Analytics Rule - Anomalous login followed by Teams action #11450
Comments
Hi @ganeshtembare, Thanks for flagging this issue; we will investigate it and get back to you with some updates. Thanks!
Hi @v-sudkharat, Do we have any update on the issue we have raised? Waiting for your response. Thank you in advance!!
Hi @ganeshtembare, What is the exact error message or alert details?
We are experiencing an issue with the "anomalous login" alert in the Teams action. Normally, when such an alert occurs and a user is added to a team group, the audit log provides the complete information, including details on which user was added, and by whom. However, with this alert, when we examine the event timeline of the user's Office activity, we only see that members were added, but the audit logs lack details such as the group where the user was added, the identity of the user added and who added them. The user has confirmed that they did not add anyone directly; instead, they accepted a Teams chat request from an external source. This is what occurred in this case, but we need clarification on who initiated the chat request and who accepted it. Also, is it possible to schedule a call so that we can have a better understanding?
Hi @everyone, This has been pending since last week; can you please provide your valuable input on this? We need to provide a response to our client as well, and the incident has been in an open state since last week.
I hope this message finds you well. We are currently awaiting your valuable feedback on the pending incident. Your insights are crucial for us to proceed further. Could you please provide your input at your earliest convenience? Thank you for your attention to this matter.
Hi @ganeshtembare, We are working on this issue and will get back to you with some updates. Thanks!
Hi @v-visodadasi Thank you for the response; will wait to hear back from you. Thank you in advance!!
Hi @v-visodadasi This is very urgent for us; please provide an update ASAP. Thank you for understanding our concern.
Hi @v-visodadasi @v-sudkharatc, Do you guys have any update on this?
Hi @ganeshtembare, Apologies for not updating you as soon as possible on this incident. Please know that we are actively working on this and we will update you as soon as possible.
Hi @v-visodadasi Thank you for the acknowledgment; can you please give me the ETA for this? Accordingly, I will inform the client.
Hi @ganeshtembare, just wanted to update you that I've connected with Shainw and Ashwin, who had previously worked on this solution. Ashwin asked for two days to provide an update. Thanks!
Hi @v-visodadasi Thank you for the update, but we are requesting you to please check this on high priority. It's been pending for a long time.
Hi @v-visodadasi Hope you have something to share with us today.
Hi @ganeshtembare, We are working with the respective team; we will update you soon.
Hi @v-visodadasi As mentioned, could you share the latest update? Our team has been holding this alert for the last 20 days; please prioritize this.
Hi @ChanduMadhala, I apologize for not updating you as soon as possible on this incident. We are actively working on this issue and we are also waiting for Ashwin's update on it. We will update you soon.
Hi @v-visodadasi Thank you for the update, but please push from your end to check this on priority. You know it's been pending for a long time, so we request you to please close this ASAP. It's already been escalated internally.
Hi @v-sudkharat @v-shukore @v-visodadasi It has been over two weeks since we raised this issue, and despite follow-ups, we haven't received a proper resolution yet. We understand these things can take time, but the repeated delays are leading to internal escalations on our side, and the ticket is still on hold. Looking forward to your response.
Hi @ganeshtembare @ChanduMadhala, I apologize for the delays. We are actively working on the issue. I'll ensure that I update you by Monday at the latest. Thank you for your patience and understanding.
Hi team @v-sudkharat @v-shukore @v-visodadasi This delay is causing significant challenges, including internal ticket backlogs and business aging. The current updates do not sufficiently address the severity of the issue; please provide a detailed update or resolution as soon as possible. Your prompt response would be greatly appreciated.
Hi @ChanduMadhala Apologies for the delay. Given the holidays and end-of-year planning, this issue was handled at a lower priority. My team and I have authored multiple detections, including this one, so I can provide answers to your questions. I have gone through the previous notes and the concerns raised by you about the lack of details in audit logs, especially related to MemberAdded.

The purpose of the detection is first to identify suspicious logons to the Teams application based on IP usage patterns by a user, and then to correlate them to find specific team actions such as

Now, speaking of MemberAdded events, this is typically triggered when a team owner adds members to a team, channel, or group chat. However, the note for this event says that it is included in all chat conversations between external Teams users managed by an organization and external Teams users not managed by an organization. Reference: https://learn.microsoft.com/en-us/purview/audit-log-activities#microsoft-teams-activities

Recommendations:
I would be happy to chat on a separate call if there are any follow-up questions based on the noise or output you are seeing, for faster resolution of this issue. Let me know accordingly.
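The two-step correlation described above (suspicious Teams sign-in, then a MemberAdded event from the same user and IP), written out as an added KQL illustration that is not the Azure Sentinel rule's own query. It assumes the `SigninLogs` and `OfficeActivity` column names shown in the two constructed datatables, a constructed `contoso.com` home domain, and a simplified "IP used only once" heuristic in place of the rule's real IP usage pattern logic; its purpose is to surface the details the thread says were missing (actor, target team or chat, added UPN, and whether the added user is external).

```kql
// Constructed sample rows (assumption: they mirror the SigninLogs and OfficeActivity
// columns the correlation needs; in a workspace, query those tables directly).
let TeamsSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, AppDisplayName:string)
[
    datetime(2025-01-10T08:00:00Z), "alice@contoso.com", "203.0.113.10",  "Microsoft Teams",
    datetime(2025-01-11T08:05:00Z), "alice@contoso.com", "203.0.113.10",  "Microsoft Teams",
    datetime(2025-01-12T09:00:00Z), "alice@contoso.com", "198.51.100.77", "Microsoft Teams"
];
// Row 1: MemberAdded written when alice accepted an external chat (no team/channel recorded).
// Row 2: MemberAdded for an ordinary team membership change from alice's usual IP.
let TeamsAudit = datatable(TimeGenerated:datetime, OfficeWorkload:string, Operation:string,
                           UserId:string, ClientIP:string, TeamName:string, ChannelName:string, Members:dynamic)
[
    datetime(2025-01-12T09:20:00Z), "MicrosoftTeams", "MemberAdded", "alice@contoso.com", "198.51.100.77", "", "",
        dynamic([{"UPN":"alice@contoso.com","Role":1},{"UPN":"bob@fabrikam.com","Role":1}]),
    datetime(2025-01-12T10:00:00Z), "MicrosoftTeams", "MemberAdded", "alice@contoso.com", "203.0.113.10", "Finance", "General",
        dynamic([{"UPN":"carol@contoso.com","Role":1}])
];
// Step 1: Teams sign-in IPs a user has used only once are treated as anomalous
// (a simplified stand-in for the rule's IP usage pattern logic).
let NewIps = TeamsSignins
    | where AppDisplayName == "Microsoft Teams"
    | summarize FirstSeen = min(TimeGenerated), SigninCount = count() by UserPrincipalName, IPAddress
    | where SigninCount == 1;
// Step 2: correlate MemberAdded events from the same user and IP within an hour of that
// sign-in, then expand Members so the added UPN and the target team/chat are visible.
TeamsAudit
| where OfficeWorkload == "MicrosoftTeams" and Operation == "MemberAdded"
| join kind=inner NewIps on $left.UserId == $right.UserPrincipalName, $left.ClientIP == $right.IPAddress
| where TimeGenerated between (FirstSeen .. (FirstSeen + 1h))
| mv-expand Member = Members
| extend AddedUpn = tostring(Member.UPN)
| extend Target = iif(isempty(TeamName), "chat (no team/channel in the audit record)", strcat(TeamName, "/", ChannelName))
| extend AddedIsExternal = AddedUpn !endswith "@contoso.com"   // constructed home domain
| project TimeGenerated, ActorUpn = UserId, ClientIP, Target, AddedUpn, AddedIsExternal
```

On the constructed rows only the external-chat event (alice's one-time IP, with the external UPN bob@fabrikam.com in Members) is returned; the ordinary team change from her usual IP is not.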
Thank you so much for your detailed explanation and for clarifying the detection process. We've understood the concerns you addressed, but we're facing a persistent challenge here. Even though we aim to incorporate multiple rules—such as identifying who added a member, the exact activity performed, who initiated the communication, and other such details—we're constrained by the limited information available in Microsoft logs. As you pointed out, many logs seem to be filtered out, and the details we need, such as the initiator of a communication, are not readily available. Currently, we can only access logs showing which member has accepted a chat.

We would like to know:

If you have any recommendations or alternate approaches to improve tracking and visibility into Teams activity, it would be greatly appreciated. To streamline the process and ensure we're aligned, we believe it would be helpful to schedule a call. A dedicated meeting would allow us to:

We've noticed that communication via chat is causing delays, and a real-time discussion will help us move forward more efficiently. If possible, we'd appreciate scheduling this call in a meeting room where everyone can join and share their thoughts directly. Let us know your availability, and we'll be happy to coordinate accordingly. Looking forward to your response.
Hi @ChanduMadhala Certainly, let's chat over a call for further discussion and to answer any follow-up questions. I do not want to put my email address here or ask for yours here for privacy reasons. If you are working with any Microsoft person, you can ask them to reach out to me internally, or drop me a message on LinkedIn (linked from my GitHub profile) to receive contact details to schedule a time. I am in the PST time zone.
Hi @ashwin-patil I have sent a connection request on LinkedIn, so please provide your details and availability for today so we can schedule a call to discuss further.
Hi @ashwin-patil, I appreciate your willingness to help resolve the issue. To facilitate the conversation between you and @ChanduMadhala, would you be able to share your email ID with me? I'll ensure it's kept confidential and used only to arrange the call.
Hi @v-visodadasi As suggested by Ashwin, I have pinged him on LinkedIn and he shared his email ID with us. I will schedule the meeting at a time suitable for both Ashwin and us.
Hey @ganeshtembare, I met with the team this morning and here is the summary and future action items.
Action Items - MSFT/Ashwin
Action Items - Customer
Dear Team,
We are currently facing an issue with the analytic rule "Anomalous Login" identified in Teams, and we require assistance in understanding the root cause and behavior of this alert.
When we connected with Microsoft regarding this matter, they were unable to provide precise guidance on tracking the necessary details. Specifically, in the logs we can only see the activity related to a member being added. However, we are not able to identify:
• The user who initiated the action.
• The user or group to which a member was added.
• The exact activity or process causing the alert.
Microsoft has recommended raising this request with the community for further insights. We would like your assistance in understanding the following:
Your support on this matter would be greatly appreciated. Please let us know if any additional details are required from our side to aid the investigation.
Looking forward to your guidance.