Controls / MCSB / LT-3

MCSB LT-3: Logging and Threat Detection

116 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control LT-3 (Logging and Threat Detection). Each is checked against your tenant, ranked by Severity, with validated remediation.

116 checksLogging and Threat DetectionTop Severity: Critical

What MCSB LT-3 covers

The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. LT-3 sits in the Logging and Threat Detection domain. Senserva evidences it with the 116 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 116 checks that evidence MCSB LT-3

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
At Risk With High RiskCriticalUser currently at risk with a high risk level assessment. Immediate investigation recommended
Intune Operation Approval Device Wipe MissingCriticalNo Intune operation approval policy is configured for device wipe, any admin can wipe devices without a second approval.
Intune Operation Approval Tenant Configuration MissingCriticalNo Intune operation approval policy is configured for tenant configuration changes, any admin can make tenant-wide Intune changes without a second approval.
Log Blocked Signin Bad IP Or Too Many Invalid AttemptsCriticalSign-in blocked due to bad IP reputation or too many invalid attempts. May indicate brute-force or credential stuffing attack
Log Flagged For ReviewCriticalMicrosoft flagged this sign-in for review as potentially suspicious
Risk Detection Anomalous TokenCriticalAnomalous token usage detected Token properties or usage patterns do not match expected behavior.
Risk Detection Leaked CredentialsCriticalLeaked credentials detected. Credentials for this user were found exposed publicly
Risk Detection Malicious IP AddressCriticalSign-in from a known malicious IP address.
Risk Detection OfflineCriticalRisk detection was discovered offline (retroactively). The compromise predates the detection
Risk Detection State Confirmed CompromisedCriticalRisk detection is confirmed compromised. Immediate action required
Risk Detection Token Issuer AnomalyCriticalToken issuer anomaly detected The token was issued by an unexpected or suspicious authority.
Sp Risk Detection Malicious ApplicationCriticalService principal flagged as a malicious application by Entra ID Protection
Sp Risk State Confirmed CompromisedCriticalService principal risk state is "confirmed compromised", immediate action required
User High Risk UserCriticalUser flagged as high risk by Entra ID Protection. Immediate investigation required
At Risk SigninHighSign-in was flagged as at-risk by Entra ID Protection
At Risk With Low RiskHighUser currently at risk with a low risk level assessment
Audit CA ChangeHighSuccessful Conditional Access change in directory audit logs
Audit CA Failed Conditional Access ChangeHighFailed Conditional Access change in directory audit logs
Audit Failed Authorization ChangeHighFailed authorization policy change in directory audit logs
Audit Failed Directory Management ChangeHighFailed directory management change in audit logs
Audit Failed Other ChangeHighFailed change in uncategorized category in directory audit logs
Audit Failed Resource Management ChangeHighFailed resource management change in directory audit logs
Audit Group Failed Group Management ChangeHighFailed group management change in directory audit logs
Audit Im Auth Failed Authentication ChangeHighFailed authentication method/policy change in directory audit logs
Audit Role Failed Roll Management ChangeHighFailed role management change in directory audit logs. May indicate unauthorized attempts
Audit User Failed User Management ChangeHighFailed user management change in directory audit logs
Audit User Failed User Modification AttemptHighFailed user modification attempt in directory audit logs
Audit User Successful User ModificationHighSuccessful user modification in directory audit logs
Conditional Access Enforces MFA For High And Medium Risk Users Not FoundHighNo CA policy enforces MFA for high and medium risk users
Conditional Access Enforces Password For High Risk Users Not FoundHighNo CA policy enforces password change for high-risk users
Conditional Access Enforces Risk Levels Not FoundHighNo CA policy references sign-in or user risk levels. Risk-based CA is missing
Conditional Access Policy Included Location Has Unwanted CountryHighA CA policy's included location list contains a country flagged as unwanted
Conditional Access Require Block From Untrusted Countries For All UsersHighA CA policy includes an untrusted named location and applies to all users/apps, blocking untrusted countries
Conditional Access User Logged In Without Conditional Access PolicyHighUser has sign-in activity but no Conditional Access policies were applied to any of their sign-ins. Indicates the user is signing in completely outside CA policy coverage
High Risk Detection DataHighHigh-risk detection data record from Entra ID Protection
Intune Operation Approval Device Delete MissingHighNo Intune operation approval policy is configured for device delete, any admin can delete devices from Intune without a second approval.
