Teams Suspicious Elevationof Privileges
Query
//Suspicious behaviour related to elevation of Teams privileges
// Adjust this value to change how many teams a user is made owner of before detecting
let max_owner_count = 3;
// Change this value to adjust how larger timeframe the query is run over.
let time_window = 1d;
let high_owner_count = (OfficeActivity
| where TimeGenerated > ago(time_window)
| where Operation =~ "MemberRoleChanged"
| extend Member = tostring(parse_json(Members)[0].UPN)
| extend NewRole = toint(parse_json(Members)[0].Role)
| where NewRole == 2
| summarize dcount(TeamName) by Member
| where dcount_TeamName > max_owner_count
| project Member);
OfficeActivity
| where TimeGenerated > ago(time_window)
| where Operation =~ "MemberRoleChanged"
| extend Member = tostring(parse_json(Members)[0].UPN)
| extend NewRole = toint(parse_json(Members)[0].Role)
| where NewRole == 2
| where Member in (high_owner_count)
| extend TeamGuid = tostring(Details.TeamGuid)
// Uncomment the following line to map query entities is you plan to use this as a detection query
//| extend timestamp = TimeGenerated, AccountCustomEntity = MemberExplanation
This query is looking for suspicious behavior related to the elevation of Teams privileges. It checks for users who have been made owners of a certain number of teams within a specified timeframe. The number of teams and timeframe can be adjusted. The query then looks for any member role changes where the new role is 2 (owner) and the member is in the list of users with a high owner count. It also includes the TeamGuid and can be used as a detection query by uncommenting a line.
Details

Rod Trent
Released: September 1, 2020
Tables
OfficeActivity
Keywords
DevicesIntuneUser
Operators
letmax_owner_counttime_windowagoOfficeActivitywhereTimeGeneratedOperation=~MemberRoleChangedextendMembertostringparse_jsonMembers[0].UPNNewRoletoint[0].RolesummarizedcountTeamNamebyprojectinDetails.TeamGuiduncommenttimestampAccountCustomEntity