Splunk® Enterprise Security

Use Splunk Enterprise Security

Microsoft 365 security dashboard

Get a summary of relevant Microsoft 365 security data to monitor your Microsoft 365 applications such as Active Directory, Exchange, Security and Compliance, Teams, and so on. Investigative searches help you probe deeper, when the facts warrant it.

Active Directory

To access the Active Directory dashboard, do the following:

  1. From the menu bar, select Analytics and then Cloud security.
  2. Select Microsoft 365.
  3. Select Active Directory.

The Active Directory dashboard includes the following panels:

Panel Source Type Datamodel
Password account lockouts o365:management:activity n/a
Users with enable vs. disable MFA o365:management:activity n/a
Failed user logins o365:management:activity n/a
Impossible travel o365:management:activity n/a
Added or removed bembers from group o365:management:activity n/a

Exchange

To access the Exchange dashboard, do the following:

  1. From the menu bar, select Analytics and then Cloud security.
  2. Select Microsoft 365.
  3. Select Exchange.

The Exchange dashboard includes the following panels:

Panel Source Type Datamodel
Exchange operations o365:management:activity n/a
External domain with forwarding policy o365:management:activity n/a
Mailbox exports o365:management:activity n/a
Mailbox forwarding rules o365:management:activity n/a
Full access permission changes o365:management:activity n/a

OneDrive and SharePoint

To access the OneDrive and SharePoint dashboard, do the following:

  1. From the menu bar, select Analytics and then Cloud security.
  2. Select Microsoft 365.
  3. Select OneDrive and SharePoint.

The OneDrive and SharePoint Dashboard includes the following panels:

Panel Source Type Datamodel
Activity by location o365:management:activity n/a
Operations over time o365:management:activity n/a
Activity by user o365:management:activity n/a
Items shared with external users o365:management:activity n/a
Risky downloads over time o365:management:activity n/a
Permission changes o365:management:activity n/a
Top SharePoint sites accessed o365:management:activity n/a

Security and Compliance

To access the Security and Compliance dashboard, do the following:

  1. From the menu bar, select Analytics and then Cloud security.
  2. Select Microsoft 365.
  3. Select Security and Compliance.

The Security and Compliance dashboard includes the following panels:

Panel Source Type Datamodel
Alerts over time o365:management:activity n/a
Alerts by user o365:management:activity n/a
Alerts by name o365:management:activity n/a
Alert details o365:management:activity n/a

Filter your panel results

You can filter the results that you see in the dashboard panels.

Filter Description
Time range Define the time range of a search with the time range picker.

Even though you can change the time range for all the panels, the behavior is different for the Password account lockouts panel. Changing the time range only changes the trend line in the panel. It doesn't change the number that displays in the panel. The time range for the number is hardcoded to 24 hours.

Last modified on 03 September, 2024
Access analyzer dashboard   Share Threat Data in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters