New Audit Events for Microsoft 365 Advanced Auditing
In March 2020, Microsoft made the MailItemsAccessed audit event available. This was the first high-value Microsoft 365 audit event designed to give forensic investigators extra detail about what happened when they respond to security or internal events. We now have the first high-value Teams audit information in the MeetingDetail and MeetingParticipantDetail events. According to message center notification MC298031 (Nov 13, 2021), the events are now available in tenants.
When a meeting occurs, Teams logs a single MeetingDetail event to capture basic information about the meeting such as its start and end time. Teams also logs separate MeetingParticipantDetail events for each user (including guests) or application (like the recording bot) who joins the meeting. If the meeting starts and stops several times, Teams captures separate sets of audit events.
Licensing and Output
The important thing is that Teams captures this audit data only if users have the necessary licenses for advanced auditing. Office 365 E5 and several other Microsoft 365 products include advanced auditing. Office 365 E3 and any lower plan do not.
At least, that’s the way things are supposed to happen. My tenant has some E5 licenses, but the audit data captured for Teams meetings isn’t generated as you might expect. First, the records don’t appear as quickly as other Teams audit events after a meeting ends. I think this is because a background process looks for meeting information and generates the events some time after a meeting finishes. At least, the creation date for the audit records is several hours after a meeting’s scheduled time. This might be done to ensure that the meeting is over, but it means that you should ignore the audit event creation time when tracking when meetings happen. In addition, as you’d expect, the information captured in the two events differs too, so some care is needed to parse out the audit payload.
Reporting Teams Meeting Audit Records
In any case, I wrote a script to illustrate how to find and parse the audit records for Teams meetings. You can download the script from GitHub. The code is simple:
Set a time span to search for records. I look for the last 30 days. Because Teams captures audit records for meetings only when you have Office 365 E5 or above, and those licenses also come with longer audit log retention, you can go back up to 365 days.
Run the Search-UnifiedAuditLog cmdlet to find audit records for Teams meetings.
Parse each audit record to extract information from its payload. Use the Get-AzureADUser cmdlet to resolve the identifiers captured for meeting organizers and participants.
Insert the data in a PowerShell list.
After processing all records, generate a CSV file.
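One way to script the five steps above in PowerShell, written here as an added example rather than the script from the post. It assumes that Exchange Online and AzureAD sessions are already connected, and the AuditData property names it reads (MeetingDetailId, StartTime, EndTime, Organizer.UserObjectId, Attendees, JoinTime, LeaveTime, Modalities, MeetingURL) are assumptions to check against a raw record from your own tenant.

```powershell
# Assumed: Exchange Online and AzureAD sessions are already connected. The
# AuditData property names below are assumptions to check against a raw record.
$StartDate = (Get-Date).AddDays(-30); $EndDate = Get-Date
$SessionId = "TeamsMeetingAudit-" + (Get-Date -Format "yyyyMMddHHmmss")
$UserCache = @{}
$Report    = [System.Collections.Generic.List[Object]]::new()
# Resolve an Azure AD object id to a UPN once and cache it; ids that cannot be
# resolved (deleted accounts, guests) are kept as-is.
function Resolve-User ([string]$Id) {
    if ([string]::IsNullOrEmpty($Id)) { return $null }
    if (-not $UserCache.ContainsKey($Id)) {
        $UserCache[$Id] = try { (Get-AzureADUser -ObjectId $Id).UserPrincipalName } catch { $Id }
    }
    return $UserCache[$Id]
}
# Page through the log: one call returns at most 5,000 records, so keep the session
# id and repeat until an empty page comes back. The date window filters on record
# creation time, which lags the meeting by hours (see the note in the post).
$Records = @()
do {
    $Page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -Operations MeetingDetail, MeetingParticipantDetail -ResultSize 5000 `
        -SessionId $SessionId -SessionCommand ReturnLargeSet
    $Records += $Page
} while ($Page)
$Records = $Records | Sort-Object Identity -Unique   # ReturnLargeSet may repeat records
foreach ($Rec in $Records) {
    $Data = $Rec.AuditData | ConvertFrom-Json
    $Row  = [PSCustomObject]@{
        RecordCreated = $Rec.CreationDate   # hours after the meeting; not the meeting time
        Operation     = $Rec.Operations;      MeetingId  = $Data.MeetingDetailId
        MeetingType   = $Data.MeetingType;    Start      = $Data.StartTime
        End           = $Data.EndTime;        Organizer  = $null
        Participant   = $null;                Role       = $null
        Modalities    = ($Data.Modalities -join ";"); MeetingURL = $Data.MeetingURL
    }
    if ($Rec.Operations -eq "MeetingDetail") {
        $Row.Organizer = Resolve-User $Data.Organizer.UserObjectId
        $Report.Add($Row)
    } else {   # a participant record can list several attendees: one row each
        foreach ($A in $Data.Attendees) {
            $P = $Row.PSObject.Copy()
            $P.Participant = Resolve-User $A.UserObjectId; $P.Role = $A.Role
            $P.Start = $Data.JoinTime;                     $P.End  = $Data.LeaveTime
            $Report.Add($P)
        }
    }
}
$Report | Export-Csv -Path .\TeamsMeetingAudit.csv -NoTypeInformation -Encoding UTF8
```

Because the search window applies to the record creation time rather than the meeting time, a meeting held near the start of the window can have its records created inside it, and one held near the end can have them created after it; widen the window by a day when completeness matters.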
After processing, a participant record (MeetingParticipantDetail) looks like this. You can see that the date recorded for the audit record is well after the person attended the meeting.
Date : 09/12/2021 01:55:48
User : Jack.Smith@office365itpros.com
MeetingId : 87109282-1c08-4272-834b-16d6b9defa01
MeetingType : ScheduledMeeting
Start : 08/12/2021 17:33
End : 08/12/2021 17:37
User Time : 00:03:53
Role : 1
DetailId : 87109282-1c08-4272-834b-16d6b9defa01
Artifacts :
UserInfo : SkypeSpaces/1415/1.0.0.2021120320/os=windows; osVer=10; deviceType=computer; browser=chrome; browserVer=96.0/TsCallingVersion=2021.42.01.1/Ovb=1c67ad38b440f3c30eadde98e59d505b1dd1c056
Type : Participant
Operation : MeetingParticipantDetail
While a meeting record (MeetingDetail) looks like:
Date : 09/12/2021 01:55:48
User : Sean.Landy@office365itpros.com
MeetingId : 87109282-1c08-4272-834b-16d6b9defa01
MeetingType : ScheduledMeeting
Start : 08/12/2021 17:33
End : 08/12/2021 17:37
MeetingTime : 00:03:53
Organizer : Sean Landy
Modalities : Audio
MeetingURL : teams.microsoft.com/l/meetup-join/19%3ameeting_MGRlYWRlMzctM2ViMC00OGUyLTg3NzAtMDc1MjdiZGU0MjBm%40thread.v2/0?context=%7b%22Tid%22%3a%22b662313f-14fc-43a2-9a7a-d2e27f4f3478%22%2c%22Oid%22%3a%2208dda855-5dc3-4fdc-8458-cbc494a5a774%22%7d
Type : Meeting
Operation : MeetingDetail
The code works for the audit records I see in my tenant. I cannot attest that the code handles every permutation of audit data captured in these records, but as the code uses relatively simple PowerShell, it should be possible to amend the code to handle other conditions.
Investigations Will Prove the Worth of Audit Records
I’m not totally convinced that the information captured in Teams meeting audit records is of high value. The basic knowledge to gain is that someone attended a meeting for a certain length of time, information that’s already in the attendance report that the meeting organizer can download. Some information that I would like to see is missing, such as the meeting title (admittedly, the meeting URL is available, so Graph API calls can find the meeting title).
It is advantageous to be able to search for and retrieve the information from the audit log along with other records of interest to investigators, especially for meetings that someone might try to hide by removing all trace from their calendar. Time will tell if investigators find the information captured in Teams meeting audit records helpful in their work and how they use the data. Remember that Teams stores attendance data for webinars in hidden Lists, so if these events are involved in an investigation, it’s probably better to go there to learn who attended the event.
Make sure that you’re not surprised about changes which appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.
Hi there! I also wrote a script to parse and process Teams Audit Logs. My purpose was to analyze (quantify) disconnections during meetings due to Wifi issues. It’s available there: https://bit.ly/3LAtyjI