Prerequisites to use Cloud Security dashboards
To onboard cloud data sources and explore your Cloud Security environment through the visualizations of your Amazon Web Services (AWS) and Microsoft 365 environments on the Cloud Security dashboards, you must meet the following prerequisites.
If you are currently using the Amazon Web Services (AWS) and Microsoft 365 technology add-ons (TAs), you can configure your existing indexes by following these steps instead of creating a new index.
- Create indexes to populate the Cloud Security dashboards. For more information on creating custom indexes, see Create custom indexes.
- Provide the index name in the Enterprise Security app settings by following these steps:
  - From the Splunk Enterprise Security menu, select Configure > General > General Settings. This displays the configuration settings of Splunk Enterprise Security by application.
  - Navigate to AWS Index or Microsoft 365 Index. The default value for the AWS Index is aws_security and the default value for the Microsoft 365 Index is o365_security. No indexes exist with these default names: you must create your own indexes to populate the Cloud Security dashboards and provide their names in the index field for both the AWS Index and the Microsoft 365 Index.
  - Populate the index name in the app settings for AWS Index and Microsoft 365 Index.
- Install the Splunk Add-on for Amazon Kinesis Firehose and the Splunk Add-on for Microsoft Office 365 from Splunkbase.
  - For more information on installing the add-on, see Splunk Add-on for Amazon Kinesis Firehose.
  - For more information on installing the add-on, see Splunk Add-on for Microsoft Office 365.
- Configure the add-ons to send data to the Splunk platform and prepare the Splunk platform to receive the data.
  - For more information on configuring the Splunk Add-on for Amazon Kinesis Firehose, see Configure Firehose.
  - For more information on configuring the Splunk Add-on for Microsoft 365, see Configure Microsoft 365.
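As an added illustration, not taken from the Splunk documentation, the following indexes.conf stanzas create the two custom indexes that the steps above call for, using the same names the General Settings page shows as defaults so that the Enterprise Security setting and the on-disk index agree. The app directory, the storage paths and the retention value are assumptions to adjust for your deployment.

```ini
# indexes.conf -- added example, not part of the Splunk documentation.
# Deploy under $SPLUNK_HOME/etc/apps/<your_app>/local/ on the indexers
# (<your_app> is a placeholder), or push it through the cluster manager,
# then restart or reload the indexers so the indexes are created.

# Index for AWS data (for example GuardDuty and Security Hub alerts) read by
# the Cloud Security dashboards; name matches the default "AWS Index" value
# in Enterprise Security General Settings.
[aws_security]
homePath   = $SPLUNK_DB/aws_security/db
coldPath   = $SPLUNK_DB/aws_security/colddb
thawedPath = $SPLUNK_DB/aws_security/thaweddb
# Assumed retention of 90 days, expressed in seconds; set to your own policy.
frozenTimePeriodInSecs = 7776000

# Index for Microsoft 365 data; name matches the default "Microsoft 365 Index"
# value in Enterprise Security General Settings.
[o365_security]
homePath   = $SPLUNK_DB/o365_security/db
coldPath   = $SPLUNK_DB/o365_security/colddb
thawedPath = $SPLUNK_DB/o365_security/thaweddb
frozenTimePeriodInSecs = 7776000
```

Once the indexes exist and the add-ons are sending data, a quick check from the Search bar such as `index=aws_security OR index=o365_security | stats count by index, sourcetype` confirms that events are landing where the dashboards look for them. An empty result usually means the add-on input is writing to a different index than the one entered under AWS Index or Microsoft 365 Index, in which case the dashboards stay blank even though data is arriving.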
Now you can use the visualizations on the following Cloud Security dashboards to explore your Amazon Web Services (AWS) and Microsoft 365 environments.
Risk factors enabled by default
You can modify the calculated score for AWS GuardDuty and Security Hub alert risk events.
The following risk factors are enabled by default:
- The Critical Severity Alert risk factor increases the risk when the alert is critical severity.
- The High Severity Alert risk factor increases the risk when the alert is high severity.
- The Medium Severity Alert risk factor does not increase or decrease the risk when the alert is medium severity.
- The Informational Severity Alert risk factor decreases the risk when the alert is informational severity.
- The Low Severity Alert risk factor decreases the risk when the alert is low severity.
Learn more
Security Groups for your VPC in
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2