New Audit Events for Microsoft 365 Advanced Auditing
In March 2020, Microsoft made the MailItemsAccessed audit event available. This was the first high-value Microsoft 365 audit event designed to help forensic investigators gain extra detail about what happened when they respond to security or internal events. We now have the first high-value Teams audit information in the MeetingDetail and MeetingParticipantDetail events. According to message center notification MC298031 (Nov 13, 2021), the events are now available in tenants.
When a meeting occurs, Teams logs a single MeetingDetail event to capture basic information about the meeting such as its start and end time. Teams also logs separate MeetingParticipantDetail events for each user (including guests) or application (like the recording bot) who joins the meeting. If the meeting starts and stops several times, Teams captures separate sets of audit events.
Licensing and Output
The important thing is that Teams captures this audit data only if users have the licenses that include advanced auditing. Office 365 E5 and several other Microsoft 365 products include advanced auditing; Office 365 E3 and any lower plan do not.
At least, that’s the way things are supposed to happen. My tenant has some E5 licenses, but the audit data captured for Teams meetings doesn’t happen as you might expect. First, the records don’t appear as quickly as other Teams audit events after a meeting ends. I think this is because a background process looks for meeting information and generates the events some time after a meeting finishes. At least, the creation date for the audit records is several hours after a meeting’s scheduled time. This might be done to ensure that the meeting is over, but it means that you should ignore the audit event creation time when tracking when meetings happen. In addition, as you’d expect, the information captured in the two events differs too, so some care is needed to parse out the audit payload.
Reporting Teams Meeting Audit Records
In any case, I wrote a script to illustrate how to find and parse the audit records for Teams meetings. You can download the script from GitHub. The code is simple:
- Set a time span to search for records. I look for the last 30 days. Because Teams captures audit records for meetings only when the user has Office 365 E5 or above, and those licenses also include one-year audit retention, you can go back up to 365 days.
- Run the Search-UnifiedAuditLog cmdlet to find audit records for Teams meetings.
- Parse each audit record to extract information from its payload. Use the Get-AzureADUser cmdlet to resolve the identifiers captured for meeting organizers and participants.
- Insert the data in a PowerShell list.
- After processing all records, generate a CSV file.
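The five steps above as one worked example. This is added code, not the script from the post: it takes records shaped like Search-UnifiedAuditLog output, branches on the operation because the two payloads differ, resolves the organizer through an offline stand-in for Get-AzureADUser, and keeps the audit creation time separate from the meeting time. The property names inside AuditData and the two sample records are assumptions constructed for the example.

```powershell
# Added example, not the post's script. AuditData property names (MeetingDetailId,
# StartTime, EndTime, JoinTime, LeaveTime, Organizer, Role) are ASSUMED; check them
# against real records. Sample records below are constructed, shaped like the
# objects Search-UnifiedAuditLog returns, using the meeting id and times from the post.
$SampleRecords = @(
    [pscustomobject]@{
        CreationDate = [datetime]'2021-12-09T01:55:48Z'; Operations = 'MeetingDetail'
        UserIds      = 'Sean.Landy@office365itpros.com'
        AuditData    = '{"MeetingDetailId":"87109282-1c08-4272-834b-16d6b9defa01","MeetingType":"ScheduledMeeting","StartTime":"2021-12-08T17:33:00Z","EndTime":"2021-12-08T17:37:00Z","Modalities":["Audio"],"Organizer":"08dda855-5dc3-4fdc-8458-cbc494a5a774"}'
    },
    [pscustomobject]@{
        CreationDate = [datetime]'2021-12-09T01:55:48Z'; Operations = 'MeetingParticipantDetail'
        UserIds      = 'Jack.Smith@office365itpros.com'
        AuditData    = '{"MeetingDetailId":"87109282-1c08-4272-834b-16d6b9defa01","JoinTime":"2021-12-08T17:33:07Z","LeaveTime":"2021-12-08T17:37:00Z","Role":1,"UserInfo":"SkypeSpaces/...;browser=chrome"}'
    }
)
# Offline stand-in for Get-AzureADUser; in a tenant use (Get-AzureADUser -ObjectId $id).DisplayName
$UserLookup = @{ '08dda855-5dc3-4fdc-8458-cbc494a5a774' = 'Sean Landy' }

function ConvertFrom-TeamsMeetingAuditRecord {
    param([Parameter(Mandatory)] $Record)
    $data = $Record.AuditData | ConvertFrom-Json
    # The two operations carry different payloads: branch, then normalise to one shape.
    switch ($Record.Operations) {
        'MeetingDetail' {
            $start = [datetime]$data.StartTime; $end = [datetime]$data.EndTime
            $who = if ($UserLookup[$data.Organizer]) { $UserLookup[$data.Organizer] } else { $data.Organizer }
        }
        'MeetingParticipantDetail' {
            $start = [datetime]$data.JoinTime; $end = [datetime]$data.LeaveTime
            $who = $Record.UserIds
        }
        default { Write-Warning "Not a Teams meeting event: $_"; return }
    }
    [pscustomobject]@{
        Type      = $Record.Operations
        MeetingId = $data.MeetingDetailId
        Who       = $who
        Start     = $start
        End       = $end
        Duration  = $end - $start
        # CreationDate lags the meeting by hours; keep it separate so nobody
        # reads it as the time the meeting took place.
        AuditLag  = $Record.CreationDate - $end
    }
}

$SampleRecords | ForEach-Object { ConvertFrom-TeamsMeetingAuditRecord $_ } |
    Export-Csv -Path .\TeamsMeetingAudit.csv -NoTypeInformation
```

Feed the output of Search-UnifiedAuditLog -Operations MeetingDetail,MeetingParticipantDetail into the same function in place of the sample records; the AuditLag column makes the creation-time caveat visible for every record.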
After processing, a participant record (MeetingParticipantDetail) looks like this. You can see that the date recorded for the audit record is well after the person attended the meeting.
Date : 09/12/2021 01:55:48
User : Jack.Smith@office365itpros.com
MeetingId : 87109282-1c08-4272-834b-16d6b9defa01
MeetingType : ScheduledMeeting
Start : 08/12/2021 17:33
End : 08/12/2021 17:37
User Time : 00:03:53
Role : 1
DetailId : 87109282-1c08-4272-834b-16d6b9defa01
Artifacts :
UserInfo : SkypeSpaces/1415/184.108.40.2061120320/os=windows; osVer=10; deviceType=computer; browser=chrome; browserVer=96.0/TsCallingVersion=2021.42.01.1/Ovb=1c67ad38b440f3c30eadde98e59d505b1dd1c056
Type : Participant
Operation : MeetingParticipantDetail
While a meeting record (MeetingDetail) looks like:
Date : 09/12/2021 01:55:48
User : Sean.Landy@office365itpros.com
MeetingId : 87109282-1c08-4272-834b-16d6b9defa01
MeetingType : ScheduledMeeting
Start : 08/12/2021 17:33
End : 08/12/2021 17:37
MeetingTime : 00:03:53
Organizer : Sean Landy
Modalities : Audio
MeetingURL : teams.microsoft.com/l/meetup-join/19%3ameeting_MGRlYWRlMzctM2ViMC00OGUyLTg3NzAtMDc1MjdiZGU0MjBm%40thread.v2/0?context=%7b%22Tid%22%3a%22b662313f-14fc-43a2-9a7a-d2e27f4f3478%22%2c%22Oid%22%3a%2208dda855-5dc3-4fdc-8458-cbc494a5a774%22%7d
Type : Meeting
Operation : MeetingDetail
The code works for the audit records I see in my tenant. I cannot attest that the code handles every permutation of audit data captured in these records, but as the code uses relatively simple PowerShell, it should be possible to amend the code to handle other conditions.
Investigations Will Prove the Worth of Audit Records
I’m not totally convinced that the information captured in Teams meeting audit records is of high value. The basic knowledge to gain is that someone attended a meeting for a certain length of time, information that’s already in the attendance report that the meeting organizer can download. Some information that I would like to see is missing, such as the meeting title (admittedly, the meeting URL is available, so Graph API calls can find the meeting title).
It is advantageous to be able to search for and retrieve the information from the audit log along with other records of interest to investigators, especially for meetings that someone might try to hide by removing all trace from their calendar. Time will tell if investigators find the information captured in Teams meeting audit records helpful in their work and how they use the data. Remember that Teams stores attendance data for webinars in hidden Lists, so if these events are involved in an investigation, it’s probably better to go there to learn who attended the event.
Make sure that you’re not surprised about changes which appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.