From microsoft-365
Use this skill when working with CIPP alerts and audit logs - reviewing the queued alert backlog across tenants, investigating sign-in or admin activity in audit logs, correlating alerts with tenants. Read-only triage surface for the CIPP alerting subsystem.
How this skill is triggered — by the user, by Claude, or both
Slash command
/microsoft-365:cipp-alertsWhen to use
When triaging the CIPP alert queue or pulling tenant audit logs for investigation
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
CIPP raises alerts based on standards violations, anomaly detection, and configured thresholds. The two tools in this skill let you triage the alert queue and pull underlying audit log evidence.
CIPP raises alerts based on standards violations, anomaly detection, and configured thresholds. The two tools in this skill let you triage the alert queue and pull underlying audit log evidence.
cipp_list_alert_queuecipp_list_alert_queue()
Returns queued alerts across all tenants - alert type, tenant, severity, raised time, and current status. This is your daily triage list.
cipp_list_audit_logscipp_list_audit_logs(tenantFilter='contoso.onmicrosoft.com',
startDate?, endDate?,
userId?, operation?)
Tenant-scoped audit log entries from the M365 unified audit log. Filter by date range, user, or operation to narrow investigation scope. Use to investigate suspicious sign-ins, admin role changes, mailbox access, app consent grants, and policy modifications.
cipp_list_alert_queue - pull the full queuetenant + alertType to spot patterns (one tenant generating most alerts often signals a broken standard or runaway script)cipp_list_audit_logs filtered to the alert windowalerts = cipp_list_alert_queue()
critical = [a for a in alerts if a['severity'] == 'critical']
for a in critical:
logs = cipp_list_audit_logs(
tenantFilter=a['tenantId'],
startDate=a['raisedAt'] - 30 minutes,
endDate=a['raisedAt'] + 5 minutes,
)
The 30-minute lookback usually captures the precipitating event (sign-in, admin change, app consent) that caused the alert.
operation value | What it surfaces |
|---|---|
UserLoggedIn | Sign-in events |
Add member to role | Role escalation |
Consent to application | New app permissions granted |
New-InboxRule | Mailbox rule creation (BEC indicator) |
Set-Mailbox | Mailbox config changes |
Add policy | Conditional access policy created |
Update conditional access policy | CA policy modified |
When cipp_bec_check flags a user, supplement it with audit log queries:
UserLoggedIn operations for the user over the last 7 days - look for unusual countries, IPs, or bursts of failed -> success patternsNew-InboxRule and Set-Mailbox operations - hidden forwarding/auto-delete rulesConsent to application operations - illicit consent grants are common BEC vectorscipp_list_alert_queue returns active queue items - historic resolved alerts require the CIPP UI.npx claudepluginhub p/henssler-financial-microsoft-365-plugins-microsoft-365Guides completion of development work by verifying tests, detecting environment, and presenting structured options for merge, PR, or cleanup.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
Dispatches multiple subagents concurrently for independent tasks without shared state. Use when facing 2+ unrelated failures or subsystems that can be investigated in parallel.