CIPP Alerts & Audit Logs
CIPP raises alerts based on standards violations, anomaly detection, and configured thresholds. The two tools in this skill let you triage the alert queue and pull underlying audit log evidence.
Tools
cipp_list_alert_queue
cipp_list_alert_queue()
Returns queued alerts across all tenants — alert type, tenant, severity, raised time, and current status. This is your daily triage list.
cipp_list_audit_logs
cipp_list_audit_logs(tenantFilter='contoso.onmicrosoft.com',
startDate?, endDate?,
userId?, operation?)
Tenant-scoped audit log entries from the M365 unified audit log. Filter by date range, user, or operation to narrow investigation scope. Use to investigate suspicious sign-ins, admin role changes, mailbox access, app consent grants, and policy modifications.
Workflow patterns
Daily alert triage
cipp_list_alert_queue— pull the full queue- Group by
tenant+alertTypeto spot patterns (one tenant generating most alerts often signals a broken standard or runaway script) - Triage in severity order: critical → high → medium → low
- For each alert: drill into the related tenant's audit logs with
cipp_list_audit_logsfiltered to the alert window
Correlate alert → audit evidence
alerts = cipp_list_alert_queue()
critical = [a for a in alerts if a['severity'] == 'critical']
for a in critical:
logs = cipp_list_audit_logs(
tenantFilter=a['tenantId'],
startDate=a['raisedAt'] - 30 minutes,
endDate=a['raisedAt'] + 5 minutes,
)
The 30-minute lookback usually captures the precipitating event (sign-in, admin change, app consent) that caused the alert.
Common audit operations to filter on
operation value | What it surfaces |
|---|---|
UserLoggedIn | Sign-in events |
Add member to role | Role escalation |
Consent to application | New app permissions granted |
New-InboxRule | Mailbox rule creation (BEC indicator) |
Set-Mailbox | Mailbox config changes |
Add policy | Conditional access policy created |
Update conditional access policy | CA policy modified |
Investigating a suspected compromise
When cipp_bec_check flags a user, supplement it with audit log queries:
- Pull all
UserLoggedInoperations for the user over the last 7 days — look for unusual countries, IPs, or bursts of failed → success patterns - Pull all
New-InboxRuleandSet-Mailboxoperations — hidden forwarding/auto-delete rules - Pull all
Consent to applicationoperations — illicit consent grants are common BEC vectors
Caveats
- The unified audit log has a lag (typically minutes, sometimes hours) — recent events may not appear immediately.
- Audit retention varies by license: 90 days for E3, 1 year for E5, longer with audit log retention add-ons. Plan investigations around what the tenant's licensing actually allows.
cipp_list_alert_queuereturns active queue items — historic resolved alerts require the CIPP UI.