Splunk® Enterprise Security

Prerequisites to use Cloud Security dashboards

Before you can onboard Cloud data sources and use the Cloud Security dashboards to visualize your Amazon Web Services (AWS) and Microsoft 365 environments, you must meet the following prerequisites.

If you already use the AWS and Microsoft 365 technology add-ons (TAs), you can point the dashboards at your existing indexes in the following steps instead of creating new ones.

  1. Create the indexes that will hold the data for the Cloud Security dashboards. For more information on creating custom indexes, see Create custom indexes.
  2. Provide the index names in the Enterprise Security app settings:
    1. From the Splunk Enterprise Security menu, select Configure > General > General Settings.
      This displays the configuration settings of Splunk Enterprise Security, grouped by application.
    2. Navigate to the AWS Index and Microsoft 365 Index settings. The default value for AWS Index is aws_security and the default value for Microsoft 365 Index is o365_security.

      No indexes exist with these default names, so the dashboards stay empty until you create your own indexes and enter their names in both the AWS Index and Microsoft 365 Index fields.

    3. Enter the names of the indexes you created in the AWS Index and Microsoft 365 Index settings.
  3. Install the Splunk Add-on for Amazon Kinesis Firehose and the Splunk Add-on for Microsoft Office 365 from Splunkbase. These add-ons supply the data that populates the Cloud Security dashboards, which you can then use for insight into potential security issues such as errors, unusual events, unintended access, and suspicious activity.
  4. Configure the add-ons to send data to the Splunk platform, and prepare the Splunk platform to receive that data in the indexes you configured in step 2.
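The most common reason the Cloud Security dashboards stay empty after these steps is that the index names entered in General Settings do not match any index that actually exists on the indexers (the defaults aws_security and o365_security are not created for you). The following pre-flight check is an added example, not part of this documentation or of Splunk's own code: it parses an indexes.conf body, compares the defined index names against the two ES settings, and renders the stanza that would create any index that is missing. The indexes.conf content and the index names aws_sec and o365_sec are constructed for the example; on a real deployment you would feed it the merged configuration (for example the output of splunk btool indexes list) and the values you entered in the AWS Index and Microsoft 365 Index fields.

```python
import configparser
from typing import Dict, List

# Constructed indexes.conf content standing in for what is deployed on your
# indexers. The index names aws_sec and o365_sec are assumptions for this example.
SAMPLE_INDEXES_CONF = """
[default]
maxTotalDataSizeMB = 500000

[volume:hot]
path = /opt/splunk/var/lib/splunk

[aws_sec]
homePath = $SPLUNK_DB/aws_sec/db
coldPath = $SPLUNK_DB/aws_sec/colddb
thawedPath = $SPLUNK_DB/aws_sec/thaweddb

[o365_sec]
homePath = $SPLUNK_DB/o365_sec/db
coldPath = $SPLUNK_DB/o365_sec/colddb
thawedPath = $SPLUNK_DB/o365_sec/thaweddb
"""

# The defaults Enterprise Security shows under Configure > General > General Settings.
ES_DEFAULT_INDEX_SETTINGS: Dict[str, str] = {
    "AWS Index": "aws_security",
    "Microsoft 365 Index": "o365_security",
}


def defined_indexes(conf_text: str) -> List[str]:
    """Return the event index names defined in an indexes.conf body.

    [default] holds global settings and [volume:...] stanzas define storage
    volumes, so neither is an index that can receive data.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return [
        name for name in parser.sections()
        if name != "default" and not name.startswith("volume:")
    ]


def missing_cloud_security_indexes(settings: Dict[str, str], conf_text: str) -> Dict[str, str]:
    """Map each ES setting label to its configured index name when that index does not exist."""
    present = set(defined_indexes(conf_text))
    return {label: index for label, index in settings.items() if index not in present}


def indexes_conf_stanza(index: str) -> str:
    """Render a minimal indexes.conf stanza that would create a missing index.

    Splunk index names use lowercase letters, digits, underscores and hyphens
    and may not start with an underscore or hyphen; reject anything else so a
    typo in General Settings is not silently turned into a new index.
    """
    if not index or index[0] in "_-" or not all(c.isalnum() or c in "_-" for c in index) or index != index.lower():
        raise ValueError(f"not a valid index name: {index!r}")
    return (
        f"[{index}]\n"
        f"homePath = $SPLUNK_DB/{index}/db\n"
        f"coldPath = $SPLUNK_DB/{index}/colddb\n"
        f"thawedPath = $SPLUNK_DB/{index}/thaweddb\n"
    )


if __name__ == "__main__":
    # With the defaults left untouched, both dashboards point at indexes that do not exist.
    for label, index in missing_cloud_security_indexes(ES_DEFAULT_INDEX_SETTINGS, SAMPLE_INDEXES_CONF).items():
        print(f"{label} = {index}: no such index; add to indexes.conf:\n{indexes_conf_stanza(index)}")
    # Once the settings name the indexes that are actually deployed, nothing is reported.
    configured = {"AWS Index": "aws_sec", "Microsoft 365 Index": "o365_sec"}
    print(missing_cloud_security_indexes(configured, SAMPLE_INDEXES_CONF))
```

After the indexes exist and the add-ons are sending data, confirm events are actually landing with a search such as index=aws_sec earliest=-24h | stats count by sourcetype (substituting your index name); an index that exists but holds no events from the expected sourcetypes points at the add-on configuration in step 4 rather than at the ES settings.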

You can now use the visualizations on the Cloud Security dashboards listed under Learn more to explore your Amazon Web Services (AWS) and Microsoft 365 environments.

Risk factors enabled by default

The risk score calculated for AWS GuardDuty and Security Hub alert risk events is adjusted by severity-based risk factors, and you can modify these factors to change the score.

The following risk factors are enabled by default:

  • The Critical Severity Alert risk factor increases the risk when the alert is critical severity.
  • The High Severity Alert risk factor increases the risk when the alert is high severity.
  • The Medium Severity Alert risk factor does not increase or decrease the risk when the alert is medium severity.
  • The Informational Severity Alert risk factor decreases the risk when the alert is informational severity.
  • The Low Severity Alert risk factor decreases the risk when the alert is low severity.
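To make the effect of these factors concrete, the following is an added example, not Splunk Enterprise Security code: it normalizes the severity of a GuardDuty finding (numeric score) and of a Security Hub finding (Severity.Label) to the five severity levels named above and then applies a per-level multiplier to a base risk score. The multiplier values are assumptions chosen to match the directions stated on this page (critical and high raise the score, medium leaves it unchanged, low and informational lower it); the real values are whatever you configure in the risk factor editor. The GuardDuty ranges Low 1.0-3.9, Medium 4.0-6.9 and High 7.0-8.9 are AWS's documented ranges; treating anything at 9.0 or above as critical is an assumption. The sample alerts are constructed and their titles are illustrative.

```python
from typing import Dict, List, Tuple

# Assumed multipliers. This page states only the direction of each factor;
# the actual values are set in the ES risk factor editor.
RISK_FACTOR_MULTIPLIERS: Dict[str, float] = {
    "critical": 2.0,        # Critical Severity Alert: increases risk
    "high": 1.5,            # High Severity Alert: increases risk
    "medium": 1.0,          # Medium Severity Alert: no change
    "low": 0.5,             # Low Severity Alert: decreases risk
    "informational": 0.25,  # Informational Severity Alert: decreases risk
}


def guardduty_severity_label(score: float) -> str:
    """Map a GuardDuty numeric severity to a label.

    AWS documents Low as 1.0-3.9, Medium as 4.0-6.9 and High as 7.0-8.9.
    Scores of 9.0 and above are treated as critical here (assumption), and
    anything below 1.0 is treated as informational.
    """
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score >= 1.0:
        return "low"
    return "informational"


def securityhub_severity_label(label: str) -> str:
    """Normalize a Security Hub Severity.Label (INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL)."""
    normalized = label.strip().lower()
    if normalized not in RISK_FACTOR_MULTIPLIERS:
        raise ValueError(f"unknown Security Hub severity label: {label!r}")
    return normalized


def alert_severity(alert: Dict) -> str:
    """Return the normalized severity level for a GuardDuty or Security Hub alert."""
    if alert["source"] == "guardduty":
        return guardduty_severity_label(float(alert["severity"]))
    if alert["source"] == "securityhub":
        return securityhub_severity_label(alert["severity"])
    raise ValueError(f"unsupported alert source: {alert['source']!r}")


def apply_severity_risk_factor(alert: Dict, base_score: float,
                               multipliers: Dict[str, float] = RISK_FACTOR_MULTIPLIERS) -> float:
    """Apply the severity risk factor that matches the alert to its base risk score."""
    return base_score * multipliers[alert_severity(alert)]


def score_alerts(alerts: List[Dict], base_score: float = 20.0) -> List[Tuple[str, str, float]]:
    """Return (title, severity, adjusted score) for each alert."""
    return [(a["title"], alert_severity(a), apply_severity_risk_factor(a, base_score)) for a in alerts]


# Constructed sample alerts; titles are illustrative, not real finding types.
SAMPLE_ALERTS: List[Dict] = [
    {"source": "guardduty", "severity": 8.0, "title": "Console login from unusual location"},
    {"source": "guardduty", "severity": 2.5, "title": "Port probe on unprotected port"},
    {"source": "securityhub", "severity": "CRITICAL", "title": "Root account access key active"},
    {"source": "securityhub", "severity": "MEDIUM", "title": "S3 bucket without default encryption"},
    {"source": "securityhub", "severity": "INFORMATIONAL", "title": "Config recorder enabled"},
]


if __name__ == "__main__":
    for title, severity, score in score_alerts(SAMPLE_ALERTS):
        print(f"{score:6.1f}  {severity:<13} {title}")
```

Because the factors multiply rather than add, lowering the low and informational multipliers is what keeps a noisy source such as Security Hub compliance checks from pushing an asset over a risk notable threshold, while the critical and high multipliers let a single serious GuardDuty finding get there on its own; tune the values in the risk factor editor with that trade-off in mind.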

Learn more

  • Security Groups for your VPC
  • User and Authentication Activity
  • Network ACL Analytics
  • AWS Access Analyzer
  • Microsoft 365 Security

Last modified on 19 January, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
