Microsoft Teams Audit Logs

Cloud & SaaS, User Activity, Cloud Control Plane, SIEM / Log Aggregator

Location

Microsoft Purview > Audit (filter by MicrosoftTeams workload) or Search-UnifiedAuditLog -RecordType MicrosoftTeams

Description

Teams-specific audit events (RecordType MicrosoftTeams) capturing team and channel creation/deletion, membership changes (including guest user additions and role changes), app, bot, tab and connector installations, Teams setting and policy changes, and user sign-ins to Teams. File sharing and meeting recordings are backed by SharePoint/OneDrive, so the corresponding file events live in those workloads rather than here. Message-level events (sent, read, listed) are available depending on the tenant's audit licensing and carry metadata only, not message bodies.

Forensic Value

Teams audit logs reveal collaboration-based attack vectors: unauthorized guest additions, malicious app installations, and data sharing through Teams channels. A guest addition (a MemberAdded event whose member is a guest identity) grants an external party access to the team's channels and its backing SharePoint site, so pivot on the guest UPN to see what that account subsequently accessed. App, bot and connector installations (AppInstalled, BotAddedToTeam, ConnectorAdded) may introduce bots or connectors that read channel content or relay it outward, so review who installed what, in which team, and at what time of day. File sharing in Teams is stored in SharePoint/OneDrive, so Teams events supplement rather than replace the SharePoint/OneDrive file audit data. Meeting recordings are likewise stored in OneDrive or SharePoint: who viewed or downloaded a recording containing sensitive information appears as file access events in those workloads, correlated by file path and user, not in the Teams record type.

Tools Required

Microsoft Purview, PowerShell (Search-UnifiedAuditLog), Microsoft Graph API, SIEM (Sentinel)

Collection Commands

PowerShell

# Requires Exchange Online PowerShell (Connect-ExchangeOnline). Each call returns at most 5000 records; for busier tenants page with -SessionCommand ReturnLargeSet and a fixed -SessionId until a call returns nothing. AuditData is exported as a JSON string column.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType MicrosoftTeams -ResultSize 5000 | Export-Csv teams_audit.csv -NoTypeInformation

PowerShell

# Membership, app and channel changes only. Guest additions have no separate operation: they are MemberAdded events whose member carries a guest (#EXT#) UPN and guest role in AuditData.Members.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -Operations MemberAdded,MemberRemoved,AppInstalled,ChannelAdded -RecordType MicrosoftTeams -ResultSize 5000 | Export-Csv teams_membership.csv -NoTypeInformation

Graph API (current channel state, for resolving team and channel IDs seen in audit events and spotting private or shared channels; this is not an audit source and shows no history)

GET https://graph.microsoft.com/v1.0/teams/{team-id}/channels?$select=displayName,membershipType,createdDateTime
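Triage of the CSV produced by the PowerShell export commands above, as an added example that is not part of the original page: it reads the file Export-Csv writes, expands the AuditData JSON column, and flags the guest additions and app installs the Forensic Value section calls out, with a per-actor operation count for quick pivoting. The sample records are constructed, and the AuditData field names used (Members[].UPN and Role, TeamName, AddOnName, ChannelName) are assumptions based on the Office 365 Management Activity schema; verify them against a real export before relying on the filters.

```python
"""Triage a Search-UnifiedAuditLog export of RecordType MicrosoftTeams.

Added example, not code from the original page. Field names inside
AuditData are assumptions; check them against a real export.
"""
import csv
import io
import json
from collections import Counter, defaultdict

# Constructed sample events (not real tenant data). Each dict stands in for
# the AuditData JSON the cmdlet returns for one Teams audit record.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-05-01T09:12:44", "Operation": "MemberAdded",
     "UserId": "alice@contoso.com", "TeamName": "Finance",
     "Members": [{"DisplayName": "Bob", "UPN": "bob@contoso.com", "Role": 0}]},
    {"CreationTime": "2024-05-01T21:03:10", "Operation": "MemberAdded",
     "UserId": "alice@contoso.com", "TeamName": "Finance",
     "Members": [{"DisplayName": "Mallory (Guest)",
                  "UPN": "mallory_evil.example#EXT#@contoso.onmicrosoft.com",
                  "Role": 2}]},
    {"CreationTime": "2024-05-02T02:41:37", "Operation": "AppInstalled",
     "UserId": "alice@contoso.com", "TeamName": "Finance",
     "AddOnName": "Bulk Exporter", "AddOnType": 1},
    {"CreationTime": "2024-05-02T08:00:00", "Operation": "ChannelAdded",
     "UserId": "carol@contoso.com", "TeamName": "Finance",
     "ChannelName": "Q2-close"},
    {"CreationTime": "2024-05-02T08:05:00", "Operation": "MemberRemoved",
     "UserId": "carol@contoso.com", "TeamName": "Finance",
     "Members": [{"DisplayName": "Bob", "UPN": "bob@contoso.com", "Role": 0}]},
]


def build_sample_export():
    """Serialise SAMPLE_EVENTS the way Export-Csv serialises the cmdlet
    output: one row per record, AuditData as a JSON string in its own column."""
    buf = io.StringIO()
    cols = ["CreationDate", "RecordType", "Operations", "UserIds", "AuditData"]
    w = csv.DictWriter(buf, fieldnames=cols)
    w.writeheader()
    for ev in SAMPLE_EVENTS:
        record = dict(ev, RecordType=25, Workload="MicrosoftTeams")
        w.writerow({"CreationDate": ev["CreationTime"],
                    "RecordType": "MicrosoftTeams",
                    "Operations": ev["Operation"],
                    "UserIds": ev["UserId"],
                    "AuditData": json.dumps(record)})
    return buf.getvalue()


def parse_export(csv_text):
    """Return one parsed AuditData dict per Teams row in the CSV text."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        data = json.loads(row["AuditData"])
        if data.get("Workload") != "MicrosoftTeams":
            continue  # mixed exports may carry other workloads
        records.append(data)
    return records


def is_guest(member):
    """Guest members carry Role 2 and an '#EXT#' UPN minted in the home tenant
    (assumed encoding; both checks are used so either signal suffices)."""
    return member.get("Role") == 2 or "#EXT#" in member.get("UPN", "").upper()


def triage(records):
    """Flag guest additions and app installs; count operations per actor."""
    findings = {"guest_additions": [], "app_installs": [],
                "by_actor": defaultdict(Counter)}
    for r in records:
        actor, op = r.get("UserId", "?"), r.get("Operation", "?")
        findings["by_actor"][actor][op] += 1
        if op == "MemberAdded":
            for m in r.get("Members", []):
                if is_guest(m):
                    findings["guest_additions"].append(
                        {"time": r["CreationTime"], "actor": actor,
                         "team": r.get("TeamName"), "guest": m.get("UPN")})
        elif op == "AppInstalled":
            findings["app_installs"].append(
                {"time": r["CreationTime"], "actor": actor,
                 "team": r.get("TeamName"), "app": r.get("AddOnName")})
    findings["by_actor"] = {a: dict(c) for a, c in findings["by_actor"].items()}
    return findings


if __name__ == "__main__":
    f = triage(parse_export(build_sample_export()))
    for g in f["guest_additions"]:
        print(f"GUEST ADDED   {g['time']} by {g['actor']} to {g['team']}: {g['guest']}")
    for a in f["app_installs"]:
        print(f"APP INSTALLED {a['time']} by {a['actor']} in {a['team']}: {a['app']}")
    for actor, ops in f["by_actor"].items():
        print(actor, ops)
```

To run it against a real export, replace build_sample_export() with open("teams_audit.csv", encoding="utf-8-sig").read(); the BOM-tolerant encoding matters because Export-Csv on Windows PowerShell writes one. The per-actor counts are the pivot: an account that adds a guest, installs an app and creates a channel within hours, outside business hours, is worth a sign-in correlation in the AzureActiveDirectory record type.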

MITRE ATT&CK Techniques

T1213.002 (Data from Information Repositories: SharePoint), T1530 (Data from Cloud Storage), T1136.003 (Create Account: Cloud Account), T1098 (Account Manipulation), T1566.001 (Phishing: Spearphishing Attachment)