kqlHunting

Display Teams meeting participation duration for accounts associated with a suspicious IP address

Query is from CISA Playbook https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf

Detection Query

//Query is from CISA Playbook https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf
CloudAppEvents
| where ActionType == 'MeetingParticipantDetail'
| extend clientip = tostring(RawEventData.ClientIP)
| extend meeting_id = tostring(RawEventData.MeetingDetailId)
| extend join_time = todatetime(RawEventData.JoinTime)
| extend leave_time = todatetime(RawEventData.LeaveTime)
| extend min_duration = datetime_diff('minute',leave_time,join_time)
| where clientip == 'x.x.x.x' //Replace with suspicious IP
| project AccountDisplayName, meeting_id, join_time,leave_time,min_duration
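The query above matches one hard-coded IP and lists each meeting row. The following is an added example, not part of the CISA playbook or the kqlHunting page: it applies the same RawEventData parsing to a constructed datatable (sample rows and placeholder IPs from the RFC 5737 documentation ranges), so the logic can be tested in any Kusto editor without access to CloudAppEvents, and it generalises the single-IP filter to a watchlist with per-account totals. The names SuspiciousIPs and SampleEvents are assumptions introduced here.

```kql
// Added example (not from the CISA playbook or the kqlHunting page).
// Watchlist of suspicious client IPs; the values are placeholders from
// the RFC 5737 documentation ranges, not real indicators.
let SuspiciousIPs = datatable(clientip:string) [
    "203.0.113.10",
    "198.51.100.7"
];
// Constructed sample rows shaped like CloudAppEvents MeetingParticipantDetail
// events, including one non-matching IP and one unrelated ActionType so the
// filters can be seen working.
let SampleEvents = datatable(Timestamp:datetime, ActionType:string, AccountDisplayName:string, RawEventData:dynamic) [
    datetime(2025-02-03 09:00:00), "MeetingParticipantDetail", "Alice Example",
        dynamic({"ClientIP":"203.0.113.10","MeetingDetailId":"meeting-001","JoinTime":"2025-02-03T09:00:00Z","LeaveTime":"2025-02-03T09:45:00Z"}),
    datetime(2025-02-03 11:00:00), "MeetingParticipantDetail", "Alice Example",
        dynamic({"ClientIP":"203.0.113.10","MeetingDetailId":"meeting-002","JoinTime":"2025-02-03T11:00:00Z","LeaveTime":"2025-02-03T11:20:00Z"}),
    datetime(2025-02-03 13:00:00), "MeetingParticipantDetail", "Bob Example",
        dynamic({"ClientIP":"192.0.2.55","MeetingDetailId":"meeting-003","JoinTime":"2025-02-03T13:00:00Z","LeaveTime":"2025-02-03T13:30:00Z"}),
    datetime(2025-02-03 14:00:00), "MeetingParticipantDetail", "Carol Example",
        dynamic({"ClientIP":"198.51.100.7","MeetingDetailId":"meeting-004","JoinTime":"2025-02-03T14:00:00Z","LeaveTime":"2025-02-03T15:10:00Z"}),
    datetime(2025-02-03 15:00:00), "MeetingDetail", "Carol Example",
        dynamic({"ClientIP":"198.51.100.7","MeetingDetailId":"meeting-004"})
];
// Same field extraction as the detection query; swap SampleEvents for
// CloudAppEvents to run it against live data.
SampleEvents
| where ActionType == 'MeetingParticipantDetail'
| extend clientip = tostring(RawEventData.ClientIP)
| extend meeting_id = tostring(RawEventData.MeetingDetailId)
| extend join_time = todatetime(RawEventData.JoinTime)
| extend leave_time = todatetime(RawEventData.LeaveTime)
| extend min_duration = datetime_diff('minute', leave_time, join_time)
// Watchlist lookup instead of a single hard-coded IP.
| where clientip in (SuspiciousIPs)
// Roll up to one row per account and source IP for triage.
| summarize meetings = dcount(meeting_id),
            total_minutes = sum(min_duration),
            first_seen = min(join_time),
            last_seen = max(leave_time)
            by AccountDisplayName, clientip
| order by total_minutes desc
```

On the constructed rows this returns two lines: Carol Example from 198.51.100.7 with 1 meeting and 70 minutes, and Alice Example from 203.0.113.10 with 2 meetings and 65 minutes; Bob Example is excluded because his IP is not on the watchlist, and the MeetingDetail row is excluded by the ActionType filter. Replacing the datatable with a Sentinel watchlist or an external data source is the usual next step when the IP list is maintained outside the query.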

Data Sources

CloudAppEvents

Tags

office-365