Content Pack for Microsoft 365

This documentation does not apply to the most recent version of Content Pack for Microsoft 365. For documentation on the most recent version, go to the latest release.

Use the Content Pack for Microsoft 365

Once you install the Content Pack for Microsoft 365 and configure the Splunk Add-on for Microsoft Office 365 to collect data, you can use the content pack to monitor your Microsoft 365 environment.

The content pack includes the following views into the different layers of your Microsoft 365 services:

  • Glass Tables: Visualize and monitor the interrelationships and dependencies across your services.
  • Service Analyzer: Provides real-time visibility into the health of your service components.
  • Entity Health page: Group and analyze entities receiving data from Microsoft 365.

Monitor your overall Microsoft 365 environment

The content pack includes several preconfigured Glass Tables that give you a real-time overview of what's going on in your Microsoft 365 environment.

The following image shows the M365 Overview Dashboard:

This image shows the Glass Table called the M365 Overview Dashboard, populated with example data. This Glass Table provides visibility of top-level service health as well as base metrics for the top services in your Microsoft 365 environment. The view is made up of several panels including Incidents, Portal Latency, and KPIs.

Microsoft 365 Glass Tables

The following Glass Tables are included in the content pack:

You must install the Splunk Add-on for Microsoft Exchange for the Exchange and 365 Glass Table to display Microsoft Exchange data. See Install and configure the Content Pack for Microsoft Exchange.

| Glass Table | Description |
|---|---|
| Exchange & 365 Glass Table [Executive Overview] | This combined executive overview contains executive-level metrics for Microsoft 365 and Microsoft Exchange. This view enables your IT operations team to drill down into the individual services in each area. Click any abnormal service health score to open and investigate it in the Service Analyzer. |
| M365 Executive Overview | This executive overview contains executive-level metrics to illustrate the service levels you're delivering. This view displays the availability and performance of major areas of Microsoft 365, including OneDrive, SharePoint, Teams, Yammer, and Exchange. This view enables your IT operations team to drill down into the individual services in each area. Click any abnormal service health score to open and investigate it in the Service Analyzer. |
| M365 Incident and Message Dashboard | The Incident and Message view provides visibility across your services and displays trends for each incident, enabling you to proactively communicate about activities and events that impact customer experience. The glass table also displays the most recent incidents affecting your services, and recent messages. |
| M365 Overview Dashboard | This view provides visibility of top-level service health as well as base metrics for the top services in Microsoft 365 such as Exchange, OneDrive, SharePoint, Yammer, PowerBI, and Teams, enabling you to remediate outages or investigate low service health scores. You can also view security metrics and login success and failure trends in a single view. |
| M365 Security Dashboard - Overview | The security view highlights metrics that track suspicious activities, unusual emails, and login anomalies to help you detect security threats to your environment. You can drill down into specific security anomalies using the Service Analyzer. |
| M365 Security Dashboard - Threat Detection | The threat detection view provides a high-level view into potential security threats to your environment, such as authorization/login anomalies, suspicious user activities, and malware detection. You can drill down into specific security anomalies using the Service Analyzer. |
| M365 Security Dashboard - Threat Management | Track and manage suspicious activities, such as emails reported as phishing attempts or security and compliance issues. You can drill down into specific anomalies using the Service Analyzer. |

Monitor Microsoft 365 services

The M365 Service Analyzer provides instant, real-time visibility into the health of your Microsoft 365 environment and all its components, with granular composite health scores across the entire service path. Use the Service Analyzer to quickly detect service anomalies based on visibility into the health of each of the service components that affect your overall performance, including SharePoint, PowerBI, OneDrive, and Exchange.

The M365 Service Analyzer is a premium feature of the content pack and is only available for ITSI users.

To access the custom Service Analyzer view, perform the following steps:

  1. From the ITSI main menu, click Service Analyzer > Analyzers.
  2. Select M365 Service Analyzer from the list of analyzers.
  3. Use the available fields and filters at the top of the page to curate the content displayed.

Any critical or high severity episodes associated with the service are displayed in the side panel. Click View All to view all associated episodes in Episode Review.

The following image shows the tree view for the Service Analyzer:

This image shows the M365 Service Analyzer, which is accessible from the ITSI main menu. This image is populated with example data and shows the Top 50 Services with corresponding color-coded health scores.

Monitor Microsoft 365 alerts

Some services in the Content Pack for Microsoft 365 are configured to generate notable events when aggregate KPI threshold values reach specific levels. The default aggregation policy then groups these events into meaningful episodes in Episode Review.

To monitor and investigate all episodes in your Microsoft 365 environment, navigate to Episode Review. You can drill down into individual episodes to perform more granular root cause analysis, such as viewing an events timeline or examining common fields. You can then take specific actions on these episodes such as pinging a host, sending an email, or creating a ticket in ServiceNow or Remedy.

