Splunk® Content Packs for ITSI and IT Essentials Work

Splunk Content Packs for ITSI and IT Essentials Work

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

KPI reference for the Content Pack for Microsoft 365

The following tables list the KPIs used to monitor the health of your servers in the Content Pack for Microsoft 365. All parent and child services report up to the overall M365 service at the highest level. All KPIs in this content pack have a 15-minute schedule and 15-minute lookback time.

M365_App Availability

This service contains the KPIs for the availability of Microsoft 365 Applications.

KPI Description
Extended recovery This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service Service is up and running.
Restoring service Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state.
Service degradation Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service Restored Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_AzureActiveDirectory

This service contains services and KPIs for Azure Active Directory.

M365_AzureAD_Availability

This service contains KPIs for the availability of Azure Active Directory.

KPI Description
Extended recovery This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service Service is up and running.
Restoring service Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state.
Service degradation Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption You'll see this status Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently.
Service Restored Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_AzureAD_Performance

This service includes services and KPIs for the performance of application, directory, group, login, role and user activity in Azure Active Directory.

Service KPI Description
M365_AzureAD_Application Administration Activities Added credentials to a service principal Credentials were added to a service principal in Azure AD. A service principle represents an application in the directory.
Added delegation entry An authentication permission was created/granted to an application in Azure AD.
Added service principal An application was registered in Azure AD. An application is represented by a service principal in the directory.
Removed a service principal from the directory An application was deleted/unregistered from Azure AD. An application is represented by a service principal in the directory.
Removed credentials from a service principal Credentials were removed from a service principal in Azure AD. A service principle represents an application in the directory.
Removed delegation entry An authentication permission was removed from an application in Azure AD.
Set delegation entry An authentication permission was updated for an application in Azure AD.
365_AzureAD_Directory Administration Activities Added a partner to the directory Added a partner (delegated administrator) to your organization.
Added domain to company Added a domain to your organization.
Removed a partner from the directory Removed a partner (delegated administrator) from your organization.
Removed domain from company Removed a domain from your organization.
Set company information Updated the company information for your organization. This includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about Microsoft 365 services.
Set domain authentication Changed the domain authentication setting for your organization.
Set password policy Changed the length and character constraints for user passwords in your organization.
Turned on Azure AD sync Set the property that enables a directory for Azure AD Sync.
Updated domain Updated the settings of a domain in your organization.
Updated the federation settings for a domain Changed the federation (external sharing) settings for your organization.
Verified domain Verified that your organization is the owner of a domain.
Verified email verified domain Used email verification to verify that your organization is the owner of a domain.
365_AzureAD_Group Administration Activities Added group A group was created.
Added member to group A member was added to a group.
Deleted group A group was deleted.
Removed member from group A member was removed from a group.
Updated group A property of a group was changed.
365_AzureAD_Login Activity Authentication Methods Authentications methods used to login
Distinct User Sign-ins Count of distinct user logins.
Logins by Region Logins by Country.
Logon Errors Errors occurred when user attempted to login.
Operation-UserLoggedIn Shows count of successfully logged in users by IP address.
Operation-UserLoginFailed Shows count of users who failed to log in users by IP address.
Risky Login Event Types Risk detection types associated with the sign-in.
Successful Logins from External Users Successful logins from users outside organization.
User Agents User agents of users when logging in.
User Types Type of user.
365_AzureAD_Role Administration Activities Add member to Role Added a user to an admin role in Microsoft 365.
Removed a user from a directory role Removed a user to from an admin role in Microsoft 365.
Set company contact information Updated the company-level contact preferences for your organization. This includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about services.
365_AzureAD_User Administration Activities Added user A user account was created.
Changed user license The license assigned to a user what changed.
Changed user password A user changes their password.
Deleted user A user account was deleted.
Reset user password Administrator resets the password for a user.
Set license properties Administrator modifies the properties of a licensed assigned to a user.
Set property that forces user to change password Administrator set the property that forces a user to change their password the next time the user signs in to Office 365.
Updated user Administrator changes one or more properties of a user account.

M365_Exchange

This service contains services and KPIs for Microsoft 365 Exchange.

M365_Exchange_Availability

This service contains KPIs for the availability of Microsoft 365 Exchange.

