LOG-05: Admin Activity Anomaly Detection

Frequently asked questions about implementing and managing the LOG-05 security control in Microsoft 365 and Entra ID.

Q
What is LOG-05 (Admin Activity Anomaly Detection)?
A

LOG-05 is a security control built on the observation that compromised admin accounts often exhibit unusual patterns: signing in from new locations, performing bulk operations, or working at unusual hours. Detecting these anomalies enables early response to account compromise. The control requires that unusual admin behaviors trigger alerts: new sign-in locations for admins are flagged, bulk operations by admins are monitored, and off-hours admin activity is tracked.

Related controls: LOG-05
Q
Why is Admin Activity Anomaly Detection important for Microsoft 365 security?
A

Compromised admin accounts often exhibit unusual patterns: signing in from new locations, performing bulk operations, or working at unusual hours. Detecting these anomalies enables early response to account compromise.

Related controls: LOG-05
Q
How do I implement LOG-05 in my tenant?
A

LOG-05 requires manual implementation: it needs Identity Protection, or a SIEM with correlation rules that cover admin sign-ins and admin directory operations.

Related controls: LOG-05
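The three behaviors LOG-05 asks you to alert on (new sign-in location, bulk operations, off-hours activity) are the kind of correlation rules a SIEM would run over Entra ID sign-in and audit logs. The following is an added example, not code from this page or from Microsoft: a small Python detector run over constructed sample events. The event shapes, the admin roster, the known-location baseline, the business-hours window (08:00 to 18:00, weekdays) and the bulk threshold (5 operations within 10 minutes) are all assumptions chosen for illustration; tune them to your tenant.

```python
"""Toy LOG-05 detector: flags new sign-in locations, off-hours sign-ins and
bulk directory operations by admin accounts. Added example with constructed
data; not the page's or Microsoft's code."""
from collections import defaultdict
from datetime import datetime

# Assumed admin roster (constructed; in practice derive this from role assignments).
ADMIN_USERS = {"admin@contoso.example"}

# Assumed baseline of locations each admin has previously signed in from.
KNOWN_LOCATIONS = {"admin@contoso.example": {"GB"}}

# Constructed sign-in events, timestamps in assumed tenant-local time.
# 2024-03-04 is a Monday.
SIGNIN_EVENTS = [
    {"user": "admin@contoso.example", "time": "2024-03-04T09:12:00", "location": "GB", "ip": "203.0.113.10"},
    {"user": "admin@contoso.example", "time": "2024-03-04T22:45:00", "location": "BR", "ip": "198.51.100.7"},
    {"user": "user@contoso.example",  "time": "2024-03-04T23:00:00", "location": "US", "ip": "192.0.2.44"},
    {"user": "admin@contoso.example", "time": "2024-03-05T10:00:00", "location": "GB", "ip": "203.0.113.10"},
]

# Constructed audit events: one routine update, then a burst of deletions.
AUDIT_EVENTS = [{"actor": "admin@contoso.example", "time": "2024-03-04T09:30:00", "operation": "Update user"}] + [
    {"actor": "admin@contoso.example", "time": f"2024-03-04T22:{46 + i}:00", "operation": "Delete user"}
    for i in range(7)
]


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the sample events."""
    return datetime.fromisoformat(value)


def detect_new_locations(signins, admins, baseline):
    """Alert once per admin per location not present in the baseline."""
    seen = {user: set(locs) for user, locs in baseline.items()}  # copy, do not mutate the baseline
    alerts = []
    for event in sorted(signins, key=lambda e: e["time"]):
        user = event["user"]
        if user not in admins:
            continue
        known = seen.setdefault(user, set())
        if event["location"] not in known:
            alerts.append({"rule": "new_location", "user": user, "location": event["location"], "time": event["time"]})
            known.add(event["location"])  # subsequent sign-ins from this location are no longer "new"
    return alerts


def detect_off_hours(signins, admins, start_hour=8, end_hour=18):
    """Alert on admin sign-ins outside the assumed business window or on weekends."""
    alerts = []
    for event in signins:
        if event["user"] not in admins:
            continue
        ts = parse_ts(event["time"])
        if ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour):
            alerts.append({"rule": "off_hours", "user": event["user"], "time": event["time"]})
    return alerts


def detect_bulk_operations(audits, admins, threshold=5, window_minutes=10):
    """Alert when an admin performs >= threshold operations inside a sliding window."""
    by_actor = defaultdict(list)
    for event in audits:
        if event["actor"] in admins:
            by_actor[event["actor"]].append(event)
    alerts = []
    for actor, events in by_actor.items():
        events.sort(key=lambda e: e["time"])
        i = 0
        while i < len(events):
            start = parse_ts(events[i]["time"])
            j = i
            while j < len(events) and (parse_ts(events[j]["time"]) - start).total_seconds() <= window_minutes * 60:
                j += 1
            count = j - i
            if count >= threshold:
                alerts.append({"rule": "bulk_operations", "user": actor, "count": count,
                               "first": events[i]["time"], "last": events[j - 1]["time"]})
                i = j  # skip past this burst so it is reported once
            else:
                i += 1
    return alerts


def run_detections(signins=SIGNIN_EVENTS, audits=AUDIT_EVENTS, admins=ADMIN_USERS, baseline=KNOWN_LOCATIONS):
    """Run all three LOG-05 rules and return the alert count per rule."""
    return {
        "new_location": len(detect_new_locations(signins, admins, baseline)),
        "off_hours": len(detect_off_hours(signins, admins)),
        "bulk_operations": len(detect_bulk_operations(audits, admins)),
    }


if __name__ == "__main__":
    for rule, count in run_detections().items():
        print(f"{rule}: {count} alert(s)")
```

On the constructed data the admin's 22:45 sign-in from "BR" fires both the new-location and off-hours rules, and the seven deletions within six minutes fire the bulk rule once; the non-admin's late sign-in is ignored because the control scopes to admin accounts. In a real SIEM the same logic becomes a scheduled query over the sign-in and audit tables, with the baseline learned from a trailing window rather than hard-coded.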
Q
What license do I need for LOG-05?
A

This control requires Azure AD Premium P2 (included in Microsoft 365 E5) or standalone P2.

Related controls: LOG-05
Q
Which security baseline includes LOG-05?
A

LOG-05 is included in the Enhanced Security baseline (Level 2). This level adds stricter controls for security-conscious organizations.

Related controls: LOG-05