Track Privilege Escalation in MS Teams and SharePoint Online

Using the Native Way for Auditing Privilege Escalation

Please follow the below steps:

• Open the Office 365 Security & Compliance dashboard
• Go to Search, Audit log search
• From the Activities filters, choose Shared file, folder, or site and Unshared file, folder, or site
• Click Search

The search results will list the following: directly granting access rights, adding a user to a group, and changing group rights. The output table will include the following details:

• User — The name of the user who performed the action
• Item — The URL of the SharePoint site or Team where the change was made
• Detail — The user or group to which the change was applied

If you want to see whether privilege escalation took place, you will have to look further into the results.

This can be done by clicking the specific event and looking through the Details tab. Depending on the activity, you will need to search for the following information:

• If a user was added to a group with Full Control permissions:

EventData: will show the name of the group to which the user was added.

(Please note that by default, the group with Full Control permissions for a site or team is named [SiteName] Owners)

• If rights were granted to a user directly:

The EventData: field will show you the permissions granted. Your highest priority is to keep track of users who are granted Full Control.

The Audit Log Search filter capabilities are quite simple and don’t enable you to exclude irrelevant results, so using this method means that you must click through each event individually. An alternative way to find privilege escalation is to export the data to a CSV file and parse the data in Excel as follows:

• To export results to a CSV file, click Export Results, Download all results
• In a new workbook, select the Data Tab, and from the Get & Transform Data section, click Get Data, From File, From Text/CSV and select the CSV file that you previously downloaded. Click Import, Transform Data.
• In the Power Query Editor, right-click the title in the AuditData column. select Transform, choose JSON

In the upper right corner of the AuditData column, click the Expand icon, deselect the properties that you don’t want to include, click OK.

The following properties are examples of those available to be included in the query:

• AuditData.CreationTime — The event timestamp
• AuditData.ClientIP — The IP address from which the event was performed
• AuditData.UserId — The name of the user who performed the action
• AuditData.EventData — The action performed
• AuditData.SiteUrl — The URL of the SharePoint site or Team where the change was made
• AuditData.TargetUserOrGroupName — The user or group to which the change was applied

Privilege Escalation Auditing Using the Lepide Auditor

This native way to audit Privilege Escalation in MS Teams and SharePoint Online is both time-consuming and complex. A more straightforward solution to this is to use the All Modifications in SharePoint Online Report from the Office 365 Auditing component of Lepide Auditor:

• Click the User & Entity Behavior Analytics icon and select SharePoint Online Modification Reports, All Modifications in SharePoint Online
• Select a Date Range, select the filters you require and click Generate Report
• To see further detail about a specific object, click Details and the Details Window will be displayed
• The report can be sorted, filtered, grouped, saved, and exported

NOTE– Similar process you can follow to generate a report for MS Teams.