KPI Description
_Advisory (messages) KPI showing Advisory Messages for Microsoft 365 Exchange.
_Advisory (status) KPI showing Advisory Status for Microsoft 365 Exchange.
_Incident (messages) KPI showing Incident Messages for Microsoft 365 Exchange.
_Incident (status) KPI showing Incident Status for Microsoft 365 Exchange.
Extended recovery This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service Service is up and running.
Restoring service Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state.
Service degradation Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption You'll see this status Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently.
Service Restored Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_Exchange_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft Exchange.

KPI Description
GT_Exchange_ActiveMailboxes Count of currently active mailboxes.
GT_Exchange_MailboxLogins Count of mailbox logins by users.
GT_Exchange_MailboxStorageUsage Total Mailbox storage used (GB).
GT_Exchange_ReceivedEmailCount Count of total emails received.
GT_Exchange_TotalMailboxes Count of mailboxes.
GT_Exchange_TotalUniqueUsers Total unique users and the operations they are performing.

M365_Exchange_Performance

This service contains KPIs for the performance of Microsoft 365 Exchange.

KPI Description
Archive Quota KPI shows the Exchange Archive Quota, subscribers are often limited to 50GB
Archive Warning Quota KPI shows the Exchange Archive Warning Quota, as you are approaching the limited archive space
Issue Warning Quota This is the maximum storage limit before a warning is issued to the user. If the mailbox size reaches or exceeds the value specified, Exchange sends a warning message to the user.
Operations KPI which aggregates several critical indicators of performance.
Prohibit Send Quota If the mailbox size reaches or exceeds the specified limit, Exchange prevents the user from sending new messages and displays a descriptive error message.
Prohibit Send Receive Quota If the mailbox size reaches or exceeds the specified limit, Exchange prevents the mailbox user from sending new messages and won't deliver any new messages to the mailbox. Any messages sent to the mailbox are returned to the sender with a descriptive error message.
Public Folder Hierarchy Mailbox Count Quota Count of total public folders in the hierarchy of the mailbox.
Recoverable Items Quota This is the storage quota for the Recoverable Items folder, not the quota for the entire archive mailbox.
Recoverable Items Warning For mailboxes that aren't placed on In-Place Hold or Litigation Hold, the Managed Folder Assistant automatically purges items from the Recoverable Items folder when the deleted item retention period expires. If the folder reaches the Recoverable Items warning quota, the assistant automatically purges items in first-in-first-out order.

M365_OneDrive

This service contains services and KPIs for Microsoft OneDrive.

M365_OneDrive_Availability

This service contains KPIs for the availability of Microsoft OneDrive.

KPI Description
_Advisory (messages) KPI showing Advisory Messages for M365 OneDrive.
_Advisory (status) KPI showing Advisory Status for M365 OneDrive.
_Incident (messages) KPI showing Incident Messages for M365 OneDrive.
_Incident (status) KPI showing Incident Status for M365 OneDrive.
Extended recovery This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service Service is up and running.
Restoring service Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state..
Service degradation Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption You'll see this status Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently.
Service Restored Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_OneDrive_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft OneDrive.

KPI Description
GT_OneDrive_ActiveFiles Total active files from the OneDrive for the last 7 day reporting period.
GT_OneDrive_StorageAllocated The total storage allocated for OneDrive sites.
GT_OneDrive_StorageUsed The total storage used for OneDrive sites.
GT_OneDrive_TotalFiles The latest reported total file count for OneDrive sites.
GT_OneDrive_TotalUniqueUsers Count of total unique users for OneDrive sites.
GT_OneDrive_UsagePercent Percent of storage usage from the total of storage allocated.

M365_OneDrive_Performance

This service contains KPIs for the performance of Microsoft OneDrive.

KPI Description
Operations KPI which aggregates several critical indicators of performance.

M365_PowerBI

This service contains services and KPIs for Microsoft PowerBI.

M365_PowerBI_Availability

This service contains KPIs for the availability of Microsoft PowerBI.

KPI Description
Extended recovery This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service Service is up and running.
Restoring service Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state.
Service degradation Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption You'll see this status Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently.
Service Restored Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_PowerBI_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft PowerBI.

KPI Description
GT_PowerBI_TotalDashboards Total number of dashboards in PowerBI.
GT_PowerBI_TotalDatasets Total of datasets in PowerBI
GT_PowerBI_TotalReports Total of reports in PowerBI.
GT_PowerBI_TotalUniqueUsers Total unique users and the operations they are performing.
GT_PowerBI_TotalWorkspaces Total number of workspaces in PowerBI.

