LOG-06: Sign-In Log Anomaly Baseline

Frequently asked questions about implementing and managing the LOG-06 security control in Microsoft 365 and Entra ID.

Q
What is LOG-06 (Sign-In Log Anomaly Baseline)?
A

LOG-06 is a security control that without a baseline of normal activity, you cannot detect anomalous behavior. establishing what "normal" looks like enables detection of unauthorized role assignments, policy changes, and consent grants. It requires that baseline of normal privileged operations is established and unusual spikes in role changes or ca modifications are detected, siem integration provides continuous anomaly monitoring.

Related controls:LOG-06
Q
Why is Sign-In Log Anomaly Baseline important for Microsoft 365 security?
A

Without a baseline of normal activity, you cannot detect anomalous behavior. Establishing what "normal" looks like enables detection of unauthorized role assignments, policy changes, and consent grants.

Related controls:LOG-06
Q
How do I implement LOG-06 in my tenant?
A

LOG-06 requires manual implementation. Advisory analysis based on audit log patterns. SIEM integration recommended.

Related controls:LOG-06
Q
What license do I need for LOG-06?
A

This control can be implemented with any Microsoft 365 subscription, including free Azure AD.

Related controls:LOG-06
Q
Which security baseline includes LOG-06?
A

LOG-06 is included in the Enhanced Security baseline (Level 2). This level adds stricter controls for security-conscious organizations.

Related controls:LOG-06

5

Questions

1

Related Controls

Categorized

Related Resources

LOG-06 Control Reference

Detailed documentation and implementation guidance

Logging & Visibility Controls

All controls in the Logging & Visibility category

Security Glossary

Definitions of security and Microsoft 365 terms

Still have questions?

Our security experts are here to help. Start a free trial and get personalized guidance for your Microsoft 365 environment.

Start Free Trial
All FAQsBrowse Controls →