What is deployed?
- External user added and removed in short timeframe: This rule flags when external users are added to a Team and then removed within an hour.
- Multiple Teams deleted by a single user: This rule indicates when multiple Teams are deleted within one hour.
- External user from a new organization added to Teams: This query identifies external users who have been added to Teams and whose domain has not been seen before.
- Multiple Teams deleted by a single user: This query shows when multiple Teams have been deleted by a single user within a short period of time.
- Bots added to multiple Teams: This query helps identify bots that have been added to multiple Teams in a short period of time.
- User made owner of multiple Teams: This identifies users who have been made owners of multiple Teams.
- Previously unseen bot or application added to Teams: This query identifies new and possibly unapproved applications or bots added to Teams.
- Files uploaded to Teams and access summary: This query shows files uploaded to SharePoint via a Teams chat and summarizes the users and IP addresses that accessed those files. This allows for the identification of anomalous file sharing patterns.
- User added to Team and immediately uploads file: This identifies users who have been added to a Team or Chat and uploaded a file via Chat within one minute of being added. This could be an indicator of suspicious activity.
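
The correlation behind the first rule in the list (external user added and then removed within an hour), as an added Python example that is not the deployed rule's own query. The event layout, the `MemberAdded`/`MemberRemoved` operation names, the `#EXT#` guest marker and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # "within an hour", from the rule description
GUEST = "guest_partner.example#EXT#@tenant.example"   # constructed guest UPN
GUEST2 = "vendor_other.example#EXT#@tenant.example"   # constructed guest UPN

# Constructed events in a simplified, hypothetical layout (not the real audit schema):
# (timestamp, operation, team, member, actor)
EVENTS = [
    ("2024-05-01T09:00:00", "MemberAdded",   "Finance", GUEST,  "bob@tenant.example"),
    ("2024-05-01T09:20:00", "MemberRemoved", "Finance", GUEST,  "bob@tenant.example"),
    ("2024-05-01T10:00:00", "MemberAdded",   "HR",      GUEST2, "eve@tenant.example"),
    ("2024-05-01T13:00:00", "MemberRemoved", "HR",      GUEST2, "eve@tenant.example"),
    ("2024-05-01T11:00:00", "MemberAdded",   "Finance", "dave@tenant.example", "bob@tenant.example"),
    ("2024-05-01T11:05:00", "MemberRemoved", "Finance", "dave@tenant.example", "bob@tenant.example"),
    ("2024-05-01T12:00:00", "MemberAdded",   "Sales",   GUEST,  "eve@tenant.example"),
]

def is_external(member):
    # Assumption: guest accounts are recognised by the "#EXT#" marker in the UPN.
    return "#ext#" in member.lower()

def find_add_then_remove(events, window=WINDOW):
    """Findings for external members added to a team and removed within `window`."""
    # Parse and sort by time so out-of-order log delivery does not hide a pair.
    parsed = sorted((datetime.fromisoformat(t), op, team, m.lower(), actor)
                    for t, op, team, m, actor in events)
    pending, findings = {}, []          # pending: (team, member) -> (added_at, added_by)
    for ts, op, team, member, actor in parsed:
        if not is_external(member):
            continue                    # internal membership churn is out of scope
        key = (team, member)
        if op == "MemberAdded":
            pending[key] = (ts, actor)  # a re-add restarts the clock
        elif op == "MemberRemoved" and key in pending:
            added_at, added_by = pending.pop(key)
            if ts - added_at <= window:
                findings.append({"team": team, "member": member,
                                 "added_by": added_by, "removed_by": actor,
                                 "minutes": (ts - added_at).total_seconds() / 60})
    return findings

if __name__ == "__main__":
    for finding in find_add_then_remove(EVENTS):
        print(finding)
```

Only the Finance guest is flagged: the HR guest was removed after three hours, the internal user is ignored, and the Sales add has no matching removal.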