Investigating Teams Logs

Published / by jeff

Microsoft Teams logs contain information about various user activities within the Teams platform, such as messaging, meetings, calls, and other interactions. These logs can be accessed through the Microsoft 365 Compliance Center’s Audit log search or by using the Office 365 Management Activity API.

Here’s a list of some important fields available in Microsoft Teams logs, along with a brief description of what they represent:

  1. CreationTime: The date and time (UTC) when the event occurred.
  2. UserId: The ID of the user who performed the action.
  3. UserKey: The user key of the user who performed the action. It can be a user’s Azure AD ID or an external user’s email address.
  4. UserType: Indicates whether the user is internal or external to the organization.
  5. UserAgent: Information about the device, operating system, or client app used by the user who performed the action.
  6. Operation: The type of action performed by the user, such as “TeamCreated”, “ChannelDeleted”, “MeetingStart”, or “CallRecorded”.
  7. Workload: The Microsoft 365 service associated with the event. For Teams logs, this will be “MicrosoftTeams”.
  8. ResultStatus: The result of the action, such as “Succeeded” or “Failed”.
  9. ClientIP: The IP address of the user who performed the action.
  10. CorrelationId: The unique identifier for the event, which can be used to correlate multiple related events in the log.
  11. ObjectId: The ID of the object affected by the action, such as a team, channel, or message.
  12. TargetUserId: The ID of the user affected by the action, such as the recipient of a message or the user added to a team.
  13. TeamGuid: The unique identifier for the team associated with the event.
  14. ChannelGuid: The unique identifier for the channel associated with the event.
  15. MessageGuid: The unique identifier for the message associated with the event.
  16. MeetingGuid: The unique identifier for the meeting associated with the event.
  17. CallGuid: The unique identifier for the call associated with the event.
  18. ItemName: The name of the object affected by the action, such as a team or channel name.
  19. ItemType: The type of object affected by the action, such as “Team”, “Channel”, “Message”, “Meeting”, or “Call”.
  20. CustomProperties: Additional custom properties specific to the event, such as the meeting title, call duration, or message content.

These fields provide detailed information about the user activities within Microsoft Teams, allowing administrators and security professionals to monitor and analyse events for auditing, compliance, and security purposes.
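As an added example (not code from the original post), here is one way to triage exported audit records using the fields listed above: keep only Teams events, order them by CreationTime, and surface failed actions, users seen from more than one ClientIP, and operations sharing a CorrelationId. The JSON-lines export format, the sample records and the function names are assumptions made for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (not real tenant data), one JSON object per line,
# using field names from the list above. Values are illustrative only.
SAMPLE = """\
{"CreationTime":"2023-04-01T09:00:00","UserId":"alice@example.com","Operation":"TeamCreated","Workload":"MicrosoftTeams","ResultStatus":"Succeeded","ClientIP":"192.0.2.10","CorrelationId":"c-001","ItemName":"Finance"}
{"CreationTime":"2023-04-01T09:05:00","UserId":"bob@example.com","Operation":"ChannelDeleted","Workload":"MicrosoftTeams","ResultStatus":"Failed","ClientIP":"198.51.100.7","CorrelationId":"c-002","ItemName":"General"}
{"CreationTime":"2023-04-01T08:55:00","UserId":"alice@example.com","Operation":"MeetingStart","Workload":"MicrosoftTeams","ResultStatus":"Succeeded","ClientIP":"203.0.113.44","CorrelationId":"c-001"}
{"CreationTime":"2023-04-01T09:10:00","UserId":"carol@example.com","Operation":"FileAccessed","Workload":"SharePoint","ResultStatus":"Succeeded","ClientIP":"192.0.2.20","CorrelationId":"c-003"}
"""

def load_teams_events(text):
    """Parse JSON lines, keep Workload == MicrosoftTeams, sort by CreationTime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Workload") != "MicrosoftTeams":
            continue  # other Microsoft 365 services share the same audit log
        # CreationTime is UTC per the field description; make that explicit.
        rec["_time"] = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["_time"])

def triage(events):
    """Return failed events, users with several client IPs, and ops per CorrelationId."""
    failed = [e for e in events if e.get("ResultStatus") == "Failed"]
    ips_by_user = defaultdict(set)
    by_correlation = defaultdict(list)
    for e in events:
        if e.get("ClientIP"):
            ips_by_user[e["UserId"]].add(e["ClientIP"])
        by_correlation[e.get("CorrelationId")].append(e["Operation"])
    multi_ip = {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) > 1}
    return {"failed": failed, "multi_ip_users": multi_ip,
            "by_correlation": dict(by_correlation)}

if __name__ == "__main__":
    report = triage(load_teams_events(SAMPLE))
    for e in report["failed"]:
        print("FAILED", e["CreationTime"], e["UserId"], e["Operation"], e.get("ItemName"))
    for user, ips in report["multi_ip_users"].items():
        print("MULTIPLE IPS", user, ips)
    for cid, ops in report["by_correlation"].items():
        print("CORRELATION", cid, ops)
```

A user appearing from several IP addresses is a lead to check against known VPN or mobile ranges, not a finding on its own.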