DE.CM-3
Personnel activity is monitored to detect potential cybersecurity events
Detect · Continuous Monitoring
Fully Automated
Compliance Score
90%
Compliant
Documentation Maturity
4/5
Target: 2.5
Implementation Maturity
4/5
Target: 2.5
Control Description
User activity monitoring tools detect suspicious behavior such as impossible travel, unusual sign-in patterns, mass downloads, or privilege escalation attempts.
Microsoft Graph API Endpoints Used
GET /auditLogs/signIns
GET /identityProtection/riskDetections
GET /identityProtection/riskyUsers
Required Permissions
AuditLog.Read.All
IdentityRiskEvent.Read.All
IdentityRiskyUser.Read.All
Remediation Guidance
Enable Entra ID Identity Protection risk policies. Configure Conditional Access policies that respond to user risk levels. Enable sign-in log monitoring. Set up alerts for suspicious sign-in patterns (impossible travel, unfamiliar locations).
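An impossible-travel check over sign-in records already retrieved from GET /auditLogs/signIns, as an added example that is not part of the original page and is not Identity Protection's own detection logic. The speed and distance thresholds, the helper names and the sample records are assumptions constructed for illustration; failed sign-ins and records without coordinates are skipped.

```python
import math
from collections import defaultdict
from datetime import datetime

MAX_KMH = 900.0  # assumed threshold: about airliner cruise speed
MIN_KM = 500.0   # assumed floor so geo-IP jitter between nearby points is ignored

def _km(a, b):
    """Haversine distance in km between two geoCoordinates dicts."""
    la1, lo1, la2, lo2 = map(math.radians, (a["latitude"], a["longitude"], b["latitude"], b["longitude"]))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(sign_ins, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (user, earlier_id, later_id, km) for consecutive successful sign-ins implying speed > max_kmh."""
    by_user = defaultdict(list)
    for s in sign_ins:
        geo = (s.get("location") or {}).get("geoCoordinates") or {}
        succeeded = (s.get("status") or {}).get("errorCode") == 0
        if succeeded and geo.get("latitude") is not None and geo.get("longitude") is not None:
            when = datetime.fromisoformat(s["createdDateTime"].replace("Z", "+00:00"))
            by_user[s["userPrincipalName"]].append((when, s["id"], geo))
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        for (t1, id1, g1), (t2, id2, g2) in zip(events, events[1:]):
            km = _km(g1, g2)
            hours = (t2 - t1).total_seconds() / 3600
            if km >= min_km and (hours <= 0 or km / hours > max_kmh):  # zero elapsed time counts as too fast
                findings.append((user, id1, id2, round(km)))
    return findings

def _rec(id_, upn, when, lat, lon, code=0):  # hypothetical helper: builds only the signIn fields read above
    geo = None if lat is None else {"latitude": lat, "longitude": lon}
    return {"id": id_, "userPrincipalName": upn, "createdDateTime": when,
            "status": {"errorCode": code}, "location": {"geoCoordinates": geo}}

SAMPLE = [  # constructed sample data, not real log entries
    _rec("a1", "alice@example.com", "2024-05-01T08:00:00Z", 51.5074, -0.1278),   # London
    _rec("a2", "alice@example.com", "2024-05-01T09:00:00Z", 1.3521, 103.8198),   # Singapore, 1 h later
    _rec("b1", "bob@example.com", "2024-05-01T08:00:00Z", 48.8566, 2.3522),      # Paris
    _rec("b2", "bob@example.com", "2024-05-01T20:00:00Z", 40.7128, -74.0060),    # New York, 12 h later
    _rec("c1", "carol@example.com", "2024-05-01T08:00:00Z", 52.5200, 13.4050),   # Berlin
    _rec("c2", "carol@example.com", "2024-05-01T08:10:00Z", -33.8688, 151.2093, code=50126),  # failed sign-in
    _rec("d1", "dave@example.com", "2024-05-01T08:00:00Z", None, None),          # no coordinates
]

if __name__ == "__main__":
    print(impossible_travel(SAMPLE))
```

Only the London to Singapore pair is reported; the 12-hour Paris to New York pair stays under the speed threshold, and the failed sign-in never enters the comparison.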