Microsoft 365 Security in
Get a summary of relevant Microsoft 365 security data to monitor your Microsoft 365 applications such as Active Directory, Exchange, Security and Compliance, Teams, and so on. Investigative searches help you probe deeper, when the facts warrant it.
Microsoft 365 Security Dashboards
Use the Microsoft 365 Security Dashboard to monitor security activity in your Microsoft 365 applications.
Active Directory
To access the Active Directory dashboard, do the following:
- From the menu bar, select Cloud Security.
- Click Microsoft 365.
- Click Active Directory.
The Active Directory Dashboard includes the following panels:
Panel | Source Type | Datamodel |
---|---|---|
Password Account Lockouts | o365:management:activity | n/a |
Users with Enable vs. Disable MFA | o365:management:activity | n/a |
Failed User Logins | o365:management:activity | n/a |
Impossible Travel | o365:management:activity | n/a |
Non-existent Accounts - Login Attempts | o365:management:activity | n/a |
Added/Removed Members from Group | o365:management:activity | n/a |
Exchange
To access the Exchange dashboard, do the following:
- From the menu bar, select Cloud Security.
- Click Microsoft 365.
- Click Exchange.
The Exchange Dashboard includes the following panels:
Panel | Source Type | Datamodel |
---|---|---|
Exchange Operations by Location | o365:management:activity | n/a |
External Domain with Forwarding Policy | o365:management:activity | n/a |
Mailbox Exports | o365:management:activity | n/a |
Mailbox Forwarding Rules | o365:management:activity | n/a |
FullAccess Permission changes | o365:management:activity | n/a |
OneDrive and SharePoint
To access the OneDrive and SharePoint dashboard, do the following:
- From the menu bar, select Cloud Security.
- Click Microsoft 365.
- Click OneDrive and SharePoint.
The OneDrive and SharePoint Dashboard includes the following panels:
Panel | Source Type | Datamodel |
---|---|---|
Activity by Location | o365:management:activity | n/a |
Operations over Time | o365:management:activity | n/a |
Activity by User | o365:management:activity | n/a |
Items Shared with External Users | o365:management:activity | n/a |
Risky Downloads over Time | o365:management:activity | n/a |
Permission Changes | o365:management:activity | n/a |
Top SharePoint Sites Accessed | o365:management:activity | n/a |
Security and Compliance
To access the Security and Compliance dashboard, do the following:
- From the menu bar, select Cloud Security.
- Click Microsoft 365.
- Click Security and Compliance.
The Security and Compliance Dashboard includes the following panels:
Panel | Source Type | Datamodel |
---|---|---|
Alerts over Time | o365:management:activity | n/a |
Alerts by User | o365:management:activity | n/a |
Alerts by Name | o365:management:activity | n/a |
Alert Details | o365:management:activity | n/a |
Filter your panel results
You can filter the results that you see in the dashboard panels.
Filter | Description |
---|---|
Time Range | Define the time range of a search with the time range picker. Even though you can change the time range for all the panels, the behavior is different for the Password Account Lockouts panel. Changing the time range only changes the trend line in the panel. It doesn't change the number that displays in the panel. The time range for the number is hardcoded to 24 hours. |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2