MCSB LT-1: Logging and Threat Detection
69 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control LT-1 (Logging and Threat Detection). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB LT-1 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. LT-1 sits in the Logging and Threat Detection domain. Senserva evidences it with the 69 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 69 checks that evidence MCSB LT-1
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| Intune Operation Approval Device Wipe Missing | Critical | No Intune operation approval policy is configured for device wipe, any admin can wipe devices without a second approval. |
| Intune Operation Approval Tenant Configuration Missing | Critical | No Intune operation approval policy is configured for tenant configuration changes, any admin can make tenant-wide Intune changes without a second approval. |
| Log Blocked Signin Bad IP Or Too Many Invalid Attempts | Critical | Sign-in blocked due to bad IP reputation or too many invalid attempts. May indicate brute-force or credential stuffing attack |
| Log Legacy Auth Protocol | Critical | Sign-in used a legacy authentication protocol that bypasses modern auth and MFA |
| PIM Alerts No MFA On Activation Alert | Critical | PIM alert: MFA is not required on role activation. Compromised credentials can escalate |
| Audit CA Change | High | Successful Conditional Access change in directory audit logs |
| Audit CA Failed Conditional Access Change | High | Failed Conditional Access change in directory audit logs |
| Audit Failed Authorization Change | High | Failed authorization policy change in directory audit logs |
| Audit Failed Directory Management Change | High | Failed directory management change in audit logs |
| Audit Failed Other Change | High | Failed change in uncategorized category in directory audit logs |
| Audit Failed Resource Management Change | High | Failed resource management change in directory audit logs |
| Audit Group Failed Group Management Change | High | Failed group management change in directory audit logs |
| Audit Im Auth Failed Authentication Change | High | Failed authentication method/policy change in directory audit logs |
| Audit Role Failed Roll Management Change | High | Failed role management change in directory audit logs. May indicate unauthorized attempts |
| Audit User Failed User Management Change | High | Failed user management change in directory audit logs |
| Audit User Failed User Modification Attempt | High | Failed user modification attempt in directory audit logs |
| Audit User Successful User Modification | High | Successful user modification in directory audit logs |
| Intune Operation Approval Device Delete Missing | High | No Intune operation approval policy is configured for device delete, any admin can delete devices from Intune without a second approval. |
| Intune Operation Approval Device Retire Missing | High | No Intune operation approval policy is configured for device retire, any admin can retire devices without a second approval. |
| Intune Operation Approval No Approvers | High | An Intune operation approval policy has no approver groups configured, the approval gate cannot enforce peer review. |
| Intune Policy Compliance Mde Integration Required | High | Microsoft Defender for Endpoint integration is not required by compliance policy |
| Intune Policy Compliance Mde Threat Level Allowed | High | Microsoft Defender for Endpoint allowed threat level is too permissive in compliance policy |
| Link SCuBA Exo Link Protection | High | SCUBA/CISA baseline check: Exchange Online Safe Links protection configuration Verifies that URL detonation and click-time protection are enabled |
| Log Conditional Access Error Log | High | Conditional Access error in sign-in logs. CA policy evaluation failed during sign-in |
| Log Conditional Access Log Request Audit | High | Conditional Access request audit record from sign-in logs |
| Log Conditional Access Policy Exclusion Applied | High | Conditional Access policy exclusion applied during sign-in, policy bypassed due to satisfied exclusion conditions |
| Log User Sign In Log Request Audit | High | Sign-in log request audit record |
| Log User Single Factor Authentication | High | User sign-in completed with single-factor authentication as recorded in sign-in logs |
| Malware SCuBA Exo Malware Scanning | High | SCUBA/CISA baseline check: Exchange Online malware scanning configuration Verifies that anti-malware policies are properly configured |
| Phish SCuBA Exo Phishing Protections | High | SCUBA/CISA baseline check: Exchange Online anti-phishing protection configuration Verifies impersonation protection, mailbox intelligence, and spoof settings |
