Configuring alert rules for Azure Log Connector events ensures your team is notified immediately when security-relevant activity occurs across your Azure and Microsoft 365 environment. This article covers the most important alert rules to configure and how to set them up in LT Auditor MP.
Understanding Azure Log Connector alerts in LT Auditor MP:
Azure Log Connector alert rules are configured in the Manage module as filter rules with an Alert action applied. When an incoming event matches the filter conditions, LT Auditor MP generates an alert and notifies the configured recipients.
Because Azure Log Connector collects events on a polling interval, alerts are near real-time rather than instantaneous; the delay is equal to your configured IntervalSeconds value (default: 5 minutes). Factor this into your incident response planning.
Recommended alert rules:
Critical priority alerts:
| Alert Name | Condition | Rationale |
| --- | --- | --- |
| Global Administrator Role Assigned | Operation = Add member to role AND Role = Global Administrator | Highest privilege role in Entra ID; any assignment requires immediate review |
| Privileged Role Assigned | Operation = Add member to role AND Role IN [privileged roles list] | Any privileged role assignment outside an approved change window is high priority |
| Conditional Access Policy Deleted | Operation = Delete conditional access policy | Deletion may significantly weaken your security posture |
| Conditional Access Policy Disabled | Operation = Update conditional access policy AND Status = Disabled | Disabling a policy may open unauthorized access paths |
| Risky Sign-In - High Risk | Risk Level = High | Highest severity identity threat detections from Entra ID Identity Protection |
| MFA Disabled for User | Operation = Update user AND MFA = Disabled | Removes a critical security control |
High priority alerts:
| Alert Name | Condition | Rationale |
| --- | --- | --- |
| New Guest Account Created | Operation = Invite external user | External users may introduce data exposure risk |
| Bulk User Account Deletion | Operation = Delete user AND Count > [threshold] in [time window] | Mass deletions may indicate a destructive attack |
| Failed Sign-In Threshold Exceeded | Status = Failed AND Count > [threshold] in [time window] | High failure counts may indicate brute force or credential stuffing |
| Password Reset for Privileged Account | Operation = Reset password AND User IN [privileged accounts list] | Privileged account password resets require immediate verification |
| Service Principal Created | Operation = Add service principal | New service principals may introduce unauthorized application access |
| Large File Download - OneDrive | Operation = FileDownloaded AND Volume > [threshold] | High-volume downloads may indicate data exfiltration |
| External File Sharing - SharePoint | Operation = SharingInvitationCreated AND RecipientType = External | Files shared externally may represent unauthorized data disclosure |
Medium priority alerts:
| Alert Name | Condition | Rationale |
| --- | --- | --- |
| Sign-In from Unfamiliar Location | Location NOT IN [approved countries list] | Sign-ins from unexpected locations may indicate unauthorized access |
| Sign-In Outside Business Hours | Status = Success AND Timestamp outside business hours | Successful sign-ins outside normal hours warrant review |
| Risky Sign-In - Medium Risk | Risk Level = Medium | Should be reviewed and correlated with other activity |
| Application Permission Granted | Operation = Add app role assignment to service principal | New application permissions may introduce data access risk |
| Conditional Access Policy Modified | Operation = Update conditional access policy | Policy modifications should be confirmed as authorized |
| SharePoint Permission Change | Operation = PermissionLevelModified | Permission changes on SharePoint sites may expand unauthorized access |
Creating an alert rule:
The following steps walk through creating one of the recommended alert rules. Repeat the process for each alert rule you want to configure.
Example: Global Administrator Role Assigned
- Log in to the LT Auditor MP Web UI
- Navigate to Manage
- Select the Azure Log Connector environment from the environment list
- Select the Entra ID Audit Logs category
- Click Add Filter
- Configure the filter details:
  - Filter Name: Critical - Global Administrator Role Assigned
  - Description: Alerts immediately when any user is assigned the Global Administrator role
  - Priority: set to a high priority number (e.g., 1 or 2)
  - Active Status: enabled
- Under the Conditions tab, add the following conditions:
  - Condition 1:
    - Field: Operation
    - Operator: Equals
    - Value: Add member to role
  - Condition 2 (AND):
    - Field: Role
    - Operator: Equals
    - Value: Global Administrator
- Under the Operations tab, select the relevant Audit Log operations
- Under the Actions tab:
  - Select Alert
  - Severity: Critical
  - Email Recipients: your security team and relevant administrators
  - Alert Frequency: Immediate
- Click Test Filter to confirm the rule matches intended events
- Click Save and confirm the filter is Active
Configuring threshold-based alerts:
For alerts based on event counts within a time window, such as failed sign-ins or bulk deletions:
- Follow the same steps above to create the filter
- Configure the relevant field condition (e.g., Status = Failed)
- Under Threshold settings:
  - Count: the number of events required to trigger the alert
  - Time Window: the period within which the count must be reached
- Configure the Alert action with appropriate severity and recipients
- Click Save
[Your administrator should determine appropriate threshold values based on normal activity patterns in your environment; thresholds set too low generate excessive noise, while thresholds set too high may miss genuine attacks.]
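To make the filter semantics concrete, the following added example (written for this article, not code from LT Auditor MP) evaluates a field-match rule with AND conditions, like the Global Administrator rule above, and a "Count > threshold in time window" rule, like Failed Sign-In Threshold Exceeded, over constructed sample events. The field names, the per-user grouping and the threshold of 5 failures in 10 minutes are assumptions chosen for the illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (not real Entra ID records) using the field names
# the article's conditions reference: Operation, Role, Status, User.
def _ev(t, **fields):
    return {"time": f"2024-05-01T{t}", **fields}

SAMPLE_EVENTS = (
    [_ev("09:00:00", Operation="Add member to role", Role="Global Administrator", User="alice")]
    + [_ev(f"09:0{i}:00", Operation="Sign-in", Status="Failed", User="bob") for i in range(1, 7)]
    + [_ev(f"09:1{i}:00", Operation="Sign-in", Status="Failed", User="carol") for i in range(3)]
    + [_ev("09:30:00", Operation="Sign-in", Status="Failed", User="bob"),
       _ev("09:31:00", Operation="Sign-in", Status="Success", User="bob")]
)

SIMPLE_RULES = [  # mirrors the article's "Global Administrator Role Assigned" rule
    {"name": "Critical - Global Administrator Role Assigned",
     "conditions": {"Operation": "Add member to role", "Role": "Global Administrator"}},
]
THRESHOLD_RULES = [  # assumed values for "Failed Sign-In Threshold Exceeded": Count > 5 in 10 minutes
    {"name": "High - Failed Sign-In Threshold Exceeded", "conditions": {"Status": "Failed"},
     "group_by": "User", "count": 5, "window": timedelta(minutes=10)},
]

def matches(event, conditions):
    """All conditions must hold (AND); an event lacking a field never matches it."""
    return all(event.get(field) == value for field, value in conditions.items())

def evaluate(events, simple_rules=SIMPLE_RULES, threshold_rules=THRESHOLD_RULES):
    """Return (rule name, user) tuples for every alert the rules would raise."""
    alerts = []
    windows = {}  # (rule name, group value) -> timestamps of matching events still in the window
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        for rule in simple_rules:
            if matches(ev, rule["conditions"]):
                alerts.append((rule["name"], ev.get("User")))
        for rule in threshold_rules:
            if not matches(ev, rule["conditions"]):
                continue
            key = (rule["name"], ev.get(rule["group_by"]))
            window = windows.setdefault(key, deque())
            window.append(ts)
            while ts - window[0] > rule["window"]:  # drop events that have aged out of the window
                window.popleft()
            if len(window) > rule["count"]:  # "Count > threshold in time window"
                alerts.append((rule["name"], key[1]))
                window.clear()  # alert once per burst; a new burst must exceed the threshold again
    return alerts

if __name__ == "__main__":
    for name, user in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {user}")
```

Carol's three failures stay below the threshold and bob's lone failure at 09:30 falls outside the earlier window, so only two alerts are raised.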
SharePoint and OneDrive specific alerts:
SharePoint and OneDrive alerts require selecting the relevant Microsoft 365 log category when creating the filter. These alerts are unique to Azure Log Connector and were not available in the previous EntraConnector module.
Recommended SharePoint and OneDrive alert configuration:
| Alert | Category | Key Condition |
| --- | --- | --- |
| External file sharing | SharePoint Online Logs | Operation = SharingInvitationCreated AND RecipientType = External |
| Large file download | OneDrive Logs | Operation = FileDownloaded AND Volume > threshold |
| SharePoint permission change | SharePoint Online Logs | Operation = PermissionLevelModified |
| Site collection admin added | SharePoint Online Logs | Operation = SiteCollectionAdminAdded |
| Sensitive file accessed | SharePoint Online Logs | Operation = FileAccessed AND Path CONTAINS [sensitive path] |
[Your administrator should identify the SharePoint sites and OneDrive accounts that contain sensitive or regulated data and prioritize alert configuration for those locations first.]
Managing alert rules:
Reviewing active alerts:
- Navigate to Alerts > Active Alerts
- Filter by Source = Azure Log Connector to view relevant alerts
- Review each open alert and take appropriate action
- Resolve alerts once investigated and documented
Tuning alert rules over time:
- Review alert rules after the first two weeks of operation to identify rules generating excessive noise
- Tighten conditions on noisy rules rather than disabling them
- Add new alert rules as your understanding of normal activity patterns develops
- Review and update approved countries lists and business hours thresholds as your organization’s operations change
Best practices:
- Start with Critical priority alerts and confirm they are working correctly before adding Medium priority alerts
- Always test new alert rules using Test Filter before activating them in production
- Set Immediate delivery for Critical alerts so your security team is notified without delay
- Use threshold-based alerts for high-volume event types like failed sign-ins to avoid alert fatigue
- Pay particular attention to SharePoint and OneDrive alerts: external file sharing and large downloads are high-value indicators that were not previously available in LT Auditor MP
- Review and tune alert rules regularly as activity patterns in your Microsoft 365 environment evolve
- Document all active alert rules and their intended purpose so the configuration is auditable
[Your administrator should review the full set of Azure Log Connector alert rules at least quarterly and after any significant changes to your Azure or Microsoft 365 configuration.]