Splunk® Enterprise Security

Use Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Microsoft 365 Security in

Get a summary of relevant Microsoft 365 security data to monitor your Microsoft 365 applications such as Active Directory, Exchange, Security and Compliance, Teams, and so on. Investigative searches help you probe deeper when the facts warrant it.

Microsoft 365 Security Dashboards

Use the Microsoft 365 Security dashboards to monitor security activity in your Microsoft 365 applications.

Active Directory

To access the Active Directory dashboard, do the following:

  1. From the menu bar, select Cloud Security.
  2. Click Microsoft 365.
  3. Click Active Directory.

The Active Directory Dashboard includes the following panels:

Panel                                   Source Type               Datamodel
Password Account Lockouts               o365:management:activity  n/a
Users with Enable vs. Disable MFA       o365:management:activity  n/a
Failed User Logins                      o365:management:activity  n/a
Impossible Travel                       o365:management:activity  n/a
Non-existent Accounts - Login Attempts  o365:management:activity  n/a
Added/Removed Members from Group        o365:management:activity  n/a

Exchange

To access the Exchange dashboard, do the following:

  1. From the menu bar, select Cloud Security.
  2. Click Microsoft 365.
  3. Click Exchange.

The Exchange Dashboard includes the following panels:

Panel                                   Source Type               Datamodel
Exchange Operations by Location         o365:management:activity  n/a
External Domain with Forwarding Policy  o365:management:activity  n/a
Mailbox Exports                         o365:management:activity  n/a
Mailbox Forwarding Rules                o365:management:activity  n/a
FullAccess Permission Changes           o365:management:activity  n/a
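As an added illustration (not code from the Splunk documentation or the Enterprise Security app's own searches), the logic behind the Mailbox Forwarding Rules and External Domain with Forwarding Policy panels, run in Python over constructed records shaped like o365:management:activity events. The tenant domain list, the parameter names checked, and the sample records are assumptions.

```python
import json

# Constructed sample records (assumption) in the shape of Microsoft 365
# Unified Audit Log events as ingested under sourcetype
# o365:management:activity: Workload, Operation, UserId, Parameters[].
SAMPLE_EVENTS = [
    json.dumps({"Workload": "Exchange", "Operation": "New-InboxRule",
                "UserId": "alice@corp.example",
                "Parameters": [{"Name": "Name", "Value": "Archive"},
                               {"Name": "ForwardTo", "Value": "bob@corp.example"}]}),
    json.dumps({"Workload": "Exchange", "Operation": "Set-Mailbox",
                "UserId": "carol@corp.example",
                "Parameters": [{"Name": "ForwardingSmtpAddress",
                                "Value": "smtp:carol.backup@mail-example.net"}]}),
    json.dumps({"Workload": "Exchange", "Operation": "New-InboxRule",
                "UserId": "dave@corp.example",
                "Parameters": [{"Name": "ForwardAsAttachmentTo",
                                "Value": "x@external-example.org"}]}),
    json.dumps({"Workload": "Exchange", "Operation": "Set-Mailbox",
                "UserId": "erin@corp.example",
                "Parameters": [{"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
]

INTERNAL_DOMAINS = {"corp.example"}          # assumed tenant-owned domains
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

def forwarding_targets(event):
    """Return the forwarding destinations set by one audit record (may be empty)."""
    if event.get("Workload") != "Exchange" or event.get("Operation") not in FORWARDING_OPS:
        return []
    targets = []
    for p in event.get("Parameters", []):
        if p.get("Name") in FORWARDING_PARAMS:
            # Values may carry an "smtp:" prefix or be a ';'-separated list.
            for v in str(p.get("Value", "")).split(";"):
                v = v.strip().lower()
                v = v[5:] if v.startswith("smtp:") else v
                if "@" in v:
                    targets.append(v)
    return targets

def external_forwarding(raw_events, internal_domains=INTERNAL_DOMAINS):
    """Return (user, destination) pairs where mail is forwarded outside the tenant."""
    hits = []
    for line in raw_events:
        ev = json.loads(line)
        for dest in forwarding_targets(ev):
            if dest.rsplit("@", 1)[1] not in internal_domains:
                hits.append((ev["UserId"], dest))
    return hits
```

Internal forwarding (alice to bob) and a flag-only change (erin) are not reported; the two external destinations are.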

OneDrive and SharePoint

To access the OneDrive and SharePoint dashboard, do the following:

  1. From the menu bar, select Cloud Security.
  2. Click Microsoft 365.
  3. Click OneDrive and SharePoint.

The OneDrive and SharePoint Dashboard includes the following panels:

Panel                                   Source Type               Datamodel
Activity by Location                    o365:management:activity  n/a
Operations over Time                    o365:management:activity  n/a
Activity by User                        o365:management:activity  n/a
Items Shared with External Users        o365:management:activity  n/a
Risky Downloads over Time               o365:management:activity  n/a
Permission Changes                      o365:management:activity  n/a
Top SharePoint Sites Accessed           o365:management:activity  n/a

Security and Compliance

To access the Security and Compliance dashboard, do the following:

  1. From the menu bar, select Cloud Security.
  2. Click Microsoft 365.
  3. Click Security and Compliance.

The Security and Compliance Dashboard includes the following panels:

Panel                                   Source Type               Datamodel
Alerts over Time                        o365:management:activity  n/a
Alerts by User                          o365:management:activity  n/a
Alerts by Name                          o365:management:activity  n/a
Alert Details                           o365:management:activity  n/a


Filter your panel results

You can filter the results that you see in the dashboard panels.

Filter       Description
Time Range   Define the time range of a search with the time range picker.

Even though you can change the time range for all the panels, the Password Account Lockouts panel behaves differently: changing the time range only changes the trend line in the panel. It doesn't change the number that displays in the panel, because the time range for that number is hard-coded to 24 hours.

Last modified on 19 January, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2

