Detection : External User Added to Team and Immediately Uploads File #3556

Merged: shainw merged 5 commits into Azure:master from samikroy:patch-14 on Dec 30, 2021

Conversation

@samikroy (Contributor)

Proposed Changes

This detection identifies when an external user is added to a Team or Teams chat and, within 1 minute of being added, uploads a file via the chat.
@ep3p (Contributor) commented Nov 27, 2021

You may want to specify the kind of join to not lose events of the left table.

@samikroy (Contributor, Author)

> You may want to specify the kind of join to not lose events of the left table.

Thank you for the review @ep3p.
I have added inner as the join kind to avoid the default innerunique picking a random one.
Please let me know further.

@shainw (Contributor) commented Nov 30, 2021

Adding @petebryan as he did the Hunting query that this is based on, and he may have tested to see if this type of detection was too noisy for a detection: https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/OfficeActivity/UserAddToTeamsAndUploadsFile.yaml. @petebryan - thoughts?

@samikroy (Contributor, Author)

> Adding @petebryan as he did the Hunting query that this is based on and he may have tested to see if this type of detection was too noisy for a detection - https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/OfficeActivity/UserAddToTeamsAndUploadsFile.yaml. @petebryan - thoughts?

@petebryan - please share your thoughts

@petebryan (Contributor)

@samikroy so when I first created this we didn't have an official Teams connector publicly available yet, so we had limited data to determine the FP rate. However, the data did show this was potentially quite noisy. It would be good to re-evaluate to see if that is still the case.

@samikroy (Contributor, Author) commented Dec 2, 2021

> @samikroy so when I first created this we didn't have an official Teams connector publicly available yet so we had limited data to determine FP rate. However in the data did show this was potentially quite noisy. It would be good to re-evaluate to see if that is still the case.

Agree @petebryan, this detection now applies a few more filters:

External User Added > File Uploaded > File is accessed by many users > External user is removed.
Please have a look and let me know.
Thank you.
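
The two technical points in this thread, the join-kind caveat raised by @ep3p and the four-stage filter chain described in the comment above, modelled as an added Python example. This is not the PR's KQL query and not Azure Sentinel code; the event schema, the sample events, the user names, the access threshold of 3 and the deterministic "keep the first left row" stand-in for innerunique's arbitrary choice are all assumptions of the example. It shows why an innerunique join silently drops a true positive when the same external user is added to two teams, and how the added filters (several readers, later removal) narrow the result set.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One simplified OfficeActivity-style audit record (constructed schema, not the real table)."""
    time: datetime
    operation: str      # MemberAdded | FileUploaded | FileAccessed | MemberRemoved
    user: str           # acting user (UPN)
    team: str = ""      # team the member was added to / removed from
    member: str = ""    # member affected by MemberAdded / MemberRemoved
    file: str = ""      # file affected by FileUploaded / FileAccessed


def is_external(upn: str) -> bool:
    # Azure AD guest accounts carry the #EXT# marker in their UPN
    return "#EXT#" in upn


def join(left, right, lkey, rkey, kind="inner"):
    """Model of KQL join semantics on a single key.

    inner       : every matching (left, right) pair is returned
    innerunique : KQL's default; left rows are deduplicated on the key before
                  joining, so only one of several adds for the same user survives.
                  KQL picks one arbitrarily; this model keeps the first one (assumption)."""
    if kind == "innerunique":
        seen, deduped = set(), []
        for row in left:
            if lkey(row) not in seen:
                seen.add(lkey(row))
                deduped.append(row)
        left = deduped
    by_key = defaultdict(list)
    for row in right:
        by_key[rkey(row)].append(row)
    return [(l, r) for l in left for r in by_key.get(lkey(l), [])]


def detect(events, join_kind="inner", window=timedelta(minutes=1), access_threshold=3):
    """Return (external user, team, file, add-to-upload delay) for each chain:
    external member added -> same user uploads within `window` ->
    file read by >= access_threshold distinct users -> external user removed."""
    adds = [e for e in events if e.operation == "MemberAdded" and is_external(e.member)]
    uploads = [e for e in events if e.operation == "FileUploaded" and is_external(e.user)]
    hits = []
    for add, up in join(adds, uploads, lambda e: e.member, lambda e: e.user, join_kind):
        if not (add.time < up.time <= add.time + window):
            continue
        readers = {e.user for e in events
                   if e.operation == "FileAccessed" and e.file == up.file and e.time > up.time}
        if len(readers) < access_threshold:
            continue
        removed = any(e.operation == "MemberRemoved" and e.member == up.user and e.time > up.time
                      for e in events)
        if removed:
            hits.append((up.user, add.team, up.file, up.time - add.time))
    return hits


# Constructed sample events (not real audit data)
T0 = datetime(2021, 12, 1, 9, 0, 0)
OWNER = "owner@tenant.example"
EXT = "guest_partner.example#EXT#@tenant.example"
SAMPLE_EVENTS = [
    # the guest is added to two teams; only the second add is followed by a quick upload
    Event(T0, "MemberAdded", OWNER, team="Finance", member=EXT),
    Event(T0 + timedelta(minutes=2), "MemberAdded", OWNER, team="Projects", member=EXT),
    Event(T0 + timedelta(minutes=2, seconds=30), "FileUploaded", EXT, file="invoice.xlsm"),
    Event(T0 + timedelta(minutes=3), "FileAccessed", "alice@tenant.example", file="invoice.xlsm"),
    Event(T0 + timedelta(minutes=3, seconds=10), "FileAccessed", "bob@tenant.example", file="invoice.xlsm"),
    Event(T0 + timedelta(minutes=3, seconds=20), "FileAccessed", "carol@tenant.example", file="invoice.xlsm"),
    Event(T0 + timedelta(minutes=5), "MemberRemoved", OWNER, team="Projects", member=EXT),
    # benign: an internal user added and uploading quickly is never a candidate
    Event(T0, "MemberAdded", OWNER, team="Finance", member="dave@tenant.example"),
    Event(T0 + timedelta(seconds=30), "FileUploaded", "dave@tenant.example", file="notes.docx"),
]

if __name__ == "__main__":
    for kind in ("inner", "innerunique"):
        print(kind, detect(SAMPLE_EVENTS, join_kind=kind))
```

With `kind="inner"` the Projects add pairs with the upload 30 seconds later and the chain completes; with `kind="innerunique"` the deduplication keeps only the Finance add, the upload is 2m30s after it, and the true positive disappears, which is exactly the loss of left-table events the review comment warned about.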

@shainw (Contributor) previously approved these changes Dec 2, 2021 and left a comment:

I did some testing and it looks like looking only for #EXT# (external users) and checking for within 1m has very low results. Approving, and we will watch if alerts start to flood for some customers.

@shainw shainw added the Detection Detection specialty review needed label Dec 30, 2021
@shainw shainw merged commit bb976ea into Azure:master Dec 30, 2021