For more information on using Episode Review, see Overview of Episode Review in ITSI in the Event Analytics Manual.

Monitor Microsoft 365 entities

The content pack includes the following entity types that group entities originating from Microsoft 365:

  • ITSI Import Objects - M365 Tenants
  • ITSI Import Objects - Power BI Workspaces
  • ITSI Import Objects - Sharepoint Sites

The entity types contain a set of vital metrics, which are statistical calculations based on SPL searches that represent the overall health of entities of that type.

To view the Entity Health page for the entity types, perform the following steps:

  1. From the ITSI or IT Essentials Work main menu, click Infrastructure Overview.
  2. In the Group by drop-down, choose Entity Type.
  3. Select one of the Microsoft 365 entity types to drill down into its vital metrics.

For more information about entity types and vital metrics, see Overview of entity types in ITSI in the Entity Integrations Manual.

Vital metrics for M365 Tenants

The following table lists the vital metrics for the M365 Tenants entity type:

| Vital metric | Description |
|---|---|
| Azure Active Users | Displays count of distinct active users in Azure Entra ID (formerly Azure AD), with a span of 10 minutes |
| Exchange Active Users | Displays count of distinct active users in Exchange, with a span of 10 minutes |
| Microsoft Teams Active Users | Displays count of distinct active users in Microsoft Teams, with a span of 10 minutes |
| OneDrive Active Users | Displays count of distinct active users in OneDrive, with a span of 10 minutes |
| Sharepoint Active Users | Displays count of distinct active users in SharePoint, with a span of 10 minutes |
| Yammer Active Users | Displays count of distinct active users in Yammer, with a span of 10 minutes |

Vital metrics for Power BI Workspaces

The following table lists the vital metrics for the Power BI Workspaces entity type:

| Vital metric | Description |
|---|---|
| Dashboard Views | Displays count of dashboard views in each Power BI Workspace, with a span of 10 minutes |
| Report Views | Displays count of report views in each Power BI Workspace, with a span of 10 minutes |
| Report Creations | Displays count of report creations in each Power BI Workspace, with a span of 10 minutes |
| Dataset Creations | Displays count of dataset creations in each Power BI Workspace, with a span of 10 minutes |

Vital metrics for Sharepoint Sites

The following table lists the vital metrics for the Sharepoint Sites entity type:

| Vital metric | Description |
|---|---|
| Page Views Count | Displays page view count in each SharePoint site, with a span of 10 minutes |
| Distinct User Page View Count | Displays count of distinct users that viewed a page in each SharePoint site, with a span of 10 minutes |
| File Accessed Count | Displays count of files accessed in each SharePoint site, with a span of 10 minutes |
| Distinct User File Accessed Count | Displays count of distinct users that accessed a file in each SharePoint site, with a span of 10 minutes |

Entity dashboards

You can select an individual entity on the Entity Health page to drill down further into its performance metrics and log events. The Event Data Search dashboard displays the most recent log events associated with an entity over the last hour. The Analytics dashboard lets you view the trend of data coming in from each host by source type in a single snapshot.

To learn more about the available entity dashboards, see the following resources:

Microsoft 365 dashboards

The Content Pack for Microsoft 365 includes several dashboards. These dashboards cover a variety of use cases and enable you to view activity across all of your services.

The following image shows the M365 Security Alerts Overview dashboard:

This image shows the M365 Security Alerts Overview dashboard, populated with example data. Fields at the top of the dashboard enable users to curate the content displayed on the dashboard panels. On this dashboard there are panels with data visualized as a pie chart and line graph to show alert related information.

Available dashboards

The content pack ships with the following dashboards:

  • M365 Azure Active Directory Overview
  • M365 Usage & Adoption
  • M365 Overview
  • M365 User Audit
  • M365 Exchange Overview
  • M365 OneDrive Overview
  • M365 OneDrive File Investigator
  • M365 Teams Overview
  • M365 Teams Activity Audit
  • M365 Teams Security Monitoring
  • M365 PowerBI Overview
  • M365 Sharepoint Overview
  • M365 Security Alerts Overview

Access the dashboards

Perform the following steps to access the dashboards:

  1. Log in to Splunk Web.
  2. Select App > IT Service Intelligence or IT Essentials Work.
  3. From the navigation bar, select Dashboards > Dashboards to see the list of dashboards.
  4. In the App column, dashboards listed as DA-ITSI-CP-m365 are part of the Content Pack for Microsoft 365.
Last modified on 30 January, 2024

This documentation applies to the following versions of Content Pack for Microsoft 365: 1.2.0

