Analytics Alerts
Browse the Cortex analytics alert reference.
4 alerts match the current filters. tactic: TA0003 ✕ technique: T1671 ✕
Show ATT&CK heatmapA Microsoft Teams application was installed Informational Identity Threat Module 1 variation
A Microsoft Teams application was installed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Cloud Application Integration (T1671)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Teams applications to maintain persistent access to compromised Teams accounts.Investigative actions: Confirm that the application was created by a certified and trusted entity. Evaluate the permissions requested by the application to determine if they are excessive or unusual. Determine if it is within the user's role to install this type of application. Correlate the alert with the sign-in event to get additional information on the identity performing the action. Follow further actions done by the account.Variations
A Microsoft Teams application was installed with special parameters
Low overridden
A Microsoft Teams application was installed. overridden
A Microsoft Teams bot was added to a team Informational Identity Threat Module
A user added a bot to a team in Microsoft Teams.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Cloud Application Integration (T1671)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Teams bots to maintain persistent access to compromised Teams accounts.Investigative actions: Confirm that the bot was created by a certified and trusted entity. Evaluate the permissions requested by the bot to determine if they are excessive or unusual. Determine if it is within the user's role to add bots to teams. Follow further actions done by the account.Microsoft Teams application setup policy was modified Informational Identity Threat Module 1 variation
Microsoft Teams the application setup policy, which is responsible for application management, was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Impair Defenses (T1562) Cloud Application Integration (T1671)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may modify the application setup policy to maintain persistent access to compromised Teams accounts and conversations.Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. If the policy change causes an application installed for the whole organization, confirm that the application was created by a certified and trusted entity. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID or the unique token identifier.Variations
A user changed the Microsoft Teams application setup policy for the first time
Low overridden
Microsoft Teams the application setup policy, which is responsible for application management, was modified. overridden
User installed an application in Microsoft Teams via Graph API Informational Identity Threat Module 1 variation
A user who rarely uses the Graph API to install Microsoft Teams applications has installed one using it.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Cloud Application Integration (T1671)Required data: Microsoft Graph LogsDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Teams applications to maintain persistent access to compromised Teams accounts.Investigative actions: Verify the user's role and typical usage of Microsoft Graph API. Check if the user's account has recently logged in from unusual locations or devices. Review recent email and chat activity to identify any phishing or suspicious messages sent. Examine the Graph API call logs to see what actions were performed and their timestamps. Correlate with endpoint logs to detect any malware or suspicious processes running on the user's device. Check for signs of account compromise, such as password changes or MFA bypass attempts. Follow further actions done by the account.Variations
User installed an application in Microsoft Teams via Graph API from a first seen ASN
Low overridden
A user who rarely uses the Graph API to install Microsoft Teams applications has installed one using it. overridden