{"id":310,"date":"2025-09-16T13:48:35","date_gmt":"2025-09-16T12:48:35","guid":{"rendered":"https:\/\/cyber-resilience.mobi\/?p=310"},"modified":"2025-09-16T13:48:35","modified_gmt":"2025-09-16T12:48:35","slug":"one-to-one-teams-and-guest","status":"publish","type":"post","link":"https:\/\/cyber-resilience.mobi\/?p=310","title":{"rendered":"One-to-One Teams and Guest"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Cette requ\u00eate permet de :<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Identifier les chats One-to-One cr\u00e9\u00e9s dans Teams<\/strong>.<\/li>\n\n\n\n<li><strong>D\u00e9tecter les participants externes<\/strong>\u00a0(non Microsoft\u00a0: domaine diff\u00e9rent de microsoft.com, \u00e0 remplacer par les domaines de votre organisation).<\/li>\n\n\n\n<li><strong>Analyser l\u2019origine g\u00e9ographique<\/strong>\u00a0de la cr\u00e9ation du chat via l\u2019adresse IP de l\u2019\u00e9v\u00e9nement.<\/li>\n\n\n\n<li><strong>Lister les domaines SIP et DNS<\/strong>\u00a0des participants.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>CloudAppEvents\n| where Application has \"Microsoft Teams\" and isnotempty(IPAddress)  \n| extend Geo_IP = tostring(geo_info_from_ip_address(IPAddress).country)\n| extend ChatName = todynamic(RawEventData).ChatName\n| extend TeamName = todynamic(RawEventData).TeamName\n| extend ChannelName = todynamic(RawEventData).ChannelName\n| extend Operation = todynamic(RawEventData).Operation\n| extend CommunicationType = todynamic(RawEventData).CommunicationType\n| where  Operation has \"ChatCreated\" and CommunicationType has \"OneOnOne\"\n| mv-expand  ParticipantsInfo = (todynamic(parse_json(RawEventData).ParticipantInfo))\n|  mv-expand  ParticipatingDomains =  (ParticipantsInfo).ParticipatingDomains\n|  mv-expand  ParticipatingSIPDomains =  (ParticipantsInfo).ParticipatingSIPDomains\n|  mv-expand  ParticipatingSIPDomains =  (ParticipatingSIPDomains).DomainName\n| where  Operation has \"ChatCreated\" and CommunicationType has \"OneOnOne\"\n| where (ParticipatingDomains!=\"\" or  ParticipatingSIPDomains!=\"\") and (ParticipatingDomains !in (\"microsoft.com\") or 
ParticipatingSIPDomains !in (\"microsoft.com\"))\n| project  AccountDisplayName,ChatCreatedFrom= IPAddress,ChannelName,ChatName, TeamName,Geo_IP, CountryCode,Operation,ParticipatingSIPDomains,ParticipatingDomains, ISP<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Cette requ\u00eate permet de :<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17],"tags":[18],"class_list":["post-310","post","type-post","status-publish","format-standard","hentry","category-kql","tag-kql"],"_links":{"self":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/310","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=310"}],"version-history":[{"count":1,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/310\/revisions"}],"predecessor-version":[{"id":311,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/310\/revisions\/311"}],"wp:attachment":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=310"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=310"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=310"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}