TeamFiltration User-Agents Detected

Last updated: 2025-07-02
Created: 2025-07-02

About

Identifies potential enumeration or password spraying activity that uses the TeamFiltration tool. TeamFiltration is an open-source enumeration, password spraying and exfiltration tool built for Microsoft Entra ID and Microsoft 365. Adversaries have used TeamFiltration in the wild to enumerate users, groups and roles, and to password-spray Entra ID and Microsoft 365 accounts. This rule detects TeamFiltration by looking for the user-agent strings the tool presents, in Azure sign-in logs and Microsoft 365 audit logs. A user-agent header is set by the client, so an operator can change the tool's default string; a match is a strong indicator of the unmodified tool, but the absence of a match does not rule the tool out.
Tags
Domain: Cloud
Data Source: Azure
Data Source: Microsoft 365
Data Source: Microsoft 365 Audit Logs
Data Source: Microsoft Entra ID
Data Source: Microsoft Entra ID Sign-in Logs
Use Case: Identity and Access Audit
Use Case: Threat Detection
Tactic: Discovery
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Discovery (TA0007)

Credential Access (TA0006)

False Positive Examples
Legitimate administrative or security assessment activities may use these user-agents, especially in environments where TeamFiltration is employed for authorized audits. If this is expected behavior, consider adjusting the rule or adding exceptions for specific user-agents or IP addresses.

Expected red team assessments or penetration tests may utilize TeamFiltration to evaluate the security posture of Azure or Microsoft 365 environments. If this is expected behavior, consider adjusting the rule or adding exceptions for specific IP addresses, registered applications, JWT tokens, PRTs or user
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-azure.signinlogs-*
logs-o365.audit-*
Related Integrations

azure

o365

Query
event.dataset:("azure.signinlogs" or "o365.audit")
    and ((user_agent.name:"Electron" and user_agent.os.name:"Windows" and user_agent.version:"8.5.1") or
    user_agent.original:"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36")
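The query above is a pure user-agent match across two datasets. The following Python is an added example, not code from Elastic or from TeamFiltration: it re-implements the rule's matching logic as an exact string comparison over flattened ECS field names, runs it over a handful of constructed sample events, applies a source-IP exception of the kind the False Positive section suggests, and then groups the hits by source IP to expose the many-users-from-one-address pattern that distinguishes spraying from a single authorized tester. The event contents, IP addresses and user names are all made up for the example.

```python
"""Re-implementation of the TeamFiltration user-agent rule over sample events.

Added example, not part of the Elastic rule or the TeamFiltration project.
Events are flat dicts keyed by ECS field name (e.g. "user_agent.original");
all sample data below is constructed for the example.
"""
from collections import defaultdict

# Exact user-agent string from the rule's query.
TEAMFILTRATION_UA = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 "
    "Electron/8.5.1 Safari/537.36"
)

# The two datasets the rule scopes itself to.
MONITORED_DATASETS = {"azure.signinlogs", "o365.audit"}


def is_teamfiltration_ua(event: dict) -> bool:
    """Mirror the KQL: monitored dataset AND (parsed Electron/8.5.1 on Windows
    OR the full raw user-agent string)."""
    if event.get("event.dataset") not in MONITORED_DATASETS:
        return False
    parsed_match = (
        event.get("user_agent.name") == "Electron"
        and event.get("user_agent.os.name") == "Windows"
        and event.get("user_agent.version") == "8.5.1"
    )
    raw_match = event.get("user_agent.original") == TEAMFILTRATION_UA
    return parsed_match or raw_match


def find_hits(events, allow_ips=frozenset()):
    """Apply the rule, dropping hits from allow-listed source IPs (an
    exception for an authorized assessment, as the rule page suggests)."""
    return [
        e for e in events
        if is_teamfiltration_ua(e) and e.get("source.ip") not in allow_ips
    ]


def spray_summary(hits):
    """Group hits by source IP -> sorted distinct user names. One IP touching
    many accounts is the enumeration / password-spray shape to triage first."""
    users_by_ip = defaultdict(set)
    for h in hits:
        users_by_ip[h.get("source.ip")].add(h.get("user.name"))
    return {ip: sorted(users) for ip, users in users_by_ip.items()}


# Constructed sample events (hypothetical IPs and users).
SAMPLE_EVENTS = [
    # Full raw UA plus parsed fields, several accounts from one IP.
    {"event.dataset": "azure.signinlogs", "source.ip": "203.0.113.10", "user.name": "alice",
     "user_agent.original": TEAMFILTRATION_UA, "user_agent.name": "Electron",
     "user_agent.os.name": "Windows", "user_agent.version": "8.5.1"},
    # Only parsed fields present (raw string not ingested).
    {"event.dataset": "azure.signinlogs", "source.ip": "203.0.113.10", "user.name": "bob",
     "user_agent.name": "Electron", "user_agent.os.name": "Windows", "user_agent.version": "8.5.1"},
    # Only the raw string present (user-agent parser did not run).
    {"event.dataset": "azure.signinlogs", "source.ip": "203.0.113.10", "user.name": "carol",
     "user_agent.original": TEAMFILTRATION_UA},
    # Same tool seen in the M365 audit log.
    {"event.dataset": "o365.audit", "source.ip": "203.0.113.10", "user.name": "dave",
     "user_agent.original": TEAMFILTRATION_UA},
    # Ordinary browser sign-in: no hit.
    {"event.dataset": "azure.signinlogs", "source.ip": "198.51.100.7", "user.name": "eve",
     "user_agent.name": "Chrome", "user_agent.os.name": "Windows", "user_agent.version": "124.0"},
    # Electron on Windows but a different version: no hit.
    {"event.dataset": "azure.signinlogs", "source.ip": "198.51.100.8", "user.name": "eve",
     "user_agent.name": "Electron", "user_agent.os.name": "Windows", "user_agent.version": "8.5.2"},
    # Right version, wrong OS: no hit.
    {"event.dataset": "azure.signinlogs", "source.ip": "198.51.100.9", "user.name": "eve",
     "user_agent.name": "Electron", "user_agent.os.name": "Mac OS X", "user_agent.version": "8.5.1"},
    # Matching UA but a dataset the rule does not cover: no hit.
    {"event.dataset": "aws.cloudtrail", "source.ip": "203.0.113.10", "user.name": "alice",
     "user_agent.original": TEAMFILTRATION_UA},
    # Authorized pentester's IP; suppressed once allow-listed.
    {"event.dataset": "azure.signinlogs", "source.ip": "192.0.2.5", "user.name": "frank",
     "user_agent.original": TEAMFILTRATION_UA},
]

if __name__ == "__main__":
    hits = find_hits(SAMPLE_EVENTS, allow_ips={"192.0.2.5"})
    print(f"{len(hits)} hits after exceptions")
    for ip, users in spray_summary(hits).items():
        print(f"{ip}: {len(users)} distinct accounts -> {users}")
```

The third and fourth sample events matter in practice: if the user-agent parser has not populated `user_agent.name`/`user_agent.version`, only the `user_agent.original` branch of the query fires, which is why the rule carries both conditions. The summary step is not part of the rule; it is the first pivot an analyst would do on an alert, since a single authorized tester and a spray run look identical at the per-event level.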

Install detection rules in Elastic Security

Detect TeamFiltration user-agents in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.