Query Details

MS Teams DLP Playbook

Query

// MS Teams DLP Playbook
// https://www.linkedin.com/posts/activity-7196076361977847808-JGST/

// The document (Teams DLP Playbook 2024.pdf) in the blog provides an overview of how enterprise customers can deploy Microsoft Teams-DLP for protecting sensitive information.

// Using Defender Custom Detection, the below KQL allow you to detect real-time DLP rules triggered:

CloudAppEvents
| where Application == "Microsoft Teams"
| where ActionType contains "DlpRuleMatch"

// The detection of DLP rule matches in Microsoft Teams can be associated with the following MITRE ATT&CK techniques:

// T1070.004 - Indicator Removal on Host: File Deletion: DLP rules often trigger when sensitive data is being moved or deleted to prevent data exfiltration1.
// T1567 - Exfiltration Over Web Service: If the DLP rule is triggered by an attempt to exfiltrate data via Teams, this technique is relevant2.
// T1071.001 - Application Layer Protocol: Web Protocols: Microsoft Teams uses web protocols for communication, and DLP rules can help detect suspicious activities over these protocols3.

Explanation

This query is designed to help organizations monitor and protect sensitive information in Microsoft Teams by using Data Loss Prevention (DLP) rules. Here's a simple breakdown:

  1. Purpose: The query is part of a playbook that guides enterprise customers on deploying Microsoft Teams DLP to safeguard sensitive data.

  2. Functionality: It uses Microsoft Defender's Custom Detection capabilities to identify when DLP rules are triggered in real-time within Microsoft Teams.

  3. Query Details:

    • It filters events from the CloudAppEvents data set.
    • It specifically looks for events where the application is "Microsoft Teams" and the action type includes "DlpRuleMatch," indicating a DLP rule has been triggered.
  4. Security Context: The detection of DLP rule matches is linked to specific MITRE ATT&CK techniques, which are frameworks used to understand and categorize cyber threats:

    • T1070.004: This technique involves the removal of indicators on a host, such as file deletion, which DLP rules can detect when sensitive data is moved or deleted.
    • T1567: This involves data exfiltration over web services, relevant if DLP rules are triggered by attempts to send data out via Teams.
    • T1071.001: This involves the use of web protocols for communication, where DLP rules help identify suspicious activities over these protocols.

In summary, the query helps detect and respond to potential data security incidents in Microsoft Teams by identifying when DLP rules are activated, thereby helping to prevent unauthorized data access or exfiltration.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

CloudAppEvents

Keywords

CloudAppEventsApplicationActionTypeMicrosoftTeamsDlpRuleMatch

Operators

CloudAppEvents|where==contains

MITRE Techniques

Actions

GitHub