| PIM Alerts License Suspended | High | PIM license is suspended. PIM protections are not enforced without an active license |
| PIM Alerts Stale Alert Incident | High | PIM alert: stale role assignment detected. A user's privileged role has not been activated recently |
| PIM Alerts Too Many Global Admins Assigned To Tenant Alert Incident | High | PIM alert: too many Global Admins assigned to the tenant |
| PIM Policy Notifications Missing | High | PIM policy is missing notification rules. Admins are not alerted on role activation |
| Audit As App Failed Application Management Change | Medium | Failed application management change detected in directory audit logs May indicate unauthorized modification attempts |
| Audit Authentication Change | Medium | Successful authentication method/policy change in directory audit logs |
| Audit Authorization Change Authorization Change | Medium | Successful authorization policy change in directory audit logs |
| Audit Im Policy Failed Policy Change | Medium | Failed Conditional Access policy change in directory audit logs |
| Audit PIM Change | Medium | Successful PIM change in directory audit logs |
| Audit PIM Failed PIM Change | Medium | Failed PIM change in directory audit logs. May indicate unauthorized modification attempts |
| Audit Role Management Change | Medium | Successful role management change in directory audit logs |
| Establish Monitoring And Detection | Medium | Establish monitoring and anomaly detection for AI workloads and outputs |
| Log Conditional Access Status | Medium | Conditional Access status observed across sign-in logs |
| Log Es Device Login Fails Counts | Medium | Aggregated device login failure counts. Tracks devices with repeated auth failures |
| Log Es Device Non Compliant Device Login Counts | Medium | Count of sign-ins from non-compliant devices |
| Log Failed Login Count | Medium | Aggregated failed login count for a user. High counts may indicate brute-force attacks |
| Missing Licenses Required | Medium | The tenant is missing licenses required by the security baseline for general (non-privileged) accounts |
| PIM Alert Configuration Incorrect | Medium | PIM alert configuration is incorrect or misconfigured for the tenant |
| PIM Missing Alert Type | Medium | Expected PIM alert type is missing from the tenant's alert configuration |
| Secure Score Control Not Implemented | Medium | A Microsoft Secure Score control is available but the tenant is earning zero points for it. |
| Admin SCuBA Gws Common Admin Audit And Alerts | Low | SCUBA/CISA baseline check: Google Workspace admin audit and alerts configuration |
| Audit Es Device Failed Device Change | Low | Failed device management change in directory audit logs |
| Other Change | Low | A directory audit log entry with a category that does not match any known category mapping. Captured for completeness |
| Spam SCuBA Exo Inbound Anti Spam Protections | Low | SCUBA/CISA baseline check: Exchange Online inbound anti-spam protection configuration Verifies spam filter policies and actions are properly configured |
| Audit As App Application Activity | Info | Application activity detected in directory audit logs (non-management actions) |
| Audit Audit Completed | Info | Audit scan completed for the tenant |
| Audit Audit Started | Info | Audit scan started for the tenant |
| Audit Directory Management Change | Info | Successful directory management change in audit logs |
| Audit Group Management Change | Info | Successful group management change in directory audit logs |
| Audit Resource Management Change | Info | Successful resource management change in directory audit logs |
| Audit User Activity | Info | User activity event in directory audit logs (non-management actions) |
| Audit User Management Change | Info | Successful user management change in directory audit logs |
| Device Change | Info | Device configuration change detected in directory audit logs (successful) |
| Perform Continuous Red Team | Info | Perform continuous red-team exercises against AI deployments to identify vulnerabilities |
| Permission Check Skipped | Info | Security checks were skipped because the scanning credential lacks a required directory role |
| PIM Alerts | Info | PIM alert record with role, assignee, and last activation details |
| PIM Policy Modified By | Info | PIM management policy was last modified by the reported user. Change tracking |
| Scoring Line | Info | Individual scoring line item contributing to the overall tenant security score |
| Secure Score | Info | Microsoft Secure Score value for the tenant. Tracked for trending and benchmark comparison |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.