On the last day of August (the 31st) the long-awaited Public Preview for the Microsoft Teams connector was finally delivered. During Private Preview, you might remember that the connector was a standalone version just for Microsoft Teams. But it’s always been a logical path that Teams would just be added to the existing Office 365 Data Connector for Azure Sentinel. And, so, such is the case today as the Public Preview is now available to enable in your Azure Sentinel tenant.
The fact that Teams is part of the original Office 365 Data Connector means that Microsoft Teams is also a FREE ingestion source.
How to Enable It
We’ve made enabling the Teams connection in the Office 365 Data Connector as easy as everything else we offer.
To enable it, in the Azure Sentinel console go to the Data Connector blade, locate the Office 365 Connector, then click or tap the Open connector page button.
Finally (see, I told you it was easy), on the Instructions tab of the Office 365 Data Connector page, check the Teams (Preview) box in the Configuration area, and then click or tap the Apply Changes button.
Now that the connection has been made, you can sit back and wait for the data to start rolling in.
While you’re waiting, you can go grab some Teams Hunting queries: https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/TeamsLogs
I also put together a 10-pack of Teams KQL queries and posted them to my own GitHub repo: https://github.com/rod-trent/SentinelKQL/blob/master/TeamsKQL.zip
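As an added example (not code from the post or from either linked repo), here is a pair of KQL queries to run once the Teams (Preview) box has been applied: the first confirms Teams events are actually landing in the OfficeActivity table, the second is a starter hunt in the spirit of the linked hunting queries. It assumes the connector tags Teams events with OfficeWorkload == "MicrosoftTeams"; the lookback windows and the deletion threshold are arbitrary choices.

```kusto
// Added example, not from the original post. Assumes Teams events from the
// Office 365 Data Connector land in OfficeActivity with OfficeWorkload == "MicrosoftTeams".

// 1. Ingestion check: which Teams operations have arrived in the last 24 hours,
//    how many of each, and when the first and last were seen. An empty result
//    means either no Teams activity yet or the checkbox change has not propagated.
OfficeActivity
| where TimeGenerated > ago(24h)
| where OfficeWorkload == "MicrosoftTeams"
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated) by Operation
| sort by Events desc

// 2. Starter hunt: a single user deleting several teams within one hour.
//    Bulk deletion is rare in normal use and is worth a look as possible
//    destructive activity or a compromised admin account. Threshold is arbitrary.
let lookback = 7d;
let threshold = 3;
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "MicrosoftTeams" and Operation == "TeamDeleted"
| summarize DeletedTeams = make_set(TeamName),
            DeleteCount = dcount(TeamName),
            WindowStart = min(TimeGenerated),
            WindowEnd = max(TimeGenerated) by UserId, bin(TimeGenerated, 1h)
| where DeleteCount >= threshold
| project UserId, WindowStart, WindowEnd, DeleteCount, DeletedTeams
| sort by DeleteCount desc
```

Run the two queries separately in the Logs blade (Log Analytics executes only the statement block under the cursor, and the let statements must stay contiguous with the query that uses them).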