Alerts Configuration
Audit Log Alerts
Audit Log Alerts are alerts that are pushed into CIPP by external resources, such as the Microsoft Audit log, or Microsoft Graph Subscriptions. CIPP receives these alerts and processes them by adding information or executing remediation tasks.
Audit Log Alerts have the following actions that can be performed when an alert rule matches:
Execute a BEC Remediate
Disable the user in the log entry
Generate an email
Generate a PSA ticket
Generate a webhook
Audit Log Alerts cannot be shipped to Slack, Discord, or Teams via CIPP, as these products do not support receiving raw JSON information webhooks.
Alert Criteria
CIPP allows you to create rules based on the alerts received from these audit logs. You can either select one of our preset alert types or add a custom alert. Our custom alert engine uses the same logic as our complex filters, with one difference: filters cannot be chained, so each filter must be added individually as its own rule.
Example 1
To alert on all audit logs where the PathName contains "RSS"
Example 2
To alert on a specific operation
You can find all possible keys in the Microsoft documentation. However, as that documentation can get quite complex, we recommend first setting up an alert on "Any" log that goes to a webhook or email, so you can see the raw fields of real log entries and pick the ones you want to filter on without reading all of the Microsoft documentation.
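As an added illustration (not CIPP's own code), the PowerShell below shows how rules like the two examples above are evaluated one at a time against a single audit log entry, and how an "Any" rule matches everything so you can discover field names. The function name is hypothetical, and the sample entry's fields and values are constructed.

```powershell
# Added example, not part of CIPP: evaluate individual (non-chained) alert rules
# against one audit log entry. Test-AuditLogRule is a hypothetical helper.
function Test-AuditLogRule {
    param(
        [Parameter(Mandatory)] [hashtable]$LogEntry,
        [Parameter(Mandatory)] [pscustomobject]$Rule
    )
    # A rule on "Any" matches every entry; useful for discovering field names.
    if ($Rule.Property -eq 'Any') { return $true }
    # Missing fields never match, so a rule on an absent key is simply silent.
    if (-not $LogEntry.ContainsKey($Rule.Property)) { return $false }
    $actual = [string]$LogEntry[$Rule.Property]
    switch ($Rule.Operator) {
        'eq'       { return $actual -eq $Rule.Value }          # case-insensitive equality
        'contains' { return $actual.IndexOf([string]$Rule.Value,
                         [System.StringComparison]::OrdinalIgnoreCase) -ge 0 }
        default    { throw "Unsupported operator '$($Rule.Operator)'" }
    }
}

# Constructed sample entry in the general shape of an audit log record (values are made up).
$entry = @{
    Operation = 'FileDownloaded'
    UserId    = 'alice@contoso.example'
    PathName  = '/sites/Finance/RSS-feeds/report.csv'
    ClientIP  = '203.0.113.10'
}

# Each rule is evaluated on its own; there is no AND/OR chaining between them.
$rules = @(
    [pscustomobject]@{ Name = 'RSS path';        Property = 'PathName';  Operator = 'contains'; Value = 'RSS' }
    [pscustomobject]@{ Name = 'File download';   Property = 'Operation'; Operator = 'eq';       Value = 'FileDownloaded' }
    [pscustomobject]@{ Name = 'Mailbox deleted'; Property = 'Operation'; Operator = 'eq';       Value = 'MailboxDeleted' }
    [pscustomobject]@{ Name = 'Any (discovery)'; Property = 'Any';       Operator = 'eq';       Value = '' }
)

foreach ($rule in $rules) {
    $hit = Test-AuditLogRule -LogEntry $entry -Rule $rule
    '{0,-16} {1}' -f $rule.Name, $(if ($hit) { 'ALERT' } else { 'no match' })
}
```

For the constructed entry, the first, second and fourth rules report ALERT and the third reports no match, which is the behaviour to expect when several rules are configured independently.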
Feature Requests / Ideas
Please raise any feature requests on GitHub.