Accessing Azure Log Connector event data:

1. Log in to the LT Auditor ^MP Web UI
2. Navigate to View in the main navigation menu
3. Select a saved Azure Log Connector view from the list, or create a new one:
   • Click Create View
   • Set the Environment to your Azure Log Connector environment
   • Set the Category to the relevant log category
   • Configure your preferred default date range
   • Click Save
4. The log table populates with events collected from your Azure and Microsoft 365 tenant

Recommended saved views to create:

[Your administrator should create and share these views with the team so everyone has a consistent starting point for Azure monitoring.]

Filtering events:

Filter by log category: Select the view configured for the relevant category, or apply a category filter:

1. Click Advanced Filters
2. Add a condition:
   • Field — Category
   • Operator — Equals
   • Value — the category name (e.g., Sign-In Logs, SharePoint Online Logs)
3. Click Apply Filters

Filter by user:

1. Click Advanced Filters
2. Add a condition:
   • Field — User or UPN
   • Operator — Equals or Contains
   • Value — the user’s UPN (e.g., jsmith@company.com)
3. Click Apply Filters

Filter by sign-in status:

1. Click Advanced Filters
2. Add a condition:
   • Field — Status
   • Operator — Equals
   • Value — Success or Failed
3. Click Apply Filters

Filter by IP address:

1. Click Advanced Filters
2. Add a condition:
   • Field — IP Address
   • Operator — Equals or Contains
   • Value — the IP address to investigate
3. Click Apply Filters

Filter by location:

1. Click Advanced Filters
2. Add a condition:
   • Field — Location or Country
   • Operator — Equals or Contains
   • Value — the country or city to filter by
3. Click Apply Filters

Filter by application:

1. Click Advanced Filters
2. Add a condition:
   • Field — Application
   • Operator — Equals or Contains
   • Value — the application name (e.g., SharePoint, Microsoft Teams, Exchange Online)
3. Click Apply Filters

Filter by operation (Entra ID Audit Logs):

1. Click Advanced Filters
2. Add a condition:
   • Field — Operation
   • Operator — Equals or Contains
   • Value — the operation to filter by (e.g., Add member to role, Create user, Reset password)
3. Click Apply Filters

Viewing full event details:

1. Click on any event row in the log table
2. The detail panel opens and displays:
   • User — the UPN of the user involved
   • Operation — the specific action that occurred
   • Status — success or failure
   • Timestamp — when the event occurred
   • IP Address — the source IP address
   • Location — the geographic location associated with the IP address
   • Application — the Microsoft application involved
   • Category — the log category (Sign-In, Audit, SharePoint, OneDrive, etc.)
   • Risk Level — the risk level assigned by Entra ID Identity Protection (if applicable)
   • Raw Log — the original event record forwarded by Azure Log Connector
3. Click Close to return to the log table

Monitoring SharePoint Online and OneDrive activity:

Azure Log Connector is the only module in LT Auditor ^MP that collects Microsoft 365 collaboration activity. Use the SharePoint and OneDrive views to:

• Track file access, downloads, and sharing activity
• Identify files shared externally or with unauthorized users
• Monitor permission changes on sensitive SharePoint sites or document libraries
• Detect large-scale file downloads that may indicate data exfiltration
• Review OneDrive sync activity across user accounts

SharePoint and OneDrive events are collected with a default delay of 30 minutes to allow Microsoft 365 audit events sufficient time to become available in the Office 365 Management API. Events may not appear in LT Auditor ^MP immediately after they occur.

Monitoring privileged activity:

To view all role assignment and administrative activity in Entra ID:

1. Select the Entra ID Audit Logs view
2. Apply a filter:
   • Field — Operation
   • Operator — Contains
   • Value — role
3. Click Apply Filters
4. Review all events involving role assignments and changes

Exporting event data:

1. Apply your desired filters and date range
2. Click the Export button
3. Choose your format:
   • CSV — for Excel or data analysis tools
   • Excel — native Excel format
   • PDF — for audit submission or management reporting
4. Configure export options as needed
5. Click Download

For large sign-in log exports covering extended date ranges, consider scheduling a report rather than exporting directly from the view.

