Prerequisites to use cloud security dashboards

Using cloud security dashboards, you can onboard cloud data sources and explore your cloud security environment by displaying visualizations of your Amazon Web Services (AWS) and Microsoft 365 environments. To use cloud security dashboards, you must meet the following prerequisites:

If you already use the Amazon Web Services (AWS) and Microsoft 365 technology add-ons (TAs), you can point the following steps at your existing indexes instead of creating new ones.

  1. Create indexes to populate the cloud security dashboards. For more information on creating custom indexes, see Create custom indexes.
  2. Provide the index name in the Splunk Enterprise Security app settings following these steps:
    1. From the Splunk Enterprise Security menu, select Configure then General and then General settings.
      This displays the configuration settings of Splunk Enterprise Security by applications.
    2. Navigate to AWS Index or Microsoft 365 Index. The default value for AWS Index is aws_security, and the default value for Microsoft 365 Index is o365_security.

      Indexes with these default names are not created for you. You must create your own indexes to populate the cloud security dashboards and enter their names in both the AWS Index and the Microsoft 365 Index fields.

    3. Populate the index name in the app settings for AWS Index and Microsoft 365 Index.
  3. Install the Splunk Add-on for Amazon Kinesis Firehose and Splunk Add-on for Microsoft Office 365 from Splunkbase. Installing these add-ons helps to populate the cloud security dashboards and use them for insights into potential security issues such as errors, unusual events, unintended access, and suspicious activity.
  4. Configure the add-ons to send data to the Splunk platform and prepare the Splunk platform to receive the data.
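Because the dashboards stay empty when the index names entered in General settings do not match real stanzas, a preflight check is useful. The following added example (not Splunk's code) parses an indexes.conf and reports, for each configured name, whether a stanza exists, has the required path settings, and is not disabled; the sample conf and the `check_cloud_indexes` helper are constructed for this illustration.

```python
import configparser

# Constructed sample indexes.conf (not from a real deployment). It defines
# the AWS index but omits the Microsoft 365 one, which is exactly the gap
# that leaves the Microsoft 365 dashboards empty.
SAMPLE_INDEXES_CONF = """
[default]
maxTotalDataSizeMB = 500000

[aws_security]
homePath = $SPLUNK_DB/aws_security/db
coldPath = $SPLUNK_DB/aws_security/colddb
thawedPath = $SPLUNK_DB/aws_security/thaweddb
"""

# Path settings every custom index stanza needs (configparser lowercases keys).
REQUIRED_KEYS = ("homepath", "coldpath", "thawedpath")


def parse_indexes_conf(text):
    """Parse indexes.conf text into {stanza: {key: value}}; [default] is inherited."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       default_section="default")
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def check_index(stanzas, name):
    """Return a list of problems for one configured index name (empty = OK)."""
    stanza = stanzas.get(name)
    if stanza is None:
        return [f"index '{name}' has no stanza in indexes.conf"]
    problems = [f"index '{name}' is missing {key}"
                for key in REQUIRED_KEYS if key not in stanza]
    if stanza.get("disabled", "0").strip().lower() in ("1", "true"):
        problems.append(f"index '{name}' is disabled")
    return problems


def check_cloud_indexes(conf_text, aws_index="aws_security",
                        o365_index="o365_security"):
    """Check the names entered in ES General settings against indexes.conf."""
    stanzas = parse_indexes_conf(conf_text)
    return {"AWS Index": check_index(stanzas, aws_index),
            "Microsoft 365 Index": check_index(stanzas, o365_index)}


if __name__ == "__main__":
    for label, problems in check_cloud_indexes(SAMPLE_INDEXES_CONF).items():
        print(label, "OK" if not problems else "; ".join(problems))
```

Run it against the indexes.conf that is actually deployed on your indexers (the merged view from `splunk btool indexes list` is a good source) with the names you entered in General settings.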

Now you can use the visualizations on the following cloud security dashboards to explore your Amazon Web Services (AWS) and Microsoft 365 environments.

Risk factors turned on by default

The following risk factors are turned on by default:

  • The Critical Severity Alert risk factor increases the risk when the alert is critical severity.
  • The High Severity Alert risk factor increases the risk when the alert is high severity.
  • The Medium Severity Alert risk factor does not increase or decrease the risk when the alert is medium severity.
  • The Informational Severity Alert risk factor decreases the risk when the alert is informational severity.
  • The Low Severity Alert risk factor decreases the risk when the alert is low severity.

You can modify the calculated score for AWS GuardDuty and Security Hub alert risk events.

Last modified on 30 August, 2024
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
