible.

@ganeshtembare
Author

Hi @v-visodadasi, thank you for the acknowledgment. Can you please give me the ETA for this, so I can inform the client accordingly?

@v-visodadasi
Contributor

Hi @ganeshtembare, just wanted to update you that I've connected with Shainw and Ashwin, who had previously worked on this solution. Ashwin asked for two days to provide an update. Thanks!

@ganeshtembare
Author

Hi @v-visodadasi, thank you for the update, but we request you to please check this on high priority. It has been pending for a long time.

@ganeshtembare
Author

Hi @v-visodadasi, hope you have something to share with us today.

@v-visodadasi
Contributor

Hi @ganeshtembare, we are working with the respective team; we will update you soon.

@ChanduMadhala

Hi @v-visodadasi, as mentioned, could you share the latest update? Our team has been holding this alert for the last 20 days; please prioritize this.

@v-visodadasi
Contributor

Hi @ChanduMadhala, I apologize for not updating you sooner on this incident. We are actively working on this issue and we are also waiting for Ashwin's update on it. We will update you soon.

@ganeshtembare
Author

Hi @v-visodadasi, thank you for the update, but please push from your end to check this on priority. You know it has been pending for a long time, so we request you to please close this ASAP. It has already been escalated internally.

@ChanduMadhala

Hi @v-sudkharat @v-shukore @v-visodadasi

It has been over two weeks since we raised this issue, and despite follow-ups, we haven’t received a proper resolution yet. We understand these things can take time, but the repeated delays are leading to internal escalations on our side, and the ticket is still on hold.
We request you to kindly prioritize this issue and provide a concrete update at the earliest. If possible, it would be helpful to schedule a call to discuss this further and expedite the resolution process.

Looking forward to your response.

@v-visodadasi
Contributor

Hi @ganeshtembare @ChanduMadhala, I apologize for the delays. We are actively working on the issue. I'll ensure that I update you by Monday at the latest.

Thank you for your patience and understanding.

@ChanduMadhala

Hi team @v-sudkharat @v-shukore @v-visodadasi

Please escalate a concern regarding the unresolved issue that has been ongoing for over three weeks. Despite consistent updates stating that the team is "actively working on it," we have not received a concrete resolution or detailed explanation.

This delay is causing significant challenges, including internal ticket backlogs and business aging.

The current updates do not sufficiently address the severity of the issue; please provide a detailed update or resolution as soon as possible.

Your prompt response would be greatly appreciated.

@ashwin-patil
Member

ashwin-patil commented Dec 10, 2024

Hi @ChanduMadhala, apologies for the delay. Given the holidays and end-of-year planning, this issue was handled at a lower priority. My team and I have authored multiple detections, including this one, so I can provide answers to your questions.

I have gone through previous notes, and concerns raised by you about lack of details in audit logs especially related to member added.

The purpose of the detection is to first identify suspicious logons to the Teams application based on a user's IP usage patterns, and then correlate them with specific Teams actions such as "TeamsAdminAction", "MemberAdded", "MemberRemoved", "MemberRoleChanged", "AppInstalled" and "BotAddedToTeam", which are typically worth investigating.

Now, speaking of MemberAdded events: this is typically triggered when a team owner adds members to a team, channel, or group chat. However, the note for this event says that it is also included in all chat conversations between external Teams users managed by an organization and external Teams users not managed by an organization.

Reference https://learn.microsoft.com/en-us/purview/audit-log-activities#microsoft-teams-activities

Recommendations:

  • Analyze the outputs of the first query, where it shows suspicious logons to Teams based on IP usage. Depending on your environment, you may have to filter out certain IP addresses or users to reduce the noise. If this output is scoped to a very large list of users, then you will certainly need tuning, or to adjust the threshold (currently 95; it can be increased to 98/99), to further limit the scope of users.

```kql
//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.
//The minimum number of countries that the account has been accessed from [default: 2]
let minimumCountries = 2;
//The delta (%) between the largest in-use IP and the smallest [default: 95]
let deltaThreshold = 95;
//The maximum (%) threshold that the country appears in login data [default: 10]
let countryPrevalenceThreshold = 10;
//The time to project forward after the last login activity [default: 60min]
let projectedEndTime = 60m;
let queryfrequency = 1d;
let queryperiod = 14d;
let aadFunc = (tableName: string) {
    // Get successful signins to Teams
    let signinData = table(tableName)
        | where TimeGenerated > ago(queryperiod)
        | where AppDisplayName has "Teams" and ConditionalAccessStatus =~ "success"
        | extend Country = tostring(todynamic(LocationDetails)['countryOrRegion'])
        | where isnotempty(Country) and isnotempty(IPAddress);
    // Calculate prevalence of countries
    let countryPrevalence = signinData
        | summarize CountCountrySignin = count() by Country
        | extend TotalSignin = toscalar(signinData | summarize count())
        | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;
    // Count signins by user and IP address
    let userIpSignin = signinData
        | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;
    // Calculate delta between the IP addresses with the most and minimum activity by user
    let userIpDelta = userIpSignin
        | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName
        | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;
    // Collect Team operations the user account has performed within a time range of the suspicious signins
    OfficeActivity
    | where TimeGenerated > ago(queryfrequency)
    | where Operation in~ ("TeamsAdminAction", "MemberAdded", "MemberRemoved", "MemberRoleChanged", "AppInstalled", "BotAddedToTeam")
    | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation
    | join kind = inner(
        userIpDelta
        // Check users with activity from distinct countries
        | where DistinctCountries >= minimumCountries
        // Check users with high IP delta
        | where UserIPDelta >= deltaThreshold
        // Add information about signins and countries
        | join kind = leftouter userIpSignin on UserPrincipalName
        | join kind = leftouter countryPrevalence on Country
        // Check activity that comes from nonprevalent countries
        | where CountryPrevalence < countryPrevalenceThreshold
        | project UserPrincipalName, SuspiciousIP = IPAddress, UserIPDelta, SuspiciousSigninCountry = Country, SuspiciousCountryPrevalence = CountryPrevalence, EventTimes = ListSigninTimeGenerated
    // The quoted query ends at the project line above; the closing of the join, the
    // projectedEndTime window check and the function invocation below are assumed
    // (reconstructed to make the fragment complete, not part of the quote).
    ) on $left.UserId == $right.UserPrincipalName
    // Keep the Teams operation only if it happened within projectedEndTime of a suspicious signin
    | mv-expand EventTimes
    | extend EventTimes = todatetime(EventTimes)
    | where OperationTimeGenerated between (EventTimes .. (EventTimes + projectedEndTime))
};
aadFunc("SigninLogs")
```

  • After filtering the known benign users, I have also looked at sample audit logs of MemberAdded events, where the CommunicationType field shows whether it is OneOnOne, GroupChat or Teams. You can consider filtering to only specific operations, or only to CommunicationType - Teams.
  • You can also focus on less noisy, high-fidelity operations in your environment such as MemberRoleChanged and AppInstalled, or other sensitive operations such as delete operations, messages with URL links, etc.

I would be happy to chat on a separate call if there are any follow-up questions based on the noise or output you are seeing, for faster resolution of this issue.
I am not sure if there is a way to share an email ID here, but if you have an open Azure support case, you can mention that they should reach out to me (Ashwin Patil); alternatively, my LinkedIn is in my GitHub profile, so you can drop me a message and I will share my email ID for further conversation.

Let me know accordingly.

@ChanduMadhala

Hi @ashwin-patil

Thank you so much for your detailed explanation and for clarifying the detection process. We’ve understood the concerns you addressed, but we’re facing a persistent challenge here.

Even though we aim to incorporate multiple rules—such as identifying who added a member, the exact activity performed, who initiated the communication, and other such details—we’re constrained by the limited information available in Microsoft logs. As you pointed out, many logs seem to be filtered out, and the details we need, such as the initiator of a communication, are not readily available. Currently, we can only access logs showing which member has accepted a chat.

We would like to know:
1. Are there additional activity logs or tracking mechanisms available that can provide a more detailed view of Teams activity?
2. Specifically, is it possible to correlate the chat thread ID we’re receiving with other logs or applications to track and analyze communication threads in Teams?

If you have any recommendations or alternate approaches to improve tracking and visibility into Teams activity, it would be greatly appreciated.

To streamline the process and ensure we’re aligned, we believe it would be helpful to schedule a call. A dedicated meeting would allow us to:
1. Clarify our understanding and validate whether we’re on the right track.
2. Address the challenges and gaps in logs or data collection more effectively.
3. Collaboratively identify actionable solutions to resolve the issue.

We’ve noticed that communication via chat is causing delays, and a real-time discussion will help us move forward more efficiently. If possible, we’d appreciate scheduling this call in a meeting room where everyone can join and share their thoughts directly.

Let us know your availability, and we’ll be happy to coordinate accordingly.

Looking forward to your response.

@ashwin-patil
Member

Hi @ChanduMadhala, certainly, let's chat over a call for further discussion and to answer any follow-up questions.

I do not want to put my email address here or ask for yours here for privacy reasons. If you are working with any Microsoft person, you can ask them to reach out to me internally, or drop me a message on LinkedIn (linked from my GitHub profile) to receive contact details to schedule a time. I am in the PST time zone.

@ganeshtembare
Author

Hi @ashwin-patil, I have sent a connection request on LinkedIn, so please provide your details and availability for today so we can schedule a call to discuss further.

@v-visodadasi
Contributor

Hi @ashwin-patil, I appreciate your willingness to help resolve the issue. To facilitate the conversation between you and @ChanduMadhala, would you be able to share your email ID with me? I'll ensure it's kept confidential and used only to arrange the call.

@ganeshtembare
Author

Hi @v-visodadasi, as suggested by Ashwin, I have pinged him on LinkedIn and he shared his email ID with us. I will schedule a meeting at a time that suits both Ashwin and us.

@ashwin-patil
Member

Hey @ganeshtembare, I met with the team this morning, and here is a summary and the future action items.

  • As I suspected, it seems the initial logic to find suspicious logon activity to Teams is noisy in your environment. We tried changing the threshold, but the best path I suggested is to filter it based on location. The results we analyzed from a couple of sample incidents were not at all suspicious; they can be rare successful logons, with conditional access passed, from known benign users. Added action items for adding an allowlist.
  • We also looked at the Teams activity events; MemberAdded/MemberRemoved are the most noisy. We also validated that the events do contain information about which member was added/removed, and from whom. I also showed the CommunicationType field; almost all events were related to GroupChat/OneOnOne, so adding that filtering will further reduce noise.

Action Items - MSFT/Ashwin
I will link this issue when raising the PR with the query and description update, so you will see an update to this issue.

  • Update the detection description to recommend a deny list based on location or IP ranges (location is preferred). I will also add filtering based on location in the KQL.
  • Update the Teams query logic to filter out GroupChat and OneOnOne, and only trigger for Teams member added/removed.

Action Items - Customer

  • In the meantime, until the update is pushed, analyze the known locations from which Teams logons are observed and filter those out to reduce alert noise.
  • Filter out CommunicationType in ("GroupChat", "OneOnOne") to further reduce the noise.
  • Update the detection when the query is pushed. It may not be available right away and may take several days to become available in Content Hub.
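The logic Ashwin describes above (country prevalence, per-user IP delta, then correlation with Teams operations inside the projected window) and the two tuning knobs agreed on the call (a location allowlist and the CommunicationType exclusion) can be exercised offline before touching the production rule. The following is an added example, written for this thread; it is a Python re-implementation of the KQL steps, not the Sentinel rule itself or code from the Azure-Sentinel repository. All sign-in and OfficeActivity rows are constructed (example.com users, documentation IP ranges), the field names `user`, `ip`, `country`, `op` and `ctype` are this example's own shorthand for UserPrincipalName/UserId, IPAddress, Country, Operation and CommunicationType, and the thresholds mirror the `let` values quoted earlier.

```python
"""Offline model of the 'Anomalous login followed by Teams action' logic.

Added example (not the Sentinel rule): re-implements the KQL steps quoted in
this thread over constructed data so thresholds and tuning can be tried out.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Defaults mirror the KQL 'let' values quoted in the thread.
MINIMUM_COUNTRIES = 2                       # minimumCountries
DELTA_THRESHOLD = 95                        # deltaThreshold (%)
COUNTRY_PREVALENCE_THRESHOLD = 10           # countryPrevalenceThreshold (%)
PROJECTED_END_TIME = timedelta(minutes=60)  # projectedEndTime
TEAMS_OPERATIONS = {"TeamsAdminAction", "MemberAdded", "MemberRemoved",
                    "MemberRoleChanged", "AppInstalled", "BotAddedToTeam"}


def _signins(user, ip, country, first, count):
    """Constructed SigninLogs-like rows, one per hour starting at `first`."""
    start = datetime.fromisoformat(first)
    return [{"user": user, "ip": ip, "country": country,
             "time": start + timedelta(hours=i)} for i in range(count)]


# Constructed sample data: two users with one rare-country sign-in each,
# one user who only ever signs in from the prevalent country.
SIGNINS = (
    _signins("alice@example.com", "203.0.113.5", "US", "2024-11-01T08:00", 20)
    + _signins("alice@example.com", "198.51.100.7", "NL", "2024-11-14T09:00", 1)
    + _signins("bob@example.com", "203.0.113.9", "US", "2024-11-01T08:00", 10)
    + _signins("carol@example.com", "203.0.113.12", "US", "2024-11-01T08:00", 20)
    + _signins("carol@example.com", "192.0.2.44", "IN", "2024-11-14T10:00", 1)
)
OFFICE_ACTIVITY = [  # constructed OfficeActivity-like rows
    {"user": "Alice@example.com", "op": "MemberAdded", "ctype": "Teams",
     "time": datetime.fromisoformat("2024-11-14T09:20")},
    {"user": "alice@example.com", "op": "MemberAdded", "ctype": "OneOnOne",
     "time": datetime.fromisoformat("2024-11-14T09:40")},
    {"user": "carol@example.com", "op": "MemberAdded", "ctype": "Teams",
     "time": datetime.fromisoformat("2024-11-14T10:15")},
    {"user": "alice@example.com", "op": "MemberRoleChanged", "ctype": "Teams",
     "time": datetime.fromisoformat("2024-11-14T12:30")},  # outside the window
    {"user": "bob@example.com", "op": "AppInstalled", "ctype": "Teams",
     "time": datetime.fromisoformat("2024-11-14T10:00")},  # no anomalous sign-in
]


def suspicious_signins(signins, delta_threshold=DELTA_THRESHOLD,
                       prevalence_threshold=COUNTRY_PREVALENCE_THRESHOLD,
                       minimum_countries=MINIMUM_COUNTRIES,
                       allowed_countries=frozenset()):
    """First half of the rule: {(user, ip): [sign-in times]} judged anomalous.

    `allowed_countries` is the location allowlist from the action items;
    sign-ins from those countries are never treated as suspicious.
    """
    total = len(signins)
    prevalence = {c: n * 100 / total                       # countryPrevalence
                  for c, n in Counter(s["country"] for s in signins).items()}
    times_by_ip = defaultdict(list)                        # userIpSignin
    country_of = {}
    for s in signins:
        key = (s["user"].lower(), s["ip"])
        times_by_ip[key].append(s["time"])
        country_of[key] = s["country"]
    counts_by_user = defaultdict(list)                     # feeds userIpDelta
    countries_by_user = defaultdict(set)
    for key, times in times_by_ip.items():
        counts_by_user[key[0]].append(len(times))
        countries_by_user[key[0]].add(country_of[key])
    result = {}
    for key, times in times_by_ip.items():
        user, country = key[0], country_of[key]
        counts = counts_by_user[user]
        delta = (max(counts) - min(counts)) * 100 / max(counts)  # UserIPDelta
        if (len(countries_by_user[user]) < minimum_countries
                or delta < delta_threshold
                or prevalence[country] >= prevalence_threshold
                or country in allowed_countries):
            continue
        result[key] = times
    return result


def correlate(signins, activity, allowed_countries=frozenset(),
              excluded_communication_types=frozenset()):
    """Second half: Teams operations within projectedEndTime of a suspicious sign-in.

    `excluded_communication_types` implements the agreed
    CommunicationType in ("GroupChat", "OneOnOne") exclusion.
    """
    suspicious = suspicious_signins(signins, allowed_countries=allowed_countries)
    alerts = []
    for a in activity:
        if a["op"] not in TEAMS_OPERATIONS or a["ctype"] in excluded_communication_types:
            continue
        for (user, ip), times in suspicious.items():
            if user != a["user"].lower():  # the KQL lowercases UserId before the join
                continue
            if any(t <= a["time"] <= t + PROJECTED_END_TIME for t in times):
                alerts.append({"user": user, "suspicious_ip": ip,
                               "operation": a["op"], "communication_type": a["ctype"]})
    return alerts


if __name__ == "__main__":
    print("untuned:", correlate(SIGNINS, OFFICE_ACTIVITY))
    print("tuned:  ", correlate(SIGNINS, OFFICE_ACTIVITY, allowed_countries={"IN"},
                                excluded_communication_types={"GroupChat", "OneOnOne"}))
```

Running it untuned yields three alerts (two for alice, one for carol); applying the allowlist for the known location "IN" and excluding GroupChat/OneOnOne leaves only alice's Teams-scoped MemberAdded, which is the shape of result the action items aim for. Raising `delta_threshold` to 98, as suggested for large user lists, drops both sample users, which illustrates why location filtering was preferred over threshold changes alone.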
