Content Pack for Microsoft 365

This documentation does not apply to the most recent version of Content Pack for Microsoft 365. For documentation on the most recent version, go to the latest release.

KPI reference for the Content Pack for Microsoft 365

The following tables list the KPIs used to monitor the health of your servers in the Content Pack for Microsoft 365. All parent and child services report up to the overall M365 service at the highest level. All KPIs in this content pack have a 15-minute schedule and 15-minute lookback time.

M365_App Availability

This service contains the KPIs for the availability of Microsoft 365 Applications.

| KPI | Description |
| --- | --- |
| Extended recovery | This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix. |
| False positive | After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service. |
| Investigating | Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact. |
| Investigation suspended | Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation. |
| Normal service | Service is up and running. |
| Restoring service | Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state. |
| Service degradation | Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced. |
| Service interruption | This status displays when an issue affects the ability for users to access the service. The issue is significant and can be consistently reproduced. |
| Service Restored | Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state. |

M365_AzureActiveDirectory

This service contains services and KPIs for Azure Entra ID (formerly Azure Active Directory).

M365_AzureAD_Availability

This service contains KPIs for the availability of Azure Active Directory.

| KPI | Description |
| --- | --- |
| Extended recovery | This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix. |
| False positive | After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service. |
| Investigating | Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact. |
| Investigation suspended | Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation. |
| Normal service | Service is up and running. |
| Restoring service | Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state. |
| Service degradation | Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced. |
| Service interruption | You'll see this status when Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently. |
| Service Restored | Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state. |

M365_AzureAD_Performance

This service includes services and KPIs for the performance of application, directory, group, login, role and user activity in Azure Active Directory.

| Service | KPI | Description |
| --- | --- | --- |
| M365_AzureAD_Application Administration Activities | Added credentials to a service principal | Credentials were added to a service principal in Azure Entra ID (formerly Azure AD). A service principal represents an application in the directory. |
| M365_AzureAD_Application Administration Activities | Added delegation entry | An authentication permission was created/granted to an application in Azure Entra ID. |
| M365_AzureAD_Application Administration Activities | Added service principal | An application was registered in Azure Entra ID. An application is represented by a service principal in the directory. |
| M365_AzureAD_Application Administration Activities | Removed a service principal from the directory | An application was deleted/unregistered from Azure Entra ID. An application is represented by a service principal in the directory. |
| M365_AzureAD_Application Administration Activities | Removed credentials from a service principal | Credentials were removed from a service principal in Azure Entra ID. A service principal represents an application in the directory. |
| M365_AzureAD_Application Administration Activities | Removed delegation entry | An authentication permission was removed from an application in Azure Entra ID. |
| M365_AzureAD_Application Administration Activities | Set delegation entry | An authentication permission was updated for an application in Azure Entra ID. |
| M365_AzureAD_Directory Administration Activities | Added a partner to the directory | Added a partner (delegated administrator) to your organization. |
| M365_AzureAD_Directory Administration Activities | Added domain to company | Added a domain to your organization. |
| M365_AzureAD_Directory Administration Activities | Removed a partner from the directory | Removed a partner (delegated administrator) from your organization. |
| M365_AzureAD_Directory Administration Activities | Removed domain from company | Removed a domain from your organization. |
| M365_AzureAD_Directory Administration Activities | Set company information | Updated the company information for your organization. This includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about Microsoft 365 services. |
| M365_AzureAD_Directory Administration Activities | Set domain authentication | Changed the domain authentication setting for your organization. |
| M365_AzureAD_Directory Administration Activities | Set password policy | Changed the length and character constraints for user passwords in your organization. |
| M365_AzureAD_Directory Administration Activities | Turned on Azure AD sync | Set the property that enables a directory for Azure AD Sync. |
| M365_AzureAD_Directory Administration Activities | Updated domain | Updated the settings of a domain in your organization. |
| M365_AzureAD_Directory Administration Activities | Updated the federation settings for a domain | Changed the federation (external sharing) settings for your organization. |
| M365_AzureAD_Directory Administration Activities | Verified domain | Verified that your organization is the owner of a domain. |
| M365_AzureAD_Directory Administration Activities | Verified email verified domain | Used email verification to verify that your organization is the owner of a domain. |
| M365_AzureAD_Group Administration Activities | Added group | A group was created. |
| M365_AzureAD_Group Administration Activities | Added member to group | A member was added to a group. |
| M365_AzureAD_Group Administration Activities | Deleted group | A group was deleted. |
| M365_AzureAD_Group Administration Activities | Removed member from group | A member was removed from a group. |
| M365_AzureAD_Group Administration Activities | Updated group | A property of a group was changed. |
| M365_AzureAD_Login Activity | Authentication Methods | Authentication methods used to log in. |
| M365_AzureAD_Login Activity | Distinct User Sign-ins | Count of distinct user logins. |
| M365_AzureAD_Login Activity | Logins by Region | Logins by country. |
| M365_AzureAD_Login Activity | Logon Errors | Errors that occurred when a user attempted to log in. |
| M365_AzureAD_Login Activity | Operation-UserLoggedIn | Shows the count of successfully logged-in users by IP address. |
| M365_AzureAD_Login Activity | Operation-UserLoginFailed | Shows the count of users who failed to log in, by IP address. |
| M365_AzureAD_Login Activity | Risky Login Event Types | Risk detection types associated with the sign-in. |
| M365_AzureAD_Login Activity | Successful Logins from External Users | Successful logins from users outside the organization. |
| M365_AzureAD_Login Activity | User Agents | User agents of users when logging in. |
| M365_AzureAD_Login Activity | User Types | Type of user. |
| M365_AzureAD_Role Administration Activities | Add member to Role | Added a user to an admin role in Microsoft 365. |
| M365_AzureAD_Role Administration Activities | Removed a user from a directory role | Removed a user from an admin role in Microsoft 365. |
| M365_AzureAD_Role Administration Activities | Set company contact information | Updated the company-level contact preferences for your organization. This includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about services. |
| M365_AzureAD_User Administration Activities | Added user | A user account was created. |
| M365_AzureAD_User Administration Activities | Changed user license | The license assigned to a user changed. |
| M365_AzureAD_User Administration Activities | Changed user password | A user changed their password. |
| M365_AzureAD_User Administration Activities | Deleted user | A user account was deleted. |
| M365_AzureAD_User Administration Activities | Reset user password | An administrator reset the password for a user. |
| M365_AzureAD_User Administration Activities | Set license properties | An administrator modified the properties of a license assigned to a user. |
| M365_AzureAD_User Administration Activities | Set property that forces user to change password | An administrator set the property that forces a user to change their password the next time the user signs in to Office 365. |
| M365_AzureAD_User Administration Activities | Updated user | An administrator changed one or more properties of a user account. |

M365_Exchange

This service contains services and KPIs for Microsoft 365 Exchange.

| KPI | Description |
| --- | --- |
| M365_Exchange Online | Microsoft Exchange status. |

M365_Exchange_Availability

This service contains KPIs for the availability of Microsoft 365 Exchange.

| KPI | Description |
| --- | --- |
| _Advisory | KPI showing Advisory information related to O365 Exchange. |
| _Incident | KPI showing Incidents related to O365 Exchange. |
| _Plan for Change | Informs users of changes to Microsoft 365 that may require them to take action to avoid disruptions in Exchange service. |
| _Prevent or Fix Issues | Informs users of known issues affecting the organization that may require them to take action to avoid disruptions in Exchange service. Prevent or fix issues are different from Service health messages because they prompt users to be proactive to avoid issues. |
| _Stay Informed | Informs users about new or updated features that are turning on in the organization. The features are usually announced first in the Microsoft 365 Exchange Roadmap. |
| Extended recovery | This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix. |
| False positive | After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service. |
| Investigating | Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact. |
| Investigation suspended | Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation. |
| Normal service | Service is up and running. |
| Restoring service | Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state. |
| Service degradation | Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced. |
| Service interruption | You'll see this status when Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently. |
| Service Restored | Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state. |

M365_Exchange_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft Exchange.

| KPI | Description |
| --- | --- |
| GT_Exchange_ActiveMailboxes | Count of currently active mailboxes. |
| GT_Exchange_MailboxLogins | Count of mailbox logins by users. |
| GT_Exchange_MailboxStorageUsage | Total mailbox storage used (GB). |
| GT_Exchange_ReceivedEmailCount | Count of total emails received. |
| GT_Exchange_TotalMailboxes | Count of mailboxes. |
| GT_Exchange_TotalUniqueUsers | Total unique users for Exchange. |

M365_Exchange_Performance

This service contains KPIs for the performance of Microsoft 365 Exchange.

| KPI | Description |
| --- | --- |
| Archive Quota | KPI showing the Exchange Archive Quota; subscribers are often limited to 50 GB. |
| Archive Warning Quota | KPI showing the Exchange Archive Warning Quota, the threshold at which users are warned that they are approaching the archive space limit. |
| Issue Warning Quota | This is the maximum storage limit before a warning is issued to the user. If the mailbox size reaches or exceeds the value specified, Exchange sends a warning message to the user. |
| Operations | KPI that aggregates several critical indicators of performance. |
| Prohibit Send Quota | If the mailbox size reaches or exceeds the specified limit, Exchange prevents the user from sending new messages and displays a descriptive error message. |
| Prohibit Send Receive Quota | If the mailbox size reaches or exceeds the specified limit, Exchange prevents the mailbox user from sending new messages and won't deliver any new messages to the mailbox. Any messages sent to the mailbox are returned to the sender with a descriptive error message. |
| Public Folder Hierarchy Mailbox Count Quota | Count of total public folders in the hierarchy of the mailbox. |
| Recoverable Items Quota | This is the storage quota for the Recoverable Items folder, not the quota for the entire archive mailbox. |
| Recoverable Items Warning | For mailboxes that aren't placed on In-Place Hold or Litigation Hold, the Managed Folder Assistant automatically purges items from the Recoverable Items folder when the deleted item retention period expires. If the folder reaches the Recoverable Items warning quota, the assistant automatically purges items in first-in-first-out order. |

M365_OneDrive

This service contains services and KPIs for Microsoft OneDrive.

M365_OneDrive_Availability

This service contains KPIs for the availability of Microsoft OneDrive.

| KPI | Description |
| --- | --- |
| _Advisory | KPI showing Advisory information related to O365 OneDrive. |
| _Incident | KPI showing Incidents related to O365 OneDrive. |
| _Plan for Change | Informs users of changes to Microsoft 365 that may require them to take action to avoid disruptions in OneDrive service. |
| _Prevent or Fix Issues | Informs users of known issues affecting the organization that may require them to take action to avoid disruptions in OneDrive service. Prevent or fix issues are different from Service health messages because they prompt users to be proactive to avoid issues. |
| _Stay Informed | Informs users about new or updated features that are turning on in the organization. The features are usually announced first in the Microsoft 365 OneDrive Roadmap. |
| Extended recovery | This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix. |
| False positive | After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service. |
| Investigating | Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact. |
| Investigation suspended | Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation. |
| Normal service | Service is up and running. |
| Restoring service | Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state. |
| Service degradation | Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced. |
| Service interruption | You'll see this status when Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently. |
| Service Restored | Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state. |

M365_OneDrive_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft OneDrive.

| KPI | Description |
| --- | --- |
| GT_OneDrive_ActiveFiles | Total active files in OneDrive for the last 7-day reporting period. |
| GT_OneDrive_StorageAllocated | The total storage allocated for OneDrive sites. |
| GT_OneDrive_StorageUsed | The total storage used for OneDrive sites. |
| GT_OneDrive_TotalFiles | The latest reported total file count for OneDrive sites. |
| GT_OneDrive_TotalUniqueUsers | Total unique users for OneDrive. |
| GT_OneDrive_UsagePercent | Percentage of allocated storage that is in use. |

M365_OneDrive_Performance

This service contains KPIs for the performance of Microsoft OneDrive.

| KPI | Description |
| --- | --- |
| Operations | KPI that aggregates several critical indicators of performance. |

M365_PowerBI

This service contains services and KPIs for Microsoft PowerBI.

M365_PowerBI_Availability

This service contains KPIs for the availability of Microsoft PowerBI.

| KPI | Description |
| --- | --- |
| Extended recovery | This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix. |
| False positive | After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service. |
| Investigating | Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact. |
| Investigation suspended | Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation. |
| Normal service | Service is up and running. |
| Restoring service | Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state. |
| Service degradation | Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced. |
| Service interruption | You'll see this status when Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently. |
| Service Restored | Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state. |

M365_PowerBI_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft PowerBI.

| KPI | Description |
| --- | --- |
| GT_PowerBI_TotalDashboards | Total number of dashboards in PowerBI. |
| GT_PowerBI_TotalDatasets | Total number of datasets in PowerBI. |
| GT_PowerBI_TotalReports | Total number of reports in PowerBI. |
| GT_PowerBI_TotalUniqueUsers | Total unique users for PowerBI. |
| GT_PowerBI_TotalWorkspaces | Total number of workspaces in PowerBI. |

M365_PowerBI_Performance

This service contains KPIs for the performance of Microsoft PowerBI.

| KPI | Description |
| --- | --- |
| All Activities | All user activities in PowerBI. |
| Created PowerBI dashboard | A user created a PowerBI dashboard. |
| Created PowerBI dataflow | A user created a PowerBI dataflow. |
| Created PowerBI dataset | A user created a PowerBI dataset. |
| Created PowerBI report | A user created a PowerBI report. |
| Deleted PowerBI comment | A user deleted a PowerBI comment. |
| Deleted PowerBI dashboard | A user deleted a PowerBI dashboard. |
| Deleted PowerBI dataset | A user deleted a PowerBI dataset. |
| Deleted PowerBI report | A user deleted a PowerBI report. |
| Downloaded PowerBI report | A user downloaded a PowerBI report. |
| Edited PowerBI dataset | A user edited a PowerBI dataset. |
| Edited PowerBI report | A user edited a PowerBI report. |
| Exported PowerBI dataflow | A user exported a PowerBI dataflow. |
| Exported PowerBI report visual data | A user exported PowerBI report visual data. |
| Exported PowerBI tile data | A user exported PowerBI tile data. |
| Imported file to PowerBI | A user imported a file to PowerBI. |
| Installed PowerBI app | A user installed the PowerBI app. |
| Posted PowerBI comment | A user posted a PowerBI comment. |
| Printed PowerBI dashboard | A user printed a PowerBI dashboard. |
| Printed PowerBI report page | A user printed a PowerBI report page. |
| Published PowerBI report to web | A user published a PowerBI report to the web. |
| Requested PowerBI dataset refresh | A user requested a PowerBI dataset refresh. |
| Set dataflow storage location for a workspace | A user set a dataflow storage location for a workspace. |
| Set scheduled refresh on Power BI dataflow | A user set a scheduled refresh on a Power BI dataflow. |
| Set scheduled refresh on Power BI dataset | A user set a scheduled refresh on a Power BI dataset. |
| Shared Power BI dashboard | A user shared a Power BI dashboard. |
| Shared Power BI report | A user shared a Power BI report. |
| Updated Power BI app | A user updated a Power BI app. |
| Viewed Power BI dashboard | A user viewed a Power BI dashboard. |
| Viewed Power BI dataflow | A user viewed a Power BI dataflow. |
| Viewed Power BI report | A user viewed a Power BI report. |

M365_Security

This service contains triggered security alerts from Security & Compliance Center and Cloud App Security.

M365_Cloud App Security

This service contains triggered security alerts from built-in policies in Cloud App Security.

| Service | KPI | Description |
| --- | --- | --- |
| M365_Cloud Discovery | Cloud Discovery anomaly detection | This policy is automatically enabled to alert you when anomalous behavior is detected in discovered users, IP addresses and services. |
| M365_Cloud Discovery | Any popular app | Alert on newly discovered apps that are used by more than 1 user. |
| M365_Threat Detection | Activity from anonymous IP addresses | This policy profiles your environment and triggers alerts when it identifies activity from an IP address that has been identified as an anonymous proxy IP address. These proxies are used by people who want to hide their device's IP address, and may be used for malicious intent. |
| M365_Threat Detection | Activity from infrequent country | This policy profiles your environment and triggers alerts when activity is detected from a location that was not recently visited, or was never visited, by the user or by any user in the organization. Detecting anomalous locations necessitates an initial learning period of 7 days, during which it does not alert on any new locations. |
| M365_Threat Detection | Activity from suspicious IP addresses | This policy profiles your environment and triggers alerts when activity is detected from an IP address that has been identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as botnet C&C, and may indicate a compromised account. |
| M365_Threat Detection | Activity performed by terminated user | This policy profiles your environment and alerts when a terminated user performs an activity in a sanctioned corporate application. |
| M365_Threat Detection | Data exfiltration to unsanctioned apps | This policy is automatically enabled to alert you when a user or IP address is using an app that is not sanctioned to perform an activity that might be an attempt to exfiltrate information from your organization. |
| M365_Threat Detection | Impossible travel | This policy profiles your environment and triggers alerts when activities are detected from the same user in different locations within a time period that is shorter than the expected travel time between the two locations. This could indicate that a different user is using the same credentials. |
| M365_Threat Detection | Leaked credentials | When cybercriminals compromise valid passwords of legitimate users, they often share those credentials. This is usually done by posting them publicly on the dark web or paste sites or by trading or selling the credentials on the black market. |
| M365_Threat Detection | Malicious OAuth app consent | This policy uses Microsoft Threat Intelligence to scan OAuth apps connected to your environment and triggers an alert when it detects a potentially malicious app that has been authorized. |
| M365_Threat Detection | Malware detection | This detection scans files in your cloud apps and runs suspicious files through Microsoft's threat intelligence engine to determine whether they are associated with known malware. |
| M365_Threat Detection | Misleading OAuth app name | This policy scans the OAuth apps connected to your environment and triggers an alert when an app with a misleading name is detected. Misleading names, such as foreign letters that resemble Latin letters, could indicate an attempt to disguise a malicious app as a known and trusted app. |
| M365_Threat Detection | Misleading publisher name for an OAuth app | This policy scans the OAuth apps connected to your environment and triggers an alert when an app with a misleading publisher name is detected. |
| M365_Threat Detection | Multiple delete VM activities | This policy profiles your environment and triggers alerts when users perform multiple delete VM activities in a single session with respect to the baseline learned, which could indicate an attempted breach. |
| M365_Threat Detection | Multiple failed login attempts | This policy profiles your environment and triggers alerts when users perform multiple failed login activities in a single session with respect to the baseline learned, which could indicate an attempted breach. |
| M365_Threat Detection | Multiple storage deletion activities | This policy profiles your environment and triggers alerts when users perform multiple storage deletion or DB deletion activities in a single session with respect to the baseline learned, which could indicate an attempted breach. |
| M365_Threat Detection | Multiple VM creation activities | This policy profiles your environment and triggers alerts when users perform multiple create VM activities in a single session with respect to the baseline learned, which could indicate an attempted breach. |
| M365_Threat Detection | Preview: Investigation Priority Score Increased | Identifies a malicious insider or compromised user by identifying entities that deviate from their profile baseline. |
| M365_Threat Detection | Preview: Multiple Power BI report sharing activities | This policy profiles your environment and triggers alerts when users perform multiple Power BI report-sharing activities in a single session with respect to the baseline learned, which could indicate an attempted breach. |
| M365_Threat Detection | Preview: Suspicious change of CloudTrail logging service | This policy profiles your environment and triggers alerts when a user performs suspicious changes to the CloudTrail logging service in a single session, which could indicate an attempted breach. |
| M365_Threat Detection | Preview: Suspicious Power BI report sharing | This policy profiles your environment and triggers alerts when a user shares a Power BI report that may include sensitive information, which may indicate a compromised account. The report was either shared with an external email address, published to the web, or a snapshot was delivered to an externally subscribed email address. |
| M365_Threat Detection | Ransomware activity | This policy profiles your environment and triggers alerts when an activity pattern is detected that is typical of a ransomware attack. |
| M365_Threat Detection | Risky sign-in | Azure Active Directory (Azure AD) detects suspicious actions that are related to your user accounts. |
| M365_Threat Detection | Suspicious email deletion activity (by user) | This policy profiles your environment and triggers alerts when a user performs suspicious email deletion activities in a single session, which could indicate an attempted breach. |
| M365_Threat Detection | Suspicious inbox forwarding | This policy profiles your environment and triggers alerts when suspicious inbox forwarding rules are set on a user's inbox. This may indicate that the user account is compromised, and that the mailbox is being used to exfiltrate information from your organization. |
| M365_Threat Detection | Suspicious inbox manipulation rule | A suspicious inbox rule was set on a user's inbox. This may indicate that the user account is compromised, and that the mailbox is being used to distribute spam and malware in your organization. |
| M365_Threat Detection | Suspicious OAuth app file download activities | This policy scans the OAuth apps connected to your environment and triggers an alert when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is uncommon for the user. |
| M365_Threat Detection | Unusual addition of credentials to an OAuth app | This detection policy profiles your environment and triggers alerts when users perform unusual credential additions to an OAuth app, which could indicate an attempted breach. |
| M365_Threat Detection | Unusual administrative activity (by user) | This policy profiles your environment and triggers alerts when users perform multiple administrative activities in a single session with respect to the baseline learned, which could indicate an attempted breach. |
| M365_Threat Detection | Unusual file deletion activity (by user) | This policy profiles your environment and triggers alerts when users perform multiple file deletion activities in a single session with respect to the baseline learned, which could indicate an attempted breach. |
| M365_Threat Detection | Unusual file download (by user) | This policy profiles your environment and triggers alerts when users perform multiple file download activities in a single session with respect to the baseline learned, which could indicate an attempted breach. |
| M365_Threat Detection | Unusual file share activity (by user) | This policy profiles your environment and triggers alerts when users perform multiple file sharing activities in a single session with respect to the baseline learned, which could indicate an attempted breach. |
| M365_Threat Detection | Unusual impersonated activity (by user) | This policy profiles your environment and triggers alerts when users perform multiple impersonated activities in a single session with respect to the baseline learned, which could indicate an attempted breach. |
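The "Impossible travel" policy in the table above reduces to one rule: two activities by the same user whose geographic separation cannot be covered in the elapsed time. The Python below is an added example, not code from the content pack or from Microsoft's implementation, that applies that rule to constructed sign-in records; the record format, the 1000 km/h speed threshold and the 100 km minimum-distance filter are assumptions.

```python
"""Impossible-travel check over constructed sign-in records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumed threshold: faster than an airliner
MIN_DISTANCE_KM = 100.0           # assumed: ignore geolocation jitter within a city


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime      # timezone-aware UTC timestamp
    lat: float
    lon: float
    source_ip: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_signins(text: str) -> List[SignIn]:
    """Parse the constructed 'user,timestamp,lat,lon,ip' format; skips comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, ts, lat, lon, ip = line.split(",")
        records.append(SignIn(user, datetime.fromisoformat(ts), float(lat), float(lon), ip))
    return records


def find_impossible_travel(records: List[SignIn],
                           max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH,
                           min_distance_km: float = MIN_DISTANCE_KM) -> List[Dict]:
    """Flag consecutive sign-ins per user whose required speed exceeds the threshold."""
    by_user: Dict[str, List[SignIn]] = defaultdict(list)
    for r in records:
        by_user[r.user].append(r)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)  # log order is not arrival order
        for prev, cur in zip(events, events[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_distance_km:
                continue  # same city: not a travel event
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # identical timestamps mean infinite required speed, so always flag
            speed = float("inf") if hours <= 0 else dist / hours
            if speed > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from_ip": prev.source_ip,
                    "to_ip": cur.source_ip,
                    "distance_km": round(dist, 1),
                    "elapsed_hours": round(hours, 2),
                    "required_speed_kmh": round(speed, 1),
                })
    return findings


# Constructed sample: London -> Sydney in 90 minutes for alice (flag);
# London -> Paris in 2 hours for bob (plausible). Lines are deliberately unordered.
SAMPLE_SIGNINS = """\
# user,timestamp (UTC, ISO 8601),lat,lon,source_ip
bob,2024-05-01T09:00:00+00:00,51.5074,-0.1278,203.0.113.10
alice,2024-05-01T10:30:00+00:00,-33.8688,151.2093,198.51.100.77
alice,2024-05-01T08:00:00+00:00,51.5074,-0.1278,203.0.113.5
bob,2024-05-01T11:00:00+00:00,48.8566,2.3522,203.0.113.11
alice,2024-05-01T09:00:00+00:00,51.5074,-0.1278,203.0.113.5
"""


def run_sample() -> List[Dict]:
    return find_impossible_travel(parse_signins(SAMPLE_SIGNINS))


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

A production version would additionally suppress pairs where both IPs belong to the same known VPN or cloud egress range, which is the usual source of false positives for this rule.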

M365_Security and Compliance Alerts

This service contains triggered security alerts from Security & Compliance Center.

Service KPI Description
M365_Information governance Unusual external user file activity Generates an alert when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside of your organization.
Unusual volume of external file sharing Generates an alert when an unusually large number of files in SharePoint or OneDrive are shared with users outside of your organization.
Unusual volume of file deletion Generates an alert when an unusually large number of files are deleted in SharePoint or OneDrive within a short time frame.
M365_Mail flow Messages have been delayed Generates an alert when Microsoft can't deliver email messages to your on-premises organization or a partner server by using a connector.
M365_Permissions Elevation of Exchange admin privilege Generates an alert when someone is assigned administrative permissions in your Exchange Online organization.
M365_Threat management A potentially malicious URL click was detected Generates an alert when a user protected by Safe Links in your organization clicks a malicious link. This event is triggered when URL verdict changes are identified by Microsoft Defender for Office 365 or when users override the Safe Links pages (based on your organization's Microsoft 365 for business Safe Links policy).
Admin Submission Result Completed Generates an alert when an Admin Submission completes the rescan of the submitted entity. An alert will be triggered every time a rescan result is rendered from an Admin Submission.
Admin triggered manual investigation of email Generates an alert when an admin triggers the manual investigation of an email from Threat Explorer.
Creation of forwarding/redirect rule Generates an alert when someone in your organization creates an inbox rule for their mailbox that forwards or redirects messages to another email account.
eDiscovery search started or exported Generates an alert when someone uses the Content search tool in the Security and compliance center.
Email messages containing malicious file removed after delivery​ Generates an alert when any messages containing a malicious file are delivered to mailboxes in your organization.
Email messages containing malicious URL removed after delivery​ Generates an alert when any messages containing a malicious URL are delivered to mailboxes in your organization.
Email messages containing malware removed after delivery​ Generates an alert when any messages containing malware are delivered to mailboxes in your organization.
Email messages containing phish URLs removed after delivery Generates an alert when any messages containing phish are delivered to mailboxes in your organization.
Email reported by user as malware or phish Generates an alert when users in your organization report messages as phishing email using the Report Message add-in.
Email sending limit exceeded Generates an alert when someone in your organization has sent more mail than is allowed by the outbound spam policy.
Failed exact data match upload Generates an alert when new sensitive information failed to upload.
Form blocked due to potential phishing attempt Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior.
Form flagged and confirmed as phishing Generates an alert when a form created in Microsoft Forms from within your organization has been identified as potential phishing through Report Abuse and confirmed as phishing by Microsoft.
Malware campaign detected after delivery Generates an alert when an unusually large number of messages containing malware are delivered to mailboxes in your organization.
Malware campaign detected and blocked Generates an alert when someone has attempted to send an unusually large number of email messages containing a certain type of malware to users in your organization.
Malware campaign detected in SharePoint and OneDrive Generates an alert when an unusually high volume of malware or viruses is detected in files located in SharePoint sites or OneDrive accounts in your organization.
Malware not zapped because ZAP is disabled Generates an alert when Microsoft detects delivery of a malware message to a mailbox because Zero-Hour Auto Purge for malware messages is disabled.
MIP AutoLabel simulation completed Generates an alert when AutoLabel policy simulation has been completed.
Phish delivered because a user's Junk Mail Folder is disabled Generates an alert when Microsoft detects a user's Junk Mail folder is disabled, allowing delivery of a high confidence phishing message to a mailbox.
Phish delivered due to an ETR override Generates an alert when Microsoft detects an Exchange Transport Rule (ETR) that allowed delivery of a high confidence phishing message to a mailbox.
Phish delivered due to an IP allow policy Generates an alert when Microsoft detects an IP allow policy that allowed delivery of a high confidence phishing message to a mailbox.
Phish not zapped because ZAP is disabled Generates an alert when Microsoft detects delivery of a high confidence phishing message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled.
Remediation action taken by admin on emails or URLs or sender Generates an alert when an admin takes remediation action on the selected entity.
Successful exact data match upload Generates an alert when new sensitive information is uploaded and is ready to be protected.
Suspicious Email Forwarding Activity Generates an alert when someone in your organization has autoforwarded email to a suspicious external account.
Suspicious email sending patterns detected Generates an alert when someone in your organization has sent suspicious email and is at risk of being restricted from sending email.
Tenant restricted from sending email Generates an alert when most of the email traffic from your organization has been detected as suspicious and Microsoft has restricted your organization from sending email.
Tenant restricted from sending unprovisioned email Generates an alert when too much email is being sent from unregistered domains (also known as unprovisioned domains) and Microsoft has restricted your organization from sending that email.
Unusual increase in email reported as phish Generates an alert when there's a significant increase in the number of people in your organization using the Report Message add-in in Outlook to report messages as phishing mail.
User restricted from sending email Generates an alert when someone in your organization is restricted from sending outbound mail.
User restricted from sharing forms and collecting responses Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior.
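The "Creation of forwarding/redirect rule" and "Suspicious Email Forwarding Activity" alerts above fire on Exchange Online audit events. The following Python is an added example, not code from the Splunk content pack or from Microsoft, showing the check a practitioner would run over the underlying audit records: it reads records in the Exchange admin-audit shape of the Office 365 Management Activity API (Operation, UserId, ObjectId, and Parameters as Name/Value pairs), pulls out every address an inbox rule forwards or redirects to, and reports those outside the tenant's accepted domains. It also goes slightly beyond the inbox-rule alert by treating mailbox-level forwarding set with Set-Mailbox the same way. The INTERNAL_DOMAINS set and the sample records are constructed for this example; rules created from the Outlook client arrive as UpdateInboxRules records with a different layout and are not parsed here.

```python
"""Detect inbox rules and mailbox settings that forward mail out of the tenant.

Added example, not code from the Splunk content pack or from Microsoft. Records
follow the Exchange admin-audit shape of the Office 365 Management Activity API
(Operation, UserId, ObjectId, Parameters as Name/Value pairs). INTERNAL_DOMAINS
and the sample records are constructed for this example.
"""
import re
from typing import Iterable

# Accepted domains of the tenant (assumed values for this example).
INTERNAL_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}

# Inbox-rule parameters that send a copy of, or divert, a message elsewhere.
RULE_FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Mailbox-level forwarding set with Set-Mailbox: not an inbox rule, but the
# same exfiltration outcome, so it is treated alongside the rule cmdlets.
MAILBOX_FORWARD_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parameters(record: dict) -> dict:
    """Flatten the record's Parameters list into a {Name: Value} dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def forwarding_targets(record: dict) -> list:
    """Return the e-mail addresses this record forwards or redirects to."""
    op = record.get("Operation", "")
    if op in ("New-InboxRule", "Set-InboxRule"):
        names = RULE_FORWARD_PARAMS
    elif op == "Set-Mailbox":
        names = MAILBOX_FORWARD_PARAMS
    else:
        return []
    params = parameters(record)
    targets = []
    for name in sorted(names):
        # Values may carry display names or an smtp: prefix; extract addresses.
        targets.extend(a.lower() for a in EMAIL_RE.findall(params.get(name, "")))
    return targets


def is_external(address: str) -> bool:
    """True when the address's domain is not an accepted domain of the tenant."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_external_forwarding(records: Iterable[dict]) -> list:
    """One finding per record that forwards or redirects mail outside the tenant."""
    findings = []
    for r in records:
        external = sorted({t for t in forwarding_targets(r) if is_external(t)})
        if not external:
            continue
        params = parameters(r)
        findings.append({
            "time": r.get("CreationTime"),
            "user": r.get("UserId"),
            "operation": r.get("Operation"),
            "rule": r.get("ObjectId"),
            "targets": external,
            "client_ip": r.get("ClientIP"),
            # DeleteMessage=True hides the forwarded mail from the mailbox
            # owner, the usual pattern in business e-mail compromise.
            "hides_copy": params.get("DeleteMessage", "").lower() == "true",
        })
    return findings


# Constructed sample records (not real tenant data).
SAMPLE_RECORDS = [
    {"CreationTime": "2024-01-30T08:02:11", "Operation": "New-InboxRule",
     "Workload": "Exchange", "UserId": "alice@contoso.com",
     "ClientIP": "203.0.113.10", "ObjectId": "alice\\Invoices",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "ForwardTo", "Value": "Accounts <attacker@example.net>"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-01-30T08:05:40", "Operation": "New-InboxRule",
     "Workload": "Exchange", "UserId": "bob@contoso.com",
     "ClientIP": "198.51.100.7", "ObjectId": "bob\\Delegate",
     "Parameters": [{"Name": "Name", "Value": "Delegate"},
                    {"Name": "RedirectTo", "Value": "assistant@contoso.com"}]},
    {"CreationTime": "2024-01-30T08:09:03", "Operation": "Set-Mailbox",
     "Workload": "Exchange", "UserId": "admin@contoso.com",
     "ClientIP": "198.51.100.7", "ObjectId": "carol",
     "Parameters": [{"Name": "Identity", "Value": "carol"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol@gmail.com"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2024-01-30T08:11:27", "Operation": "New-InboxRule",
     "Workload": "Exchange", "UserId": "dave@contoso.com",
     "ClientIP": "198.51.100.9", "ObjectId": "dave\\Archive",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "MoveToFolder", "Value": "Inbox\\Archive"}]},
]

if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_RECORDS):
        print(finding)
```

Running the block reports Alice's rule (external target, copy deleted) and the admin-set forward on Carol's mailbox, and stays silent on Bob's internal redirect and Dave's move-to-folder rule. In production the accepted-domain list should come from the tenant rather than a constant.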

M365_SharePoint_Online

This service contains services and KPIs for Microsoft SharePoint Online.

M365_SharePoint_Online_Availability

This service contains KPIs for the availability of Microsoft SharePoint Online.

KPI Description
Extended recovery This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service Service is up and running.
Restoring service Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state.
Service degradation Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption This status displays when Microsoft determines that an issue affects the ability for users to access the service. The issue is significant and can be reproduced consistently.
Service Restored Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_SharePoint_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft SharePoint Online.

Service KPI Description
GT_SharePoint_ActiveFiles Total active files from the SharePoint site for the last 7-day reporting period.
GT_SharePoint_StorageAllocation The total storage allocated for SharePoint sites.
GT_SharePoint_StorageUsed The total storage used for SharePoint sites.
GT_SharePoint_TotalFiles The latest reported total file count for SharePoint sites.
GT_SharePoint_TotalUniqueUsers Total unique users for SharePoint.
GT_SharePoint_UsagePercent Percent of storage usage from the total of storage allocated.

M365_SharePoint_Online_Performance

This service contains KPIs for the performance of Microsoft SharePoint Online.

Service KPI Description
M365_SharePoint_Online_File and Page Activities Accessed file User or system accessed a file.
Changed record status to locked The record status of a retention label that classifies a document as a record was locked. This means the document can't be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.
Changed record status to unlocked The record status of a retention label that classifies a document as a record was unlocked. This means that the document can be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.
Changed retention label for a file A retention label was applied to or removed from a document. This event is triggered when a retention label is manually or automatically applied to a document.
Checked in file User checked in a document that they checked out from a document library.
Checked out file User checks out a document located in a document library. Users can check out and make changes to documents that have been shared with them.
Copied file User copied a document from a site. The copied file can be saved to another folder on the site.
Deleted file User deletes a document from a site.
Deleted file from recycle bin User deleted a file from the recycle bin of a site.
Deleted file from second-stage recycle bin User deleted a file from the second-stage recycle bin of a site.
Deleted file marked as a record A document or email that was marked as a record was deleted. An item is considered a record when a retention label that marks items as a record is applied to content.
Detected document sensitivity mismatch User uploaded a document to a site that's protected with a sensitivity label and the document has a higher priority sensitivity label than the sensitivity label applied to the site.
Detected malware in file SharePoint anti-virus engine detected malware in a file.
Discarded file checkout User discarded (or undid) a checked out file. That means any changes they made to the file when it was checked out are discarded and not saved to the version of the document in the document library.
Downloaded file User downloaded a document from a site.
Modified file User or system account modified the content or the properties of a document on a site.
Moved file User moved a document from its current location on a site to a new location.
Page View Count Number of page views.
Performed search query User or system account performed a search in SharePoint.
Recycled all minor versions of file User deleted all minor versions from the version history of a file.
Recycled all versions of file User deleted all versions from the version history of a file.
Recycled version of file User deleted a version from the version history of a file.
Renamed file User renamed a document on a site.
Restored file User restored a document from the recycle bin of a site.
Uploaded file User uploaded a document to a folder on a site.
Users that Accessed File Detected with Malware Users that accessed file detected with malware.
View signaled by client A user's client (such as website or mobile app) has signaled that the indicated page has been viewed by the user.
M365_SharePoint_Online_Site Administration Activities Added allowed data location A SharePoint or global administrator added an allowed data location in a multi-geo environment.
Added exempt user agent A SharePoint or global administrator added a user agent to the list of exempt user agents in the SharePoint admin center.
Added geo location admin A SharePoint or global administrator added a user as a geo admin of a location.
Added user to create groups Site administrator or owner adds a permission level to a site that allows a user assigned that permission to create a group for that site.
Canceled site geo move A SharePoint or global administrator successfully cancels a SharePoint or OneDrive site geo move.
Changed a sharing policy A SharePoint or global administrator changed a SharePoint sharing policy by using the Microsoft 365 admin portal, SharePoint admin portal, or SharePoint Online Management Shell.
Changed device access policy A SharePoint or global administrator changed the unmanaged devices policy for your organization.
Changed exempt user agents A SharePoint or global administrator customized the list of exempt user agents in the SharePoint admin center.
Changed network access policy A SharePoint or global administrator changed the location-based access policy (also called a trusted network boundary) in the SharePoint admin center or by using SharePoint Online PowerShell.
Changed site geo move A site geo move that was scheduled by a global administrator in your organization was successfully completed.
Created Sent To connection A SharePoint or global administrator creates a new Send To connection on the Records management page in the SharePoint admin center.
Created site collection A SharePoint or global administrator creates a site collection in your SharePoint Online organization or a user provisions their OneDrive for Business site.
Deleted orphaned hub site A SharePoint or global administrator deleted an orphan hub site, which is a hub site that doesn't have any sites associated with it.
Deleted Sent To connection A SharePoint or global administrator deleted a Sent To connection on the Records management page in the SharePoint admin center.
Deleted site Site administrator deleted a site.
Enabled document preview Site administrator enabled document preview for a site.
Enabled legacy workflow Site administrator or owner added the SharePoint 2013 Workflow Task content type to the site.
Enabled Office on Demand Site administrator enabled Office on Demand, which lets users access the latest version of Office desktop applications.
Enabled result source for People Searches Site administrator created the result source for People Searches for a site.
Enabled RSS feeds Site administrator or owner enabled RSS feeds for a site.
Joined site to hub site A site owner associated their site with a hub site.
Registered hub site A SharePoint or global administrator created a hub site.
Removed allowed data location A SharePoint or global administrator removed an allowed data location in a multi-geo environment.
Removed geo location admin A SharePoint or global administrator removed a user as a geo admin of a location.
Renamed site Site administrator or owner renamed a site.
Scheduled site to geo move A SharePoint or global administrator successfully scheduled a SharePoint site geo move.
Set host site A SharePoint or global administrator changed the designated site to host personal (OneDrive for Business) sites.
Set storage quota for geo location A SharePoint or global administrator configured the storage quota for a geo location in a multi-geo environment.
Unjoined site from hub site A site owner disassociated their site from a hub site.
Unregistered hub site A SharePoint or global administrator unregistered a site as a hub site.
M365_SharePoint_Online_Sharing and Request Activities Accepted access request An access request to a site, folder, or document was accepted and the requesting user has been granted access.
Accepted sharing invitation User (member or guest) accepted a sharing invitation and was granted access to a resource.
Added permission level to site collection A permission level was added to a site collection.
Blocked sharing invitation A sharing invitation sent by a user in your organization is blocked because of an external sharing policy that either allows or denies external sharing based on the domain of the target user.
Created a company shareable link User created a company-wide link to a resource.
Created access request User requests access to a site, folder, or document they don't have permissions to access.
Created an anonymous link User created an anonymous link to a resource.
Created secure link A secure sharing link was created to this item.
Created sharing invitation User shared a resource in SharePoint Online with a user who isn't in your organization's directory.
Deleted secure link A secure sharing link was deleted.
Denied access request An access request to a site, folder, or document was denied.
Removed a company shareable link User removed a company-wide link to a resource. The link can no longer be used to access the resource.
Removed an anonymous link User removed an anonymous link to a resource. The link can no longer be used to access the resource.
Shared file, folder, or site User (member or guest) shared a file, folder, or site in SharePoint with a user in your organization's directory.
Unshared file, folder, or site User (member or guest) unshared a file, folder, or site that was previously shared with another user.
Updated access request An access request to an item was updated.
Updated an anonymous link User updated an anonymous link to a resource.
Updated sharing invitation An external sharing invitation was updated.
Used a company shareable link User accessed a resource by using a company-wide link.
Used an anonymous link An anonymous user accessed a resource by using an anonymous link.
Used secure link A user used a secure link.
User added to secure link A user was added to the list of entities who can use a secure sharing link.
User removed from secure link A user was removed from the list of entities who can use a secure sharing link.
Withdrew sharing invitation User withdrew a sharing invitation to a resource.
M365_SharePoint_Online_Site Permissions Added site collection admin Site collection administrator or owner adds a person as a site collection administrator for a site.
Added user or group to SharePoint group User added a member or guest to a SharePoint group.
Broke permission level inheritance An item was changed so that it no longer inherits permission levels from its parent.
Broke sharing inheritance An item was changed so that it no longer inherits sharing permissions from its parent.
Created group Site administrator or owner creates a group for a site, or performs a task that results in a group being created.
Deleted group User deletes a group from a site.
Modified 'Members Can Share' setting The Members Can Share setting was modified on a site.
Modified access request setting The access request settings were modified on a site.
Modified permission level on a site collection A permission level was changed on a site collection.
Modified site permissions Site administrator or owner (or system account) changes the permission level that is assigned to a group on a site.
Removed permission level from site collection A permission level was removed from a site collection.
Removed site collection admin Site collection administrator or owner removes a person as a site collection administrator for a site.
Removed user or group from SharePoint group User removed a member or guest from a SharePoint group.
Requested site admin permissions User requests to be added as a site collection administrator for a site collection.
Restored sharing inheritance A change was made so that an item inherits sharing permissions from its parent.
Updated group Site administrator or owner changes the settings of a group for a site.
M365_SharePoint_Usage Details % Free Storage % of free storage available.
Active File Count A file is considered active if it has been saved, synced, modified, or shared.
Page View Count Count of page views.
Total File Count Total number of files.
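The M365_SharePoint_Online_Sharing and Request Activities rows above (anonymous links created, used and removed; sharing invitations to users outside the directory; company-wide links; secure links) are the events that tell you how far an item has been exposed. The following Python is an added example, not code from the Splunk content pack or from Microsoft: it replays SharePoint audit records in the Office 365 Management Activity API shape (Operation, ObjectId as the item URL, TargetUserOrGroupName/Type for targeted shares) in time order, keeps per-item sharing state so that a removed anonymous link no longer counts as exposure while its use history is retained, and ranks items by the widest audience that can still reach them. The Operation strings are the audit-log names behind the table's activities; the SITE prefix and the sample records are constructed for this example.

```python
"""Summarise how far SharePoint/OneDrive items have been exposed by sharing.

Added example, not code from the Splunk content pack or from Microsoft. Records
follow the SharePoint shape of the Office 365 Management Activity API
(Operation, ObjectId as item URL, TargetUserOrGroupName/Type for targeted
shares). SITE and the sample records are constructed for this example.
"""
from typing import Iterable

# Audit Operation values behind the sharing activities listed in the table.
ANON_CREATED = "AnonymousLinkCreated"
ANON_USED = "AnonymousLinkUsed"
ANON_REMOVED = "AnonymousLinkRemoved"
INVITATION_CREATED = "SharingInvitationCreated"   # target not in the directory
TARGETED_SHARES = {"SharingSet", "AddedToSecureLink"}
COMPANY_LINK_CREATED = "CompanyLinkCreated"

# Exposure levels from widest to narrowest audience.
LEVELS = ("anonymous", "external", "company", "internal")


def new_item() -> dict:
    return {"anonymous_links": 0, "anonymous_uses": [], "external_targets": set(),
            "company_link": False, "shared_by": set()}


def summarize_exposure(records: Iterable[dict]) -> dict:
    """Per-item sharing state after replaying the records in time order."""
    items = {}
    for r in sorted(records, key=lambda x: x["CreationTime"]):
        op = r.get("Operation")
        item = items.setdefault(r["ObjectId"], new_item())
        if op == ANON_CREATED:
            item["anonymous_links"] += 1
            item["shared_by"].add(r.get("UserId"))
        elif op == ANON_REMOVED:
            # Removal revokes the link; the access history is kept.
            item["anonymous_links"] = max(0, item["anonymous_links"] - 1)
        elif op == ANON_USED:
            # Anonymous users carry no directory identity, so the IP is what
            # an investigator has to work with.
            item["anonymous_uses"].append((r.get("CreationTime"), r.get("ClientIP")))
        elif op == INVITATION_CREATED or (
                op in TARGETED_SHARES and r.get("TargetUserOrGroupType") == "Guest"):
            item["external_targets"].add(r.get("TargetUserOrGroupName", "").lower())
            item["shared_by"].add(r.get("UserId"))
        elif op == COMPANY_LINK_CREATED:
            item["company_link"] = True
            item["shared_by"].add(r.get("UserId"))
        elif op in TARGETED_SHARES:
            item["shared_by"].add(r.get("UserId"))
    return items


def exposure_level(item: dict) -> str:
    """Widest audience that can currently reach the item."""
    if item["anonymous_links"] > 0:
        return "anonymous"
    if item["external_targets"]:
        return "external"
    if item["company_link"]:
        return "company"
    return "internal"


def exposed_items(records: Iterable[dict]) -> list:
    """(item URL, level) for everything reachable beyond named members, widest first."""
    items = summarize_exposure(records)
    ranked = [(url, exposure_level(it)) for url, it in items.items()]
    ranked = [(url, lvl) for url, lvl in ranked if lvl != "internal"]
    return sorted(ranked, key=lambda p: (LEVELS.index(p[1]), p[0]))


# Constructed sample records (not real tenant data).
SITE = "https://contoso.sharepoint.com/sites/"
SAMPLE_RECORDS = [
    {"CreationTime": "2024-01-30T09:00:05", "Operation": "AnonymousLinkCreated",
     "UserId": "alice@contoso.com", "ClientIP": "198.51.100.7",
     "ObjectId": SITE + "Finance/Budget.xlsx"},
    {"CreationTime": "2024-01-30T09:12:48", "Operation": "AnonymousLinkUsed",
     "UserId": "urn:spo:anon#5f1c", "ClientIP": "203.0.113.77",
     "ObjectId": SITE + "Finance/Budget.xlsx"},
    {"CreationTime": "2024-01-30T09:20:31", "Operation": "SharingSet",
     "UserId": "bob@contoso.com", "TargetUserOrGroupName": "partner@example.net",
     "TargetUserOrGroupType": "Guest", "ObjectId": SITE + "HR/Policy.docx"},
    {"CreationTime": "2024-01-30T09:25:02", "Operation": "SharingSet",
     "UserId": "bob@contoso.com", "TargetUserOrGroupName": "carol@contoso.com",
     "TargetUserOrGroupType": "Member", "ObjectId": SITE + "Eng/Design.pptx"},
    {"CreationTime": "2024-01-30T09:31:19", "Operation": "CompanyLinkCreated",
     "UserId": "carol@contoso.com", "ObjectId": SITE + "Eng/Design.pptx"},
    {"CreationTime": "2024-01-30T09:40:00", "Operation": "AnonymousLinkCreated",
     "UserId": "dave@contoso.com", "ObjectId": SITE + "Marketing/Logo.png"},
    {"CreationTime": "2024-01-30T09:41:10", "Operation": "AnonymousLinkRemoved",
     "UserId": "dave@contoso.com", "ObjectId": SITE + "Marketing/Logo.png"},
]

if __name__ == "__main__":
    for url, level in exposed_items(SAMPLE_RECORDS):
        print(level, url)
```

Replaying the samples ranks the Finance budget first (an anonymous link that has already been used from an address outside the tenant), the HR policy second (shared to a guest), and the engineering deck third (company-wide link); the marketing logo drops back to internal because its anonymous link was removed.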

M365_Teams

This service contains services and KPIs for Microsoft Teams.

M365_Teams_Availability

This service contains KPIs for the availability of Microsoft Teams.

KPI Description
_Advisory KPI showing Advisory information related to O365 Teams.
_Incident KPI showing Incident related to O365 Teams.
_Plan for Change Informs users of changes to Microsoft 365 that may require them to take action to avoid disruptions in Teams service.
_Prevent or Fix Issues Informs users of known issues affecting the organization and may require them to take action to avoid disruptions in Teams service. Prevent or fix issues are different from Service health messages because they prompt users to be proactive to avoid issues.
_Stay Informed Informs users about new or updated features which are turning on in the organization. The features are usually announced first in the Microsoft 365 Teams Roadmap.
Extended recovery This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service Service is up and running.
Restoring service Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state.
Service degradation Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption This status displays when Microsoft determines that an issue affects the ability for users to access the service. The issue is significant and can be reproduced consistently.
Service Restored Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_Teams_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft Teams.

KPI Description
GT_Teams_SessionsStarted Number of Teams sessions started.
GT_Teams_TeamsCreated Count of new teams created.
GT_Teams_TeamsDeleted Count of teams that were deleted.
GT_Teams_TotalUniqueUsers Total count of unique users for Teams.
GT_Teams_UniqueTeams Total count of unique teams.

M365_Teams_Performance

This service contains KPIs for the performance of Microsoft Teams.

KPI Description
Operations KPI which aggregates several critical indicators of performance.

M365_Yammer

This service contains services and KPIs for Microsoft Yammer.

M365_Yammer_Availability

This service contains KPIs for the availability of Microsoft Yammer.

KPI Description
_Advisory KPI showing Advisory information related to O365 Yammer.
_Incident KPI showing Incidents related to O365 Yammer.
_Plan for Change Informs users of changes to Microsoft 365 that may require them to take action to avoid disruptions in Yammer service.
_Prevent or Fix Issues Informs users of known issues affecting the organization and may require them to take action to avoid disruptions in Yammer service. Prevent or fix issues are different from Service health messages because they prompt users to be proactive to avoid issues.
_Stay Informed Informs users about new or updated features which are turning on in the organization. The features are usually announced first in the Microsoft 365 Yammer Roadmap.
Extended recovery This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service Service is up and running.
Restoring service Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state.
Service degradation Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption This status displays when Microsoft determines that an issue affects the ability for users to access the service. The issue is significant and can be reproduced consistently.
Service Restored Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_Yammer_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft Yammer.

KPI Description
GT_Yammer_ActiveGroups The total active Yammer groups reported in the last 7 days.
GT_Yammer_PostedMessageCount The total posted message count from the Yammer tenant in the last seven day reporting period.
GT_Yammer_TotalGroups The latest reported total number Yammer groups.
GT_Yammer_TotalUniqueUsers Total unique users for Yammer.

M365_Yammer_Performance

This service contains KPIs for the performance of Microsoft Yammer.

KPI Description
Operations KPI which aggregates several critical indicators of performance.
Last modified on 30 January, 2024
This documentation applies to the following versions of Content Pack for Microsoft 365: 1.1.0, 1.2.0