I know this has been out for a while now. The Microsoft Teams connector for Azure Sentinel was released back at the end of August 2020, but I still see some organizations that are using Azure Sentinel and have yet to enable the Teams connector.
There could be a lot of reasons, since the connector is still in preview.
Nevertheless, the connector works fine, and I find that one of the reasons is that a lot of people actually think the Teams connector is enabled automatically, since they already run the Office 365 connector.
This is not the case: the Teams data connector needs to be enabled manually on the Office 365 data connector. Let's go through how to enable it.
How to enable the Teams connector
Log in to your existing Azure Sentinel workspace.
To enable the connector, go into the Office 365 data connector and, under Configuration, open the connector page:
You will find which Office 365 workloads are enabled for this connector and here you can enable Teams:
Apply changes and the Teams data will be active with the Office 365 connector.
Since the Teams activities are part of the Office 365 data connector, ingestion is free, meaning you will not pay for additional storage consumption for logs from Office 365 and Teams.
What events can I see from Microsoft Teams in Azure Sentinel?
Azure Sentinel connects to the existing Microsoft 365 unified audit log. There are currently 27 different user and admin activities that are logged for Microsoft Teams, including:
- Added/removed bot to a team
- Added/deleted channel
- Added/removed connector
- Changed channel/organization/team setting
- Added/removed members
- Installed/uninstalled app
- User signed in to Teams
For details and reference, see: Teams activities.
Verify data in Azure Sentinel
It can take up to 20 minutes before you can see the Teams audit data within Sentinel.
You can verify the connection to Teams within the Office 365 data connector under Data types:
[Screenshots: Data types before the Teams connector was enabled, and after the Teams connector was enabled]
Once the data starts to arrive (again, allow up to 20 minutes), run a KQL query within Sentinel and you will begin to see logs from Teams:
OfficeActivity | where OfficeWorkload == "MicrosoftTeams" | sort by TimeGenerated desc
The above query is run within Logs in Azure Sentinel.
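As an added example (not from the original post), the query below builds on the one above to surface the Teams activities listed earlier that change who or what can read and post in a team: bots, apps, connectors and members. It assumes the Operation names and the TeamName, AddOnName and Members columns as carried on Teams records in the OfficeActivity table, and the "#EXT#" substring in a member UPN as a rough marker for a guest account is an assumption to adapt to your tenant.

```kql
// Added example, not part of the original post.
// Look back over the last week of Teams audit records in OfficeActivity.
let lookback = 7d;
// Operations from the Microsoft 365 audit log that add a new party to a team
// (assumed operation names; verify against your own OfficeActivity data).
let watchedOps = dynamic(["BotAddedToTeam", "AppInstalled", "ConnectorAdded", "MemberAdded"]);
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "MicrosoftTeams"
| where Operation in (watchedOps)
// Members is a dynamic array on MemberAdded records; a UPN containing "#EXT#"
// is an assumed heuristic for a guest (external) account being added.
| extend GuestAdded = Operation == "MemberAdded" and tostring(Members) contains "#EXT#"
| summarize EventCount = count(),
            Actors = make_set(UserId, 20),
            LastSeen = max(TimeGenerated)
          by Operation, TeamName, AddOnName, GuestAdded
| sort by LastSeen desc
```

Rows where GuestAdded is true, or where AddOnName names a bot or connector you do not recognise, are the ones worth reviewing first.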