M365_PowerBI_Performance

This service contains KPIs for the performance of Microsoft PowerBI.

KPI Description
All Activities All user activities in PowerBI.
Created PowerBI dashboard A user created a PowerBI dashboard.
Created PowerBI dataflow A user created a PowerBI dataflow.
Created PowerBI dataset A user created a PowerBI dataset.
Created PowerBI report A user created a PowerBI report.
Deleted PowerBI comment A user deleted a PowerBI comment.
Deleted PowerBI dataset A user deleted a PowerBI dataset.
Deleted PowerBI report A user deleted a PowerBI report.
Downloaded PowerBI report A user downloaded a PowerBI report.
Edited PowerBI dataset A user edited a PowerBI dataset.
Edited PowerBI report A user edited a PowerBI report.
Exported PowerBI report visual data A user exported PowerBI report visual data.
Exported PowerBI tile data A user exported PowerBI tile data.
Imported file to PowerBI A user imported a file to PowerBI.
Posted PowerBI comment User posted PowerBI comment.

M365_Security

This service contains triggered security alerts from Security & Compliance Center and Cloud App Security.

M365_Cloud App Security

This service contains triggered security alerts from built-in policies in Cloud App Security.

Service KPI Description
M365_Cloud Discovery Cloud Discovery anomaly detection This policy is automatically enabled to alert you when anomalous behavior is detected in discovered users, IP addresses and services.
Any popular app Alert on newly discovered apps that are used by more than 1 users.
M365_Threat Detection Activity from anonymous IP addresses This policy profiles your environment and triggers alerts when it identifies activity from an IP address that has been identified as an anonymous proxy IP address. These proxies are used by people who want to hide their device's IP address, and may be used for malicious intent.
Activity from infrequent country This policy profiles your environment and triggers alerts when activity is detected from a location that was not recently or never visited by the user or by any user in the organization. Detecting anomalous locations necessitates an initial learning period of 7 days, during which it does not alert on any new locations.
Activity from suspicious IP addresses This policy profiles your environment and triggers alerts when activity is detected from an IP address that has been identified as risky by Microsoft Threat Intelligence. These IP are involved in malicious activities, such as botnets C&C, and may indicate a compromised account.
Activity performed by terminated user This policy profiles your environment and alerts when a terminated user performs an activity in a sanctioned corporate application.
Data exfiltration to unsanctioned apps This policy is automatically enabled to alert you when a user or IP address is using an app that is not sanctioned to perform an activity that might be an attempt to exfilitrate information from your organization.
Impossible travel This policy profiles your environment and triggers alerts when activities are detected from the same user in different locations within a time period that is shorter than the expected travel time between the two locations. This could indicate that a different user is using the same credentials.
Leaked credentials When cybercriminals compromise valid passwords of legitimate users, they often share those credentials. This is usually done by posting them publicly on the dark web or paste sites or by trading or selling the credentials on the black market.
Malicious OAuth app consent This policy uses Microsoft Threat Intelligence to scan OAuth apps connected to your environment and triggers an alert when it detects a potentially malicious app that has been authorized.
Malware detection This detection scans files in your cloud apps and runs suspicious files through Microsoft's threat intelligence engine to determine whether they are associated with known malware.
Misleading OAuth app name This policy scans the OAuth apps connected to your environment and triggers an alert when an app with a misleading name is detected. Misleading names, such as foreign letters that resemble Latin letters, could indicate an attempt to disguise a malicious app as a known and trusted app.
Misleading publisher name for an OAuth app This policy scans the OAuth apps connected to your environment and triggers an alert when an app with a misleading publisher name is detected.
Multiple delete VM activities This policy profiles your environment and triggers alerts when users perform multiple delete VM activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
Multiple failed login attempts This policy profiles your environment and triggers alerts when users perform multiple failed login activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
Multiple storage deletion activities This policy profiles your environment and triggers alerts when users perform multiple storage deletion or DB deletion activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
Multiple VM creation activities This policy profiles your environment and triggers alerts when users perform multiple create VM activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
Preview: Investigation Priority Score Increased Identify malicious insider or compromised user by identifying entities which deviates from their profile baseline.
Preview: Multiple Power BI report sharing activities This policy profiles your environment and triggers alerts when users perform multiple share report in Power BI activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
Preview: Suspicious change of CloudTrail logging service This policy profiles your environment and triggers alerts when a user performs suspicious changes to the CloudTrail logging service in a single session, which could indicate an attempted breach.
Preview: Suspicious Power BI report sharing This policy profiles your environment and triggers alerts when a user shared a Power BI report that may include sensitive information and may indicate a compromised account. The report was either shared with an external email address, published to the web, a snapshot was delivered to an externally subscribed email address.
Ransomware activity This policy profiles your environment and triggers alerts when an activity pattern is detected that is typical of a ransomware attack.
Risky sign-in Azure Active Directory (Azure AD) detects suspicious actions that are related to your user accounts.
Suspicious email deletion activity (by user) This policy profiles your environment and triggers alerts when a user performs suspicious email deletion activities in a single session, which could indicate an attempted breach.
Suspicious inbox forwarding This policy profiles your environment and triggers alerts when suspicious inbox forwarding rules are set on a user's inbox. This may indicate that the user account is compromised, and that the mailbox is being used to exfiltrate information from your organization.
Suspicious inbox manipulation rule A suspicious inbox rule was set on a user's inbox. This may indicate that the user account is compromised, and that the mailbox is being used to distribute spam and malware in your organization.
Suspicious OAuth app file download activities This policy scans the OAuth apps connected to your environment and triggers an alert when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is uncommon for the user.
Unusual addition of credentials to an OAuth app This detection policy profiles your environment and triggers alerts when users perform unusual addition of credentials to an OAuth app activities, which could indicate an attempted breach.
Unusual administrative activity (by user) This policy profiles your environment and triggers alerts when users perform multiple administrative activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
Unusual file deletion activity (by user) This policy profiles your environment and triggers alerts when users perform multiple file deletion activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
Unusual file download (by user) This policy profiles your environment and triggers alerts when users perform multiple file download activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
Unusual file share activity (by user) This policy profiles your environment and triggers alerts when users perform multiple file sharing activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
Unusual impersonated activity (by user) This policy profiles your environment and triggers alerts when users perform multiple impersonated activities in a single session with respect to the baseline learned, which could indicate an attempted breach.