Best practices:

• Create and save dedicated views for your most common Azure monitoring scenarios so investigators have a consistent starting point
• Review failed sign-in and risky sign-in data regularly as part of your security operations routine
• Use the SharePoint and OneDrive views proactively to identify unusual file sharing or access patterns
• Set a specific date range before searching — open-ended queries across large sign-in log datasets can be slow
• Export and retain event data related to security incidents promptly before retention policies remove older records

[Your administrator should establish a standard daily or weekly Azure monitoring review checklist for the security team, covering failed sign-ins, risky sign-ins, privileged role changes, and SharePoint sharing activity at a minimum.]

Understanding Azure Log Connector alerts in LT Auditor ^MP:

Azure Log Connector alert rules are configured in the Manage module as filter rules with an Alert action applied. When an incoming event matches the filter conditions, LT Auditor ^MP generates an alert and notifies the configured recipients.

Because Azure Log Connector collects events on a polling interval, alerts are near real-time rather than instantaneous — the delay is equal to your configured IntervalSeconds value (default: 5 minutes). Factor this into your incident response planning.

Recommended alert rules:

Critical priority alerts:

High priority alerts:

Medium priority alerts:

Creating an alert rule:

The following steps walk through creating one of the recommended alert rules. Repeat the process for each alert rule you want to configure.

Example: Global Administrator Role Assigned

1. Log in to the LT Auditor ^MP Web UI
2. Navigate to Manage
3. Select the Azure Log Connector environment from the environment list
4. Select the Entra ID Audit Logs category
5. Click Add Filter
6. Configure the filter details:
   • Filter Name — Critical — Global Administrator Role Assigned
   • Description — Alerts immediately when any user is assigned the Global Administrator role
   • Priority — set to a high priority number (e.g., 1 or 2)
   • Active Status — enabled
7. Under the Conditions tab, add the following conditions:
   • Condition 1:
     • Field — Operation
     • Operator — Equals
     • Value — Add member to role
   • Condition 2 (AND):
     • Field — Role
     • Operator — Equals
     • Value — Global Administrator
8. Under the Operations tab, select the relevant Audit Log operations
9. Under the Actions tab:
   • Select Alert
   • Severity — Critical
   • Email Recipients — your security team and relevant administrators
   • Alert Frequency — Immediate
10. Click Test Filter to confirm the rule matches intended events
11. Click Save and confirm the filter is Active

Configuring threshold-based alerts:

For alerts based on event counts within a time window such as failed sign-ins or bulk deletions:

1. Follow the same steps above to create the filter
2. Configure the relevant field condition (e.g., Status = Failed)
3. Under Threshold settings:
   • Count — the number of events required to trigger the alert
   • Time Window — the period within which the count must be reached
4. Configure the Alert action with appropriate severity and recipients
5. Click Save

[Your administrator should determine appropriate threshold values based on normal activity patterns in your environment — thresholds set too low generate excessive noise, while thresholds set too high may miss genuine attacks.]

SharePoint and OneDrive specific alerts:

SharePoint and OneDrive alerts require selecting the relevant Microsoft 365 log category when creating the filter. These alerts are unique to Azure Log Connector and were not available in the previous EntraConnector module.

Recommended SharePoint and OneDrive alert configuration:

[Your administrator should identify the SharePoint sites and OneDrive accounts that contain sensitive or regulated data and prioritize alert configuration for those locations first.]

Managing alert rules:

Reviewing active alerts:

1. Navigate to Alerts → Active Alerts
2. Filter by Source — Azure Log Connector to view relevant alerts
3. Review each open alert and take appropriate action
4. Resolve alerts once investigated and documented

Tuning alert rules over time:

• Review alert rules after the first two weeks of operation to identify rules generating excessive noise
• Tighten conditions on noisy rules rather than disabling them
• Add new alert rules as your understanding of normal activity patterns develops
• Review and update approved countries lists and business hours thresholds as your organization’s operations change

Best practices:

• Start with Critical priority alerts and confirm they are working correctly before adding Medium priority alerts
• Always test new alert rules using Test Filter before activating them in production
• Set Immediate delivery for Critical alerts so your security team is notified without delay
• Use threshold-based alerts for high-volume event types like failed sign-ins to avoid alert fatigue
• Pay particular attention to SharePoint and OneDrive alerts — external file sharing and large downloads are high-value indicators that were not previously available in LT Auditor ^MP
• Review and tune alert rules regularly as activity patterns in your Microsoft 365 environment evolve
• Document all active alert rules and their intended purpose so the configuration is auditable

[Your administrator should review the full set of Azure Log Connector alert rules at least quarterly and after any significant changes to your Azure or Microsoft 365 configuration.]