Messages sent and received within your organization at the time of delivery
| Attribute | Value |
|---|---|
| Category | Security, XDR |
| Basic Logs Eligible | ✓ Yes |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| ConfidenceLevel | dynamic | List of confidence levels for each threat type identified |
| DeliveryAction | string | Delivery action of the message: Delivered, Blocked |
| DeliveryLocation | string | Location of the message at the time of delivery |
| DetectionMethods | dynamic | Methods used to detect malware, phishing, or other threats found in the message |
| GroupId | string | Identifier for the team or group that the message was sent to |
| GroupName | string | Name of the team or group that the message was sent to |
| IsExternalThread | bool | Indicates if there are external recipients in the thread (1) or none (0) |
| IsOwnedThread | bool | Boolean value indicating whether the message is owned by your organization or not (only the messages owned by your organization can be remediated) |
| LastEditedTime | string | Date and time when the message was last edited |
| MessageFormatSubtype | string | Subtype of message format, for example, HTML |
| MessageFormatType | string | Type of message format; possible values: RichText, Text |
| MessageId | string | Identifier for the message (non-unique) |
| MessageSubject | string | Subject of the message, if it exists |
| MessageVersion | string | Version number of the message |
| ParentMessageId | string | Identifier for the message that the current message was a reply to, otherwise this is the same as the MessageId |
| RecipientDetails | dynamic | Array of recipient data (RecipientSmtpAddress, RecipientDisplayName, RecipientType, RecipientObjectId) |
| ReportId | string | Unique identifier for the event |
| SafetyTip | string | The safety tip that has been added on a message, if any |
| SenderDisplayName | string | Name of the sender displayed in the address book, typically a combination of a first name, a middle initial, and a last name or surname |
| SenderEmailAddress | string | Email address of the sender |
| SenderObjectId | string | Unique identifier for the sender's account |
| SenderType | string | Type of user that sent the message, for example, User, Group, Anonymous |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TeamsMessageId | string | Unique identifier for the message, as generated by Microsoft 365 |
| TenantId | string | The Log Analytics workspace ID |
| ThreadId | string | Identifier of the channel or chat thread that the message is part of |
| ThreadSubtype | string | Indicates the channel type, possible values: None, PrivateChannel |
| ThreatTypes | string | Verdict from the filtering stack on whether the message contains malware, phishing, or other threats |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated. |
| Type | string | The name of the table |
This table is used by the following solutions:
In solution Microsoft Defender XDR:
| Hunting Query | Selection Criteria |
|---|---|
| Expanding recipients into separate rows | |
| External malicious Teams messages sent from internal senders | IsExternalThread == "1"; IsOwnedThread == "1"; ThreatTypes has_any "Phish" |
| Inbound Teams messages by sender domains | IsExternalThread == "1"; IsOwnedThread == "1" |
| Malicious Teams messages by URL detection methods | |
| Malicious Teams messages received from external senders | IsExternalThread == "1"; IsOwnedThread == "0"; ThreatTypes has_any "Phish" |
| Possible partner impersonation in external Team messages | IsExternalThread == "1"; IsOwnedThread == "0"; SenderDisplayName contains "@contoso.com" |
| Rare Domains in External Teams Messages | |
| Suspicious Teams Display Name | IsExternalThread == "1"; IsOwnedThread == "0" |
| Teams communication from suspicious external users | SenderDisplayName contains "desk"; SenderDisplayName contains "help"; SenderDisplayName contains "home"; SenderDisplayName contains "it"; SenderDisplayName contains "support"; SenderDisplayName contains "working" |
