A Microsoft Teams application was installed

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-02-02

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Office 365 Audit
Detection Modules	Identity Threat Module
Detector Tags	Microsoft Teams
ATT&CK Tactic	Persistence (TA0003)
ATT&CK Technique	Cloud Application Integration (T1671)
Severity	Informational

A Microsoft Teams application was installed.

Attackers may leverage Teams applications to maintain persistent access to compromised Teams accounts.

Confirm that the application was created by a certified and trusted entity.
Evaluate the permissions requested by the application to determine if they are excessive or unusual.
Determine if it is within the user's role to install this type of application.
Correlate the alert with the sign-in event to get additional information on the identity performing the action.
Follow further actions done by the account.

ATT&CK Tactic	Persistence (TA0003)
ATT&CK Technique	Cloud Application Integration (T1671)
Severity	Low

A Microsoft Teams application was installed.

Attackers may leverage Teams applications to maintain persistent access to compromised Teams accounts.

Confirm that the application was created by a certified and trusted entity.
Evaluate the permissions requested by the application to determine if they are excessive or unusual.
Determine if it is within the user's role to install this type of application.
Correlate the alert with the sign-in event to get additional information on the identity performing the action.
Follow further actions done by the account.