33 строки
2.3 KiB
Plaintext
33 строки
2.3 KiB
Plaintext
// Microsoft Teams Data Parser
|
|
// Last Updated Date: March 26, 2020
|
|
//
|
|
//This parser parses Office 365 Management API Audit Events and extract Teams based events and their various components. It is assumed that Audit logging is enabled in the O365 tenant and that Audit.General events are being collected via the Office 365 Management Activity API.
|
|
// https://docs.microsoft.com/office/office-365-management-api/office-365-management-activity-api-reference
|
|
//
|
|
// Parser Notes:
|
|
// 1. This parser assumes logs are collected into a custom log table entitled O365API_CL.
|
|
//
|
|
// Usage Instruction :
|
|
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias. To work with pre-built Teams queries this Function should be given the alias of TeamsData.
|
|
// Functions usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. TeamsData | take 10).
|
|
//
|
|
// References :
|
|
// Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
|
|
// Tech Community Blog on KQL Functions : https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381
|
|
// Tech Community Blog on Teams data: https://techcommunity.microsoft.com/t5/azure-sentinel/protecting-your-teams-with-azure-sentinel/ba-p/1265761
|
|
//
|
|
//
|
|
O365API_CL
|
|
| where Workload_s =~ "MicrosoftTeams"
|
|
| project TimeGenerated,
|
|
CreationTime=CreationTime_t,
|
|
Workload=Workload_s,
|
|
Operation=Operation_s,
|
|
TeamName=columnifexists('TeamName_s', ""),
|
|
UserId=columnifexists('UserId_s', ""),
|
|
AddOnName=columnifexists('AddOnName_s', ""),
|
|
AddOnGuid=columnifexists('AddOnGuid_s', ""),
|
|
Members=columnifexists('Members_s', ""),
|
|
Settings=iif(Operation_s contains "Setting", pack("Name", columnifexists('Name_s', ""), "Old Value", columnifexists('OldValue_s', ""), "New Value", columnifexists('NewValue_s', "")),""),
|
|
Details=pack("Id", columnifexists('Id_g', ""), "OrganizationId", columnifexists('OrganizationId_g', ""), "UserType", columnifexists('UserType_d', ""), "UserKey", columnifexists('UserKey_g', ""), "TeamGuid", columnifexists('TeamGuid_s', ""))
|