Microsoft Teams Audit Logs

m365-azure | User Activity | Cloud Admin Portal | SIEM / Log Aggregator

Location

Microsoft Purview > Audit (filter by MicrosoftTeams workload) or Search-UnifiedAuditLog -RecordType MicrosoftTeams

Description

Teams-specific audit events capturing channel creation/deletion, membership changes, meeting recordings, file sharing in Teams, guest user additions, app installations, and messaging policy changes.

Forensic Value

Teams audit logs reveal collaboration-based attack vectors including unauthorized guest additions, malicious app installations, and data sharing through Teams channels. Guest user additions grant external parties access to internal resources. Teams app installations may introduce malicious bots or connectors. File sharing events in Teams channels supplement SharePoint/OneDrive audit data. Meeting recording access logs show who viewed recorded meetings containing sensitive information.
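
The following triage query is an added example, not part of the original entry. It pulls Teams records with Search-UnifiedAuditLog and keeps guest additions and app, bot and connector installs. It assumes a connected Exchange Online PowerShell session; the operation names, the AuditData field names, the seven-day window and the output file name are assumptions to check against your tenant's records.

```powershell
# Added example: triage Teams audit events for guest additions and add-on installs.
# Assumes Connect-ExchangeOnline has been run by an account allowed to search the audit log.
$start = (Get-Date).AddDays(-7)   # assumed review window
$end   = Get-Date

# Operation names assumed from the Teams audit schema; adjust to what your tenant records.
$ops = 'MemberAdded', 'AppInstalled', 'BotAddedToTeam', 'ConnectorAdded'
$sessionId = "teams-triage-$(Get-Date -Format yyyyMMddHHmmss)"

$records = @()
do {
    # ReturnLargeSet pages through the result set; reuse the same SessionId until a page is empty.
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType MicrosoftTeams -Operations $ops `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

$events = foreach ($r in $records) {
    # AuditData is a JSON string holding the Teams-specific fields.
    $d = $r.AuditData | ConvertFrom-Json

    # Heuristic: guest (B2B) accounts carry '#EXT#' in their UPN.
    $guests = @($d.Members | Where-Object { $_.UPN -like '*#EXT#*' })

    # For membership changes, keep only those that added at least one guest.
    if ($d.Operation -eq 'MemberAdded' -and $guests.Count -eq 0) { continue }

    [pscustomobject]@{
        TimeUtc   = $d.CreationTime
        Operation = $d.Operation
        Actor     = $d.UserId
        Team      = $d.TeamName
        Guests    = ($guests.UPN -join '; ')
        AddOn     = $d.AddOnName   # assumed field name for app/bot/connector events
    }
}

# Chronological timeline for review or SIEM import (hypothetical output path).
$events | Sort-Object TimeUtc |
    Export-Csv -Path .\teams-triage.csv -NoTypeInformation
```

Preserve the raw AuditData alongside the summarized CSV, since the flattened view drops fields that may matter later in the investigation.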

Tools Required

Microsoft Purview, PowerShell (Search-UnifiedAuditLog), Microsoft Graph API, SIEM (Sentinel)