Intune Operation Approval Device Retire MissingHighNo Intune operation approval policy is configured for device retire, any admin can retire devices without a second approval.
Intune Operation Approval No ApproversHighAn Intune operation approval policy has no approver groups configured, the approval gate cannot enforce peer review.
Link SCuBA Exo Link ProtectionHighSCUBA/CISA baseline check: Exchange Online Safe Links protection configuration Verifies that URL detonation and click-time protection are enabled
Log Conditional Access Error LogHighConditional Access error in sign-in logs. CA policy evaluation failed during sign-in
Log Conditional Access Log Request AuditHighConditional Access request audit record from sign-in logs
Log User Sign In Log Request AuditHighSign-in log request audit record
Log User Single Factor AuthenticationHighUser sign-in completed with single-factor authentication as recorded in sign-in logs
Low Risk Detection DataHighLow-risk detection data record from Entra ID Protection
Malware SCuBA Exo Malware ScanningHighSCUBA/CISA baseline check: Exchange Online malware scanning configuration Verifies that anti-malware policies are properly configured
Medium Risk Detection DataHighMedium-risk detection data record from Entra ID Protection
Old At Risk With High RiskHighUser was previously at risk with a high risk level (historical)
Phish SCuBA Exo Phishing ProtectionsHighSCUBA/CISA baseline check: Exchange Online anti-phishing protection configuration Verifies impersonation protection, mailbox intelligence, and spoof settings
Purview Audit Log No Records ReturnedHighThe Microsoft Graph audit log probe returned zero records for the past 24 hours.
Purview Audit Log UnavailableHighThe Microsoft Graph audit log query API is not available to this tenant.
Risk Detection Anonymized IP AddressHighSign-in from an anonymized IP address (VPN, Tor, or proxy)
Risk Detection StaleHighUnresolved risk detection has exceeded the configured stale threshold
Risk Detection State At RiskHighRisk detection is in AtRisk state and has not been remediated
Risk Detection State DismissedHighRisk detection was dismissed without documented remediation
Risk Detection Suspicious IP AddressHighSign-in from a suspicious IP address flagged by threat intelligence
Risk Level During SigninHighRisk level recorded during a user sign-in event
Sp Risk DetectionHighRisk detection event associated with this service principal from Entra ID Protection
Sp Risk Detection Leaked CredentialsHighLeaked credentials risk detection for a service principal
Sp Risk State At RiskHighService principal risk state is "at risk", active investigation recommended
Sp Risky Service PrincipalHighService principal flagged as risky by Entra ID Protection for workload identities
User Low Risk UserHighUser flagged as low risk by Entra ID Protection
At Risk With Medium RiskMediumUser currently at risk with a medium risk level assessment
Audit Authentication ChangeMediumSuccessful authentication method/policy change in directory audit logs
Audit Authorization Change Authorization ChangeMediumSuccessful authorization policy change in directory audit logs
Audit Im Policy Failed Policy ChangeMediumFailed Conditional Access policy change in directory audit logs
Audit PIM ChangeMediumSuccessful PIM change in directory audit logs
Audit PIM Failed PIM ChangeMediumFailed PIM change in directory audit logs. May indicate unauthorized modification attempts
Audit Role Management ChangeMediumSuccessful role management change in directory audit logs
Conditional Access Enforces Risk Levels Both Signin And User Risk In Same PolicyMediumA single CA policy includes both sign-in risk and user risk. Microsoft recommends separating these
Conditional Access Group With Policy ExclusionsMediumGroup is excluded from one or more Conditional Access policies. Members of excluded groups bypass those policies entirely
Conditional Access High Risk Sign In Not ProtectedMediumHigh-risk sign-in scenarios not protected by MFA or block policies. Detected via What-If
Conditional Access Policy Covers Device Code Flow Not FoundMediumA CA policy covers device code flow with block or device-compliance grant
Conditional Access Policy Device Excluded By FilterMediumA CA policy's device filter excludes this device. Tracks which devices are excluded from enforcement
Conditional Access Require Block Legacy Other FoundMediumA Conditional Access policy blocking legacy "Other" client app type is present and active
Conditional Access Risky User Not ProtectedMediumHigh-risk user scenarios lack password change or block. Detected via What-If
Conditional Access User Rule Applies In What If Read OnlyMediumA CA policy applies to this user in What-If but is in report-only mode, not enforcing
Conditional Access User Rule Does Not Apply In What IfMediumNo Conditional Access policy applies to this user for a given What-If scenario, a coverage gap
Conditional Access What If Missing Legacy App PolicyMediumWhat-If found no policy blocking legacy authentication for this user
