MS Teams DLP Playbook
Query
// MS Teams DLP Playbook
// https://www.linkedin.com/posts/activity-7196076361977847808-JGST/
// The document (Teams DLP Playbook 2024.pdf) in the blog provides an overview of how enterprise customers can deploy Microsoft Teams-DLP for protecting sensitive information.
// Using Defender Custom Detection, the below KQL allow you to detect real-time DLP rules triggered:
CloudAppEvents
| where Application == "Microsoft Teams"
| where ActionType contains "DlpRuleMatch"
// The detection of DLP rule matches in Microsoft Teams can be associated with the following MITRE ATT&CK techniques:
// T1070.004 - Indicator Removal on Host: File Deletion: DLP rules often trigger when sensitive data is being moved or deleted to prevent data exfiltration1.
// T1567 - Exfiltration Over Web Service: If the DLP rule is triggered by an attempt to exfiltrate data via Teams, this technique is relevant2.
// T1071.001 - Application Layer Protocol: Web Protocols: Microsoft Teams uses web protocols for communication, and DLP rules can help detect suspicious activities over these protocols3.Explanation
This query is designed to help organizations monitor and protect sensitive information in Microsoft Teams by using Data Loss Prevention (DLP) rules. Here's a simple breakdown:
-
Purpose: The query is part of a playbook that guides enterprise customers on deploying Microsoft Teams DLP to safeguard sensitive data.
-
Functionality: It uses Microsoft Defender's Custom Detection capabilities to identify when DLP rules are triggered in real-time within Microsoft Teams.
-
Query Details:
- It filters events from the
CloudAppEventsdata set. - It specifically looks for events where the application is "Microsoft Teams" and the action type includes "DlpRuleMatch," indicating a DLP rule has been triggered.
- It filters events from the
-
Security Context: The detection of DLP rule matches is linked to specific MITRE ATT&CK techniques, which are frameworks used to understand and categorize cyber threats:
- T1070.004: This technique involves the removal of indicators on a host, such as file deletion, which DLP rules can detect when sensitive data is moved or deleted.
- T1567: This involves data exfiltration over web services, relevant if DLP rules are triggered by attempts to send data out via Teams.
- T1071.001: This involves the use of web protocols for communication, where DLP rules help identify suspicious activities over these protocols.
In summary, the query helps detect and respond to potential data security incidents in Microsoft Teams by identifying when DLP rules are activated, thereby helping to prevent unauthorized data access or exfiltration.
