cipp-alertslisted
Install: claude install-skill wyre-technology/msp-claude-plugins
# CIPP Alerts & Audit Logs
CIPP raises alerts based on standards violations, anomaly detection, and configured thresholds. The two tools in this skill let you triage the alert queue and pull underlying audit log evidence.
## Tools
### `cipp_list_alert_queue`
```
cipp_list_alert_queue()
```
Returns queued alerts across all tenants — alert type, tenant, severity, raised time, and current status. This is your daily triage list.
### `cipp_list_audit_logs`
```
cipp_list_audit_logs(tenantFilter='contoso.onmicrosoft.com',
                     startDate?, endDate?,
                     userId?, operation?)
```
Tenant-scoped audit log entries from the M365 unified audit log. Filter by date range, user, or operation to narrow investigation scope. Use it to investigate suspicious sign-ins, admin role changes, mailbox access, app consent grants, and policy modifications. Note that the unified audit log is not real-time: entries can lag the underlying event by minutes to hours depending on the workload, so an empty result for a freshly raised alert does not prove nothing happened. Re-query after the ingestion delay before closing the alert.
## Workflow patterns
### Daily alert triage
1. `cipp_list_alert_queue` — pull the full queue
2. Group by `tenant` + `alertType` to spot patterns (one tenant generating most alerts often signals a broken standard or runaway script)
3. Triage in severity order: critical → high → medium → low
4. For each alert: drill into the related tenant's audit logs with `cipp_list_audit_logs` filtered to the alert window
### Correlate alert → audit evidence
```
alerts = cipp_list_alert_queue()
critical = [a for a in alerts if a['severity'] == 'critical']
for a in critical:
    logs = cipp_list_audit_logs(
        tenantFilter=a['tenant'],
        # bound startDate/endDate to the alert's raised time (step 4 above)
    )
```
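The daily triage steps and the alert-to-evidence correlation above, worked through end to end as an added offline example. This is not code from the CIPP skill or its MCP tools: the record field names (`alertType`, `tenant`, `severity`, `raisedTime`, `status`, `timestamp`, `userId`, `operation`), the `SAMPLE_ALERTS` and `SAMPLE_LOGS` lists, and the +/-30 minute alert window are assumptions constructed for the example, standing in for what `cipp_list_alert_queue()` and `cipp_list_audit_logs()` return.

```python
"""Triage + correlation logic for the two workflow patterns above, as an
added offline example (not code from the CIPP skill or its MCP tools).
Field names, the SAMPLE_* records and the default window are assumptions
constructed for this example, not the CIPP schema or real tenant data."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Severity rank used for step 3; anything unrecognised sorts last.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed stand-in for the result of cipp_list_alert_queue().
SAMPLE_ALERTS = [
    {"alertType": "NewAppConsent", "tenant": "contoso.onmicrosoft.com",
     "severity": "critical", "raisedTime": "2024-05-01T08:12:00Z", "status": "new"},
    {"alertType": "NewAppConsent", "tenant": "contoso.onmicrosoft.com",
     "severity": "critical", "raisedTime": "2024-05-01T08:40:00Z", "status": "new"},
    {"alertType": "AdminRoleChange", "tenant": "contoso.onmicrosoft.com",
     "severity": "high", "raisedTime": "2024-05-01T09:05:00Z", "status": "new"},
    {"alertType": "MFAStandardDrift", "tenant": "fabrikam.onmicrosoft.com",
     "severity": "medium", "raisedTime": "2024-05-01T07:30:00Z", "status": "new"},
    {"alertType": "MailboxForwardingRule", "tenant": "contoso.onmicrosoft.com",
     "severity": "low", "raisedTime": "2024-05-01T06:00:00Z", "status": "new"},
    {"alertType": "NewAppConsent", "tenant": "fabrikam.onmicrosoft.com",
     "severity": "high", "raisedTime": "2024-05-01T08:00:00Z", "status": "new"},
]

# Constructed stand-in for cipp_list_audit_logs() output across both tenants.
SAMPLE_LOGS = [
    {"tenant": "contoso.onmicrosoft.com", "timestamp": "2024-05-01T08:10:30Z",
     "userId": "jdoe@contoso.onmicrosoft.com", "operation": "Consent to application."},
    {"tenant": "contoso.onmicrosoft.com", "timestamp": "2024-05-01T08:38:00Z",
     "userId": "jdoe@contoso.onmicrosoft.com", "operation": "Add app role assignment grant to user."},
    {"tenant": "contoso.onmicrosoft.com", "timestamp": "2024-05-01T09:03:00Z",
     "userId": "admin@contoso.onmicrosoft.com", "operation": "Add member to role."},
    {"tenant": "fabrikam.onmicrosoft.com", "timestamp": "2024-05-01T08:11:00Z",
     "userId": "asmith@fabrikam.onmicrosoft.com", "operation": "Consent to application."},
    {"tenant": "contoso.onmicrosoft.com", "timestamp": "2024-05-01T03:00:00Z",
     "userId": "jdoe@contoso.onmicrosoft.com", "operation": "New-InboxRule"},
]


def parse_ts(value):
    """ISO-8601 'Z' timestamp -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def group_alerts(alerts):
    """Step 2: alert count per (tenant, alertType), busiest pair first."""
    return Counter((a["tenant"], a["alertType"]) for a in alerts).most_common()


def noisy_tenants(alerts, share=0.5):
    """Tenants producing at least `share` of the whole queue: a candidate for a
    broken standard or runaway script rather than many separate incidents."""
    per_tenant = Counter(a["tenant"] for a in alerts)
    total = len(alerts) or 1
    return [t for t, n in per_tenant.items() if n / total >= share]


def triage_order(alerts):
    """Step 3: critical -> high -> medium -> low, oldest first within a level."""
    return sorted(
        alerts,
        key=lambda a: (SEVERITY_ORDER.get(a["severity"].lower(), len(SEVERITY_ORDER)),
                       parse_ts(a["raisedTime"])),
    )


def alert_window(alert, before=timedelta(minutes=30), after=timedelta(minutes=30)):
    """Step 4: the startDate/endDate pair to hand to cipp_list_audit_logs.
    The +/-30 minute default is an assumption; widen it for slow-burn alerts."""
    raised = parse_ts(alert["raisedTime"])
    return raised - before, raised + after


def correlate(alert, logs, operation=None):
    """Audit entries for the alert's tenant inside its window, optionally
    narrowed to one operation (mirrors tenantFilter/startDate/endDate/operation)."""
    start, end = alert_window(alert)
    return [
        entry for entry in logs
        if entry["tenant"] == alert["tenant"]
        and start <= parse_ts(entry["timestamp"]) <= end
        and (operation is None or entry["operation"] == operation)
    ]


def daily_triage(alerts, logs):
    """Whole workflow: the ordered queue with its audit evidence attached."""
    return [{"alert": a, "evidence": correlate(a, logs)} for a in triage_order(alerts)]


if __name__ == "__main__":
    print("noisy tenants:", noisy_tenants(SAMPLE_ALERTS))
    for (tenant, alert_type), n in group_alerts(SAMPLE_ALERTS):
        print(f"{n:2d}  {tenant:28} {alert_type}")
    for item in daily_triage(SAMPLE_ALERTS, SAMPLE_LOGS):
        a = item["alert"]
        print(f"[{a['severity']:8}] {a['tenant']} {a['alertType']}: "
              f"{len(item['evidence'])} audit entries in window")
```

In the sample data contoso raises four of the six alerts, so `noisy_tenants` flags it and `group_alerts` puts the repeated `NewAppConsent` pair on top before any individual alert is worked; the two critical consent alerts then pick up the consent and app-role-assignment entries in their windows, while the medium and low alerts come back with no evidence, which with the audit log's ingestion lag in mind means "re-query later", not "nothing happened".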