Fasthttp UsedMediumFastHTTP client library detected in sign-in user agent. Commonly used by automated attack tools for credential stuffing and brute-force attacks
Log Conditional Access StatusMediumConditional Access status observed across sign-in logs
Log Cross Tenant SigninMediumSign-in originated from an external tenant (cross-tenant)
Log Es Device Login Fails CountsMediumAggregated device login failure counts. Tracks devices with repeated auth failures
Log Es Device Non Compliant Device Login CountsMediumCount of sign-ins from non-compliant devices
Log Failed Login CountMediumAggregated failed login count for a user. High counts may indicate brute-force attacks
Log User Sign In Log ErrorMediumSign-in log error record. Captures specific error codes and failure reasons
Old At Risk With Low RiskMediumUser was previously at risk with a low risk level (historical)
Old At Risk With Medium RiskMediumUser was previously at risk with a medium risk level (historical)
Purview Audit Permission Check SkippedMediumPurview audit log checks were skipped because the scanning credential lacks the AuditLogsQuery.Read.All permission or required directory role.
Risk Detection Data MissingMediumRisk detection has a null, None, Hidden, or unknown risk level. May indicate Identity Protection is not licensed or data is incomplete
Sp Risk Detection Anomalous ActivityMediumAnomalous activity risk detection on a service principal (unusual sign-in patterns)
Sp Risk Detection Suspicious Sign InMediumSuspicious sign-in risk detection on a service principal
User Medium Risk UserMediumUser flagged as medium risk by Entra ID Protection
Audit Es Device Failed Device ChangeLowFailed device management change in directory audit logs
Conditional Access Es Device Sign In Not Time Based Non Compliant DevicesLowA CA policy has sign-in frequency enabled but not time-based or not targeting non-compliant devices
Spam SCuBA Exo Inbound Anti Spam ProtectionsLowSCUBA/CISA baseline check: Exchange Online inbound anti-spam protection configuration Verifies spam filter policies and actions are properly configured
Teams UsageLowUser has no Teams activity (calls, meetings, messages) over the reporting period
Audit Audit CompletedInfoAudit scan completed for the tenant
Audit Audit StartedInfoAudit scan started for the tenant
Audit Directory Management ChangeInfoSuccessful directory management change in audit logs
Audit Group Management ChangeInfoSuccessful group management change in directory audit logs
Audit Resource Management ChangeInfoSuccessful resource management change in directory audit logs
Audit User ActivityInfoUser activity event in directory audit logs (non-management actions)
Audit User Management ChangeInfoSuccessful user management change in directory audit logs
Conditional Access Enforces MFA For High And Medium Risk UsersInfoA CA policy enforces MFA for high and medium risk users across all apps
Conditional Access Enforces Password For High Risk UsersInfoA CA policy enforces password change for high-risk users across all apps
Conditional Access Enforces Risk LevelsInfoA CA policy references sign-in risk or user risk levels. Confirms risk-based policies are active
Conditional Access Es Device Not Persistent Browser For Non Compliant DevicesInfoA CA policy disables persistent browser sessions for non-compliant devices
Conditional Access Es Device Signin Timebased For Non Compliant DevicesInfoA CA policy enforces time-based sign-in frequency for non-compliant devices
Conditional Access Loc Entra Location DataInfoEntra ID named location data record. Emitted per named location for visibility into CA location definitions
Conditional Access Permission Check SkippedInfoSecurity checks were skipped because the scanning credential lacks a required directory role to read Conditional Access policies
Conditional Access Policy Blocks All But Allowed CountriesInfoA CA policy excludes allowed countries and blocks everything else (geo-fencing allow-list)
Conditional Access Policy ChangeInfoA Conditional Access policy was modified. Detected from directory audit logs
Conditional Access Policy Only Allows Approved CountriesInfoA CA policy includes only approved countries with no disallowed countries
Conditional Access User Rule Applies In What IfInfoA Conditional Access policy applies to this user in What-If scenario evaluation. Reports the policy name and enforcement details (MFA, device compliance)
Sp Risk State DismissedInfoService principal risk state has been dismissed by an administrator
Sp Risk State RemediatedInfoService principal risk state has been remediated (e.g., credentials rotated)

Also evidences

The same checks provide evidence for these frameworks, so one fix counts across your obligations:

Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence MCSB LT-3 (Logging and Threat Detection) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
MCSB LT-3 (Logging and Threat Detection) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.