Microsoft 365 security dashboard
Get a summary of relevant Microsoft 365 security data to monitor your Microsoft 365 applications such as Active Directory, Exchange, Security and Compliance, Teams, and so on. Investigative searches help you probe deeper, when the facts warrant it.
Active Directory
To access the Active Directory dashboard, do the following:
- From the menu bar, select Analytics and then Cloud security.
- Select Microsoft 365.
- Select Active Directory.
The Active Directory dashboard includes the following panels:
| Panel | Source Type | Datamodel |
|---|---|---|
| Password account lockouts | o365:management:activity
|
n/a
|
| Users with enable vs. disable MFA | o365:management:activity
|
n/a
|
| Failed user logins | o365:management:activity
|
n/a
|
| Impossible travel | o365:management:activity
|
n/a
|
| Added or removed bembers from group | o365:management:activity
|
n/a
|
Exchange
To access the Exchange dashboard, do the following:
- From the menu bar, select Analytics and then Cloud security.
- Select Microsoft 365.
- Select Exchange.
The Exchange dashboard includes the following panels:
| Panel | Source Type | Datamodel |
|---|---|---|
| Exchange operations | o365:management:activity
|
n/a
|
| External domain with forwarding policy | o365:management:activity
|
n/a
|
| Mailbox exports | o365:management:activity
|
n/a
|
| Mailbox forwarding rules | o365:management:activity
|
n/a
|
| Full access permission changes | o365:management:activity
|
n/a
|
To access the OneDrive and SharePoint dashboard, do the following:
- From the menu bar, select Analytics and then Cloud security.
- Select Microsoft 365.
- Select OneDrive and SharePoint.
The OneDrive and SharePoint Dashboard includes the following panels:
| Panel | Source Type | Datamodel |
|---|---|---|
| Activity by location | o365:management:activity
|
n/a
|
| Operations over time | o365:management:activity
|
n/a
|
| Activity by user | o365:management:activity
|
n/a
|
| Items shared with external users | o365:management:activity
|
n/a
|
| Risky downloads over time | o365:management:activity
|
n/a
|
| Permission changes | o365:management:activity
|
n/a
|
| Top SharePoint sites accessed | o365:management:activity
|
n/a
|
Security and Compliance
To access the Security and Compliance dashboard, do the following:
- From the menu bar, select Analytics and then Cloud security.
- Select Microsoft 365.
- Select Security and Compliance.
The Security and Compliance dashboard includes the following panels:
| Panel | Source Type | Datamodel |
|---|---|---|
| Alerts over time | o365:management:activity
|
n/a
|
| Alerts by user | o365:management:activity
|
n/a
|
| Alerts by name | o365:management:activity
|
n/a
|
| Alert details | o365:management:activity
|
n/a
|
Filter your panel results
You can filter the results that you see in the dashboard panels.
| Filter | Description |
|---|---|
| Time range | Define the time range of a search with the time range picker. Even though you can change the time range for all the panels, the behavior is different for the Password account lockouts panel. Changing the time range only changes the trend line in the panel. It doesn't change the number that displays in the panel. The time range for the number is hardcoded to 24 hours. |
| Access analyzer dashboard | Share Threat Data in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
Download manual
Feedback submitted, thanks!