Microsoft Sentinel: Monitoring Audio/Video Conferencing Software
May 11, 2020
This blog expands upon SecureSky’s “Top 10 Audio/Video Conferencing Security Best Practices” blog posted on April 8, 2020. If you have not read that blog yet, we encourage you to do so, as it provides recommendations on settings to harden various audio/video conferencing tools that you may use within your organization.
Microsoft’s Azure Sentinel offers robust capabilities to monitor Microsoft Teams and Zoom for security-related threats. In this blog we provide several configuration references and discuss what potentially malicious activity Azure Sentinel can monitor, detect and protect against.
Monitoring Microsoft Teams with Sentinel
First, because an Azure Active Directory app is registered as part of the configuration process, we can also monitor everything related to user identity. For Teams this is especially important, since Teams relies on Azure AD for authentication. Thankfully, there is a built-in Sentinel connector for this.
After some work parsing through all the available audit data in Microsoft 365, we can set up some hunting queries or alerts to identify potentially malicious activity such as the following:
- Adding/removing external users
- Adding external contributors
- Adding an application or bot
- User given ownership rights to multiple Teams
- Single user deletes multiple Teams
- A user with suspicious Azure AD logins being made a Team owner
The above are just some of the more common risks that Sentinel can monitor and alert on. You are only limited by your creativity in crafting hunting or alert queries.
Monitoring Zoom with Sentinel
Much like Teams, if your organization uses Zoom for audio/video conferencing, Sentinel can monitor that activity, and there is an easy-to-use Zoom connector inside Azure Sentinel. Pete Bryan from Microsoft has already written about how to configure Sentinel to monitor and alert on suspicious activity in Zoom, so our focus is on what activity can be monitored in Sentinel.
After setting everything up and making sure Zoom logs are parsed and normalized, we can start to extract specific events, including the following:
- Encryption disabled
- External user access
- Suspicious links
- User joining from a different time zone (special situations)
- Specific hunting queries
- Compromised room system
- Multiple denies (recording/registration)
- New domain added to access whitelist
- User joined meeting from a new time zone
As with the Teams discussion above, this is just a small sample of the Zoom activities Sentinel can monitor or be queried for. Poring over the Zoom account owner settings and advanced settings, you will likely find additional items your organization may want to monitor within Zoom.
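To show how two of the detections listed above work (Teams: a single user deleting multiple Teams; Zoom: a user joining a meeting from a new time zone), here is an added example that is not from this post, from SecureSky or from Microsoft. It runs over constructed events in an assumed, simplified normalized schema, since the real connector tables and KQL are not shown here; in Sentinel the same sliding-window and baseline logic would be expressed as a hunting or analytics-rule query.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified normalized shape (an assumption for this
# example, not the real schema of the Office 365 or Zoom data connectors).
EVENTS = [
    {"src": "teams", "user": "alice@example.com", "action": "TeamDeleted", "target": "Finance", "ts": "2020-05-11T09:00:00"},
    {"src": "teams", "user": "alice@example.com", "action": "TeamDeleted", "target": "HR", "ts": "2020-05-11T09:04:00"},
    {"src": "teams", "user": "alice@example.com", "action": "TeamDeleted", "target": "Legal", "ts": "2020-05-11T09:09:00"},
    {"src": "teams", "user": "bob@example.com", "action": "TeamDeleted", "target": "OldProj", "ts": "2020-05-11T10:00:00"},
    {"src": "zoom", "user": "bob@example.com", "action": "MeetingJoined", "tz": "America/Chicago", "ts": "2020-05-04T14:00:00"},
    {"src": "zoom", "user": "bob@example.com", "action": "MeetingJoined", "tz": "America/Chicago", "ts": "2020-05-06T14:00:00"},
    {"src": "zoom", "user": "bob@example.com", "action": "MeetingJoined", "tz": "Europe/Moscow", "ts": "2020-05-11T03:00:00"},
]

def _ts(ev):
    return datetime.fromisoformat(ev["ts"])

def multiple_team_deletions(events, threshold=3, window=timedelta(hours=1)):
    """Return sorted (user, count) pairs for users who deleted at least
    `threshold` Teams inside any sliding window of length `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["src"] == "teams" and ev["action"] == "TeamDeleted":
            by_user[ev["user"]].append(_ts(ev))
    hits = []
    for user, times in by_user.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink the window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((user, best))
    return sorted(hits)

def new_time_zone_joins(events, baseline_days=7):
    """Return (user, tz, ts) for Zoom joins from a time zone the user has not joined
    from in the preceding `baseline_days`; a user's first join only seeds the baseline."""
    joins = sorted((e for e in events if e["src"] == "zoom" and e["action"] == "MeetingJoined"), key=_ts)
    history = defaultdict(list)   # user -> [(join time, tz)] seen so far, in time order
    flagged = []
    for ev in joins:
        now = _ts(ev)
        recent = {tz for t, tz in history[ev["user"]] if now - t <= timedelta(days=baseline_days)}
        if recent and ev["tz"] not in recent:
            flagged.append((ev["user"], ev["tz"], ev["ts"]))
        history[ev["user"]].append((now, ev["tz"]))
    return flagged
```

A user whose first join falls inside the query window has no baseline and is deliberately not flagged here, so new accounts need a separate rule.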
At SecureSky we want to take the complexity out of monitoring your environment for you. With our team of experienced professionals, we can help you manage your monitoring and alerting needs for your cloud environment whether you are using Teams or Zoom. Our expert threat detection and response personnel can help take that burden off your staff. Feel free to contact us to discuss your needs.
Configuration of Teams and Zoom: