MCSB LT-3: Logging and Threat Detection
116 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control LT-3 (Logging and Threat Detection). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB LT-3 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. LT-3 sits in the Logging and Threat Detection domain. Senserva evidences it with the 116 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 116 checks that evidence MCSB LT-3
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| At Risk With High Risk | Critical | User currently at risk with a high risk level assessment. Immediate investigation recommended |
| Intune Operation Approval Device Wipe Missing | Critical | No Intune operation approval policy is configured for device wipe, any admin can wipe devices without a second approval. |
| Intune Operation Approval Tenant Configuration Missing | Critical | No Intune operation approval policy is configured for tenant configuration changes, any admin can make tenant-wide Intune changes without a second approval. |
| Log Blocked Signin Bad IP Or Too Many Invalid Attempts | Critical | Sign-in blocked due to bad IP reputation or too many invalid attempts. May indicate brute-force or credential stuffing attack |
| Log Flagged For Review | Critical | Microsoft flagged this sign-in for review as potentially suspicious |
| Risk Detection Anomalous Token | Critical | Anomalous token usage detected Token properties or usage patterns do not match expected behavior. |
| Risk Detection Leaked Credentials | Critical | Leaked credentials detected. Credentials for this user were found exposed publicly |
| Risk Detection Malicious IP Address | Critical | Sign-in from a known malicious IP address. |
| Risk Detection Offline | Critical | Risk detection was discovered offline (retroactively). The compromise predates the detection |
| Risk Detection State Confirmed Compromised | Critical | Risk detection is confirmed compromised. Immediate action required |
| Risk Detection Token Issuer Anomaly | Critical | Token issuer anomaly detected The token was issued by an unexpected or suspicious authority. |
| Sp Risk Detection Malicious Application | Critical | Service principal flagged as a malicious application by Entra ID Protection |
| Sp Risk State Confirmed Compromised | Critical | Service principal risk state is "confirmed compromised", immediate action required |
| User High Risk User | Critical | User flagged as high risk by Entra ID Protection. Immediate investigation required |
| At Risk Signin | High | Sign-in was flagged as at-risk by Entra ID Protection |
| At Risk With Low Risk | High | User currently at risk with a low risk level assessment |
| Audit CA Change | High | Successful Conditional Access change in directory audit logs |
| Audit CA Failed Conditional Access Change | High | Failed Conditional Access change in directory audit logs |
| Audit Failed Authorization Change | High | Failed authorization policy change in directory audit logs |
| Audit Failed Directory Management Change | High | Failed directory management change in audit logs |
| Audit Failed Other Change | High | Failed change in uncategorized category in directory audit logs |
| Audit Failed Resource Management Change | High | Failed resource management change in directory audit logs |
| Audit Group Failed Group Management Change | High | Failed group management change in directory audit logs |
| Audit Im Auth Failed Authentication Change | High | Failed authentication method/policy change in directory audit logs |
| Audit Role Failed Roll Management Change | High | Failed role management change in directory audit logs. May indicate unauthorized attempts |
| Audit User Failed User Management Change | High | Failed user management change in directory audit logs |
| Audit User Failed User Modification Attempt | High | Failed user modification attempt in directory audit logs |
| Audit User Successful User Modification | High | Successful user modification in directory audit logs |
| Conditional Access Enforces MFA For High And Medium Risk Users Not Found | High | No CA policy enforces MFA for high and medium risk users |
| Conditional Access Enforces Password For High Risk Users Not Found | High | No CA policy enforces password change for high-risk users |
| Conditional Access Enforces Risk Levels Not Found | High | No CA policy references sign-in or user risk levels. Risk-based CA is missing |
| Conditional Access Policy Included Location Has Unwanted Country | High | A CA policy's included location list contains a country flagged as unwanted |
| Conditional Access Require Block From Untrusted Countries For All Users | High | A CA policy includes an untrusted named location and applies to all users/apps, blocking untrusted countries |
| Conditional Access User Logged In Without Conditional Access Policy | High | User has sign-in activity but no Conditional Access policies were applied to any of their sign-ins. Indicates the user is signing in completely outside CA policy coverage |
| High Risk Detection Data | High | High-risk detection data record from Entra ID Protection |
| Intune Operation Approval Device Delete Missing | High | No Intune operation approval policy is configured for device delete, any admin can delete devices from Intune without a second approval. |
| Intune Operation Approval Device Retire Missing | High | No Intune operation approval policy is configured for device retire, any admin can retire devices without a second approval. |
| Intune Operation Approval No Approvers | High | An Intune operation approval policy has no approver groups configured, the approval gate cannot enforce peer review. |
| Link SCuBA Exo Link Protection | High | SCUBA/CISA baseline check: Exchange Online Safe Links protection configuration Verifies that URL detonation and click-time protection are enabled |
| Log Conditional Access Error Log | High | Conditional Access error in sign-in logs. CA policy evaluation failed during sign-in |
| Log Conditional Access Log Request Audit | High | Conditional Access request audit record from sign-in logs |
| Log User Sign In Log Request Audit | High | Sign-in log request audit record |
| Log User Single Factor Authentication | High | User sign-in completed with single-factor authentication as recorded in sign-in logs |
| Low Risk Detection Data | High | Low-risk detection data record from Entra ID Protection |
| Malware SCuBA Exo Malware Scanning | High | SCUBA/CISA baseline check: Exchange Online malware scanning configuration Verifies that anti-malware policies are properly configured |
| Medium Risk Detection Data | High | Medium-risk detection data record from Entra ID Protection |
| Old At Risk With High Risk | High | User was previously at risk with a high risk level (historical) |
| Phish SCuBA Exo Phishing Protections | High | SCUBA/CISA baseline check: Exchange Online anti-phishing protection configuration Verifies impersonation protection, mailbox intelligence, and spoof settings |
| Purview Audit Log No Records Returned | High | The Microsoft Graph audit log probe returned zero records for the past 24 hours. |
| Purview Audit Log Unavailable | High | The Microsoft Graph audit log query API is not available to this tenant. |
| Risk Detection Anonymized IP Address | High | Sign-in from an anonymized IP address (VPN, Tor, or proxy) |
| Risk Detection Stale | High | Unresolved risk detection has exceeded the configured stale threshold |
| Risk Detection State At Risk | High | Risk detection is in AtRisk state and has not been remediated |
| Risk Detection State Dismissed | High | Risk detection was dismissed without documented remediation |
| Risk Detection Suspicious IP Address | High | Sign-in from a suspicious IP address flagged by threat intelligence |
| Risk Level During Signin | High | Risk level recorded during a user sign-in event |
| Sp Risk Detection | High | Risk detection event associated with this service principal from Entra ID Protection |
| Sp Risk Detection Leaked Credentials | High | Leaked credentials risk detection for a service principal |
| Sp Risk State At Risk | High | Service principal risk state is "at risk", active investigation recommended |
| Sp Risky Service Principal | High | Service principal flagged as risky by Entra ID Protection for workload identities |
| User Low Risk User | High | User flagged as low risk by Entra ID Protection |
| At Risk With Medium Risk | Medium | User currently at risk with a medium risk level assessment |
| Audit Authentication Change | Medium | Successful authentication method/policy change in directory audit logs |
| Audit Authorization Change Authorization Change | Medium | Successful authorization policy change in directory audit logs |
| Audit Im Policy Failed Policy Change | Medium | Failed Conditional Access policy change in directory audit logs |
| Audit PIM Change | Medium | Successful PIM change in directory audit logs |
| Audit PIM Failed PIM Change | Medium | Failed PIM change in directory audit logs. May indicate unauthorized modification attempts |
| Audit Role Management Change | Medium | Successful role management change in directory audit logs |
| Conditional Access Enforces Risk Levels Both Signin And User Risk In Same Policy | Medium | A single CA policy includes both sign-in risk and user risk. Microsoft recommends separating these |
| Conditional Access Group With Policy Exclusions | Medium | Group is excluded from one or more Conditional Access policies. Members of excluded groups bypass those policies entirely |
| Conditional Access High Risk Sign In Not Protected | Medium | High-risk sign-in scenarios not protected by MFA or block policies. Detected via What-If |
| Conditional Access Policy Covers Device Code Flow Not Found | Medium | A CA policy covers device code flow with block or device-compliance grant |
| Conditional Access Policy Device Excluded By Filter | Medium | A CA policy's device filter excludes this device. Tracks which devices are excluded from enforcement |
| Conditional Access Require Block Legacy Other Found | Medium | A Conditional Access policy blocking legacy "Other" client app type is present and active |
| Conditional Access Risky User Not Protected | Medium | High-risk user scenarios lack password change or block. Detected via What-If |
| Conditional Access User Rule Applies In What If Read Only | Medium | A CA policy applies to this user in What-If but is in report-only mode, not enforcing |
| Conditional Access User Rule Does Not Apply In What If | Medium | No Conditional Access policy applies to this user for a given What-If scenario, a coverage gap |
| Conditional Access What If Missing Legacy App Policy | Medium | What-If found no policy blocking legacy authentication for this user |
| Fasthttp Used | Medium | FastHTTP client library detected in sign-in user agent. Commonly used by automated attack tools for credential stuffing and brute-force attacks |
| Log Conditional Access Status | Medium | Conditional Access status observed across sign-in logs |
| Log Cross Tenant Signin | Medium | Sign-in originated from an external tenant (cross-tenant) |
| Log Es Device Login Fails Counts | Medium | Aggregated device login failure counts. Tracks devices with repeated auth failures |
| Log Es Device Non Compliant Device Login Counts | Medium | Count of sign-ins from non-compliant devices |
| Log Failed Login Count | Medium | Aggregated failed login count for a user. High counts may indicate brute-force attacks |
| Log User Sign In Log Error | Medium | Sign-in log error record. Captures specific error codes and failure reasons |
| Old At Risk With Low Risk | Medium | User was previously at risk with a low risk level (historical) |
| Old At Risk With Medium Risk | Medium | User was previously at risk with a medium risk level (historical) |
| Purview Audit Permission Check Skipped | Medium | Purview audit log checks were skipped because the scanning credential lacks the AuditLogsQuery.Read.All permission or required directory role. |
| Risk Detection Data Missing | Medium | Risk detection has a null, None, Hidden, or unknown risk level. May indicate Identity Protection is not licensed or data is incomplete |
| Sp Risk Detection Anomalous Activity | Medium | Anomalous activity risk detection on a service principal (unusual sign-in patterns) |
| Sp Risk Detection Suspicious Sign In | Medium | Suspicious sign-in risk detection on a service principal |
| User Medium Risk User | Medium | User flagged as medium risk by Entra ID Protection |
| Audit Es Device Failed Device Change | Low | Failed device management change in directory audit logs |
| Conditional Access Es Device Sign In Not Time Based Non Compliant Devices | Low | A CA policy has sign-in frequency enabled but not time-based or not targeting non-compliant devices |
| Spam SCuBA Exo Inbound Anti Spam Protections | Low | SCUBA/CISA baseline check: Exchange Online inbound anti-spam protection configuration Verifies spam filter policies and actions are properly configured |
| Teams Usage | Low | User has no Teams activity (calls, meetings, messages) over the reporting period |
| Audit Audit Completed | Info | Audit scan completed for the tenant |
| Audit Audit Started | Info | Audit scan started for the tenant |
| Audit Directory Management Change | Info | Successful directory management change in audit logs |
| Audit Group Management Change | Info | Successful group management change in directory audit logs |
| Audit Resource Management Change | Info | Successful resource management change in directory audit logs |
| Audit User Activity | Info | User activity event in directory audit logs (non-management actions) |
| Audit User Management Change | Info | Successful user management change in directory audit logs |
| Conditional Access Enforces MFA For High And Medium Risk Users | Info | A CA policy enforces MFA for high and medium risk users across all apps |
| Conditional Access Enforces Password For High Risk Users | Info | A CA policy enforces password change for high-risk users across all apps |
| Conditional Access Enforces Risk Levels | Info | A CA policy references sign-in risk or user risk levels. Confirms risk-based policies are active |
| Conditional Access Es Device Not Persistent Browser For Non Compliant Devices | Info | A CA policy disables persistent browser sessions for non-compliant devices |
| Conditional Access Es Device Signin Timebased For Non Compliant Devices | Info | A CA policy enforces time-based sign-in frequency for non-compliant devices |
| Conditional Access Loc Entra Location Data | Info | Entra ID named location data record. Emitted per named location for visibility into CA location definitions |
| Conditional Access Permission Check Skipped | Info | Security checks were skipped because the scanning credential lacks a required directory role to read Conditional Access policies |
| Conditional Access Policy Blocks All But Allowed Countries | Info | A CA policy excludes allowed countries and blocks everything else (geo-fencing allow-list) |
| Conditional Access Policy Change | Info | A Conditional Access policy was modified. Detected from directory audit logs |
| Conditional Access Policy Only Allows Approved Countries | Info | A CA policy includes only approved countries with no disallowed countries |
| Conditional Access User Rule Applies In What If | Info | A Conditional Access policy applies to this user in What-If scenario evaluation. Reports the policy name and enforcement details (MFA, device compliance) |
| Sp Risk State Dismissed | Info | Service principal risk state has been dismissed by an administrator |
| Sp Risk State Remediated | Info | Service principal risk state has been remediated (e.g., credentials rotated) |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.