
Dear Team,

I am seeking assistance in adding a parameter to one of my Office 365 rules to identify the specific user to whom the rule applies.

For example, we received an alert stating that "User Permission has changed." However, the raw logs for this alert do not contain information on which user's permission was changed or which account had administrative access altered. The only available parameter is "Object ID," which helps us locate Office 365 logs but does not provide definitive results.

I would like to enhance my rule to include the necessary details to identify the impacted user. Could someone please assist me with this?

For reference, I have included the relevant rule below:

rule O365_USER_CHANGE_PERMISSIONS {

  meta:
    author = "Google Cloud Security"
    description = "This rule tracks and monitors USER_CHANGE_PERMISSIONS for email identities or mailboxes within an Office 365 environment. The event is triggered when a mailbox, email alias, or user account associated with an email address is deleted from the system."
    assumption = "The list msgraph_watchlist_roles is populated with role names, e.g., Application Administrator."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "Account Manipulation: Additional Cloud Roles"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1098/003/"
    mitre_attack_version = "v14.1"
    type = "alert"
    platform = "Microsoft"
    data_source = "Office 365"
    severity = "Medium"
    priority = "Medium"

  events:
    $app.metadata.product_name = "Office 365"
    $app.metadata.vendor_name = "Microsoft"
    $app.metadata.log_type = "OFFICE_365"
    $app.metadata.product_event_type = "MemberRemoved"
    $app.principal.user.userid = $userid
    $app.target.application = "MicrosoftTeams"
    $app.metadata.event_type = "USER_CHANGE_PERMISSIONS"
    $app.principal.user.email_addresses = ""
    $app.target.user.email_addresses = ""
    $app.security_result.action = "UNKNOWN_ACTION"

  match:
    $userid over 5m

  condition:
    $app
}

I was able to get the rule above to trigger with an explicit action of removing a user from a Teams group within the Teams admin portal in O365. The name of the user removed and their email address were displayed in about.user.user_display_name and email_addresses, and the impacted group is found in target.group.group_display_name and target.group.product_object_id. That said, the raw log and consequently the UDM event do not tell you who the user was who initiated the action, which is annoying.

I have some other Teams logs that are sync events that meet some of the criteria around MemberRemoved, but they were from a few months back and were mainly focused on some Exchange mailboxes that I wasn't manipulating, so that might just have been noise in testing.

The specific event you are looking at, MemberRemoved, is specified by MS as a team owner removing members from a team, channel, or group chat, so it looks like you might be trying to get more out of that rule, at least based on the description in the rule.

Not sure if any of this is helpful, but at the least you have a rule to detect users being removed from Teams teams with this.

Hi @jstoner ,

Where can we add the above parameters you provided? If you could guide me, it would be better.

about.user.user_display_name and email_addresses and target.group.group_display_name and target.group.product_object_id.

Thanks in advance.

Thanks,

Neha.H


This is my events section that I used in my test to trigger this.


$app.metadata.product_name = "Office 365"
$app.metadata.vendor_name = "Microsoft"
$app.metadata.log_type = "OFFICE_365"
$app.metadata.product_event_type = "MemberRemoved"
$app.principal.user.userid = $userid
$app.target.application = "MicrosoftTeams"
$app.metadata.event_type = "USER_CHANGE_PERMISSIONS"
$app.principal.user.email_addresses = ""
$app.target.user.email_addresses = ""
$app.security_result.action = "UNKNOWN_ACTION"

The other fields listed above should be used with an outcome variable to view the values as desired.
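As an added example (not code from the thread, Google, or the detection content pack), here is how the outcome section can surface the fields jstoner mentioned, built on the events section posted above. The outcome variable names are assumed; the UDM field paths are the ones named in the replies.

```yaral
rule o365_teams_member_removed_with_context {

  meta:
    author = "added example, not from the original thread"
    description = "Teams MemberRemoved events, surfacing the removed user and the affected group through outcome variables so they appear in the alert."
    severity = "Medium"

  events:
    $app.metadata.product_name = "Office 365"
    $app.metadata.vendor_name = "Microsoft"
    $app.metadata.log_type = "OFFICE_365"
    $app.metadata.product_event_type = "MemberRemoved"
    $app.metadata.event_type = "USER_CHANGE_PERMISSIONS"
    $app.target.application = "MicrosoftTeams"
    $app.principal.user.userid = $userid

  match:
    $userid over 5m

  outcome:
    // Because a match section is present (multi-event rule), outcome
    // expressions must use aggregation functions; array_distinct collects
    // each distinct value seen within the 5m window. Variable names assumed.
    $removed_user_display_name = array_distinct($app.about.user.user_display_name)
    $removed_user_email = array_distinct($app.about.user.email_addresses)
    $target_group_display_name = array_distinct($app.target.group.group_display_name)
    $target_group_id = array_distinct($app.target.group.product_object_id)
    $event_count = count($app.metadata.id)

  condition:
    $app
}
```

Once saved, the outcome values show up as columns on the detection, which is where the removed user and the affected group can be read without opening the raw log.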


