Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.
Rule type: query
Risk score: 47
Runs every: 5m
Maximum alerts per execution: 100
- Microsoft 365
- Continuous Monitoring
- Configuration Audit
Rule license: Elastic License v2
## Config The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and event.category:web and event.action:"Set-CsTeamsClientConfiguration" and o365.audit.Parameters.AllowGuestUser:True and event.outcome:success
Framework: MITRE ATT&CKTM