| Teams communication to suspicious external users | RecipientDetails contains "desk"; RecipientDetails contains "help"; RecipientDetails contains "home"; RecipientDetails contains "it"; RecipientDetails contains "support"; RecipientDetails contains "working" |
| Teams messages from a specific sender by ThreadType | |
| Top 10 Attacked user by Phish messages | IsExternalThread == "1"; IsOwnedThread == "0"; ThreatTypes has "Phish" |
| Top 10 External senders sending Teams phishing messages | IsExternalThread == "1"; IsOwnedThread == "0"; ThreatTypes has "Phish" |
| Top 10 external senders sending Teams messages | IsExternalThread == "1"; IsOwnedThread == "0" |
| Top External Sender domains - Malware | IsExternalThread == "1"; IsOwnedThread == "0"; ThreatTypes contains "Malware" |
| Top External Sender domains - Phish | IsExternalThread == "1"; IsOwnedThread == "0"; ThreatTypes contains "Phish" |
| Top External Sender domains - Spam | IsExternalThread == "1"; IsOwnedThread == "0"; ThreatTypes contains "Spam" |
| Top External malicious Senders | IsExternalThread == "1"; IsOwnedThread == "0" |
| Top domains outbound sending Malicious Teams messages inbound | IsExternalThread == "1"; IsOwnedThread in "0,1" |
| Total number of MDO Teams protection detections daily | |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| Hunt for RMM tool execution following Teams messages | |
| Hunt for alerts correlated with Teams messages | |
| Punycode lookalikes | |
References by type: 0 connectors, 15 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| IsExternalThread == "1"; IsOwnedThread == "0" | - | 3 | - | - | 3 |
| IsExternalThread == "1"; IsOwnedThread == "0"; ThreatTypes has "Phish" | - | 2 | - | - | 2 |
| SenderDisplayName contains "desk"; SenderDisplayName contains "help"; SenderDisplayName contains "home"; SenderDisplayName contains "it"; SenderDisplayName contains "support"; SenderDisplayName contains "working" | - | 1 | - | - | 1 |
| RecipientDetails contains "desk"; RecipientDetails contains "help"; RecipientDetails contains "home"; RecipientDetails contains "it"; RecipientDetails contains "support"; RecipientDetails contains "working" | - | 1 | - | - | 1 |
| IsExternalThread == "1"; IsOwnedThread == "1"; ThreatTypes has_any "Phish" | - | 1 | - | - | 1 |
| IsExternalThread == "1"; IsOwnedThread == "1" | - | 1 | - | - | 1 |
| IsExternalThread == "1"; IsOwnedThread == "0"; ThreatTypes has_any "Phish" | - | 1 | - | - | 1 |
| IsExternalThread == "1"; IsOwnedThread == "0"; SenderDisplayName contains "@contoso.com" | - | 1 | - | - | 1 |
| IsExternalThread == "1"; IsOwnedThread in "0,1" | - | 1 | - | - | 1 |
| IsExternalThread == "1"; IsOwnedThread == "0"; ThreatTypes contains "Malware" | - | 1 | - | - | 1 |
| IsExternalThread == "1"; IsOwnedThread == "0"; ThreatTypes contains "Phish" | - | 1 | - | - | 1 |
| IsExternalThread == "1"; IsOwnedThread == "0"; ThreatTypes contains "Spam" | - | 1 | - | - | 1 |
| Total | 0 | 15 | 0 | 0 | 15 |
Values used for IsExternalThread:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| 1 | - | 13 | - | - | 13 |
Values used for IsOwnedThread:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| 0 | - | 11 | - | - | 11 |
| 1 | - | 3 | - | - | 3 |
Values used for RecipientDetails:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| contains desk | - | 1 | - | - | 1 |
| contains help | - | 1 | - | - | 1 |
| contains home | - | 1 | - | - | 1 |
| contains it | - | 1 | - | - | 1 |
| contains support | - | 1 | - | - | 1 |
| contains working | - | 1 | - | - | 1 |
Values used for SenderDisplayName:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| contains desk | - | 1 | - | - | 1 |
| contains help | - | 1 | - | - | 1 |
| contains home | - | 1 | - | - | 1 |
| contains it | - | 1 | - | - | 1 |
| contains support | - | 1 | - | - | 1 |
| contains working | - | 1 | - | - | 1 |
| contains @contoso.com | - | 1 | - | - | 1 |
Values used for ThreatTypes:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has_any Phish | - | 2 | - | - | 2 |
| has Phish | - | 2 | - | - | 2 |
| contains Malware | - | 1 | - | - | 1 |
| contains Phish | - | 1 | - | - | 1 |
| contains Spam | - | 1 | - | - | 1 |