M365_Security and Compliance Alerts

This service contains triggered security alerts from Security & Compliance Center.

Service KPI Description
M365_Information governance Unusual external user file activity Generates an alert when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside of your organization.
Unusual volume of external file sharing Generates an alert when an unusually large number of files in SharePoint or OneDrive are shared with users outside of your organization.
Unusual volume of file deletion Generates an alert when an unusually large number of files are deleted in SharePoint or OneDrive within a short time frame.
M365_Mail flow Messages have been delayed Generates an alert when Microsoft can't deliver email messages to your on-premises organization or a partner server by using a connector.
M365_Permissions Elevation of Exchange admin privilege Generates an alert when someone is assigned administrative permissions in your Exchange Online organization.
M365_Threat management A potentially malicious URL click was detected Generates an alert when a user protected by Safe Links in your organization clicks a malicious link. This event is triggered when URL verdict changes are identified by Microsoft Defender for Office 365 or when users override the Safe Links pages (based on your organization's Microsoft 365 for business Safe Links policy).
Admin Submission Result Completed Generates an alert when an Admin Submission completes the rescan of the submitted entity. An alert will be triggered every time a rescan result is rendered from an Admin Submission.
Admin triggered manual investigation of email Generates an alert when an admin triggers the manual investigation of an email from Threat Explorer.
Creation of forwarding/redirect rule Generates an alert when someone in your organization creates an inbox rule for their mailbox that forwards or redirects messages to another email account.
eDiscovery search started or exported Generates an alert when someone uses the Content search tool in the Security and compliance center.
Email messages containing malicious file removed after delivery​ Generates an alert when any messages containing a malicious file are delivered to mailboxes in your organization.
Email messages containing malicious URL removed after delivery​ Generates an alert when any messages containing a malicious URL are delivered to mailboxes in your organization.
Email messages containing malware removed after delivery​ Generates an alert when any messages containing malware are delivered to mailboxes in your organization.
Email messages containing phish URLs removed after delivery Generates an alert when any messages containing phish are delivered to mailboxes in your organization.
Email reported by user as malware or phish Generates an alert when users in your organization report messages as phishing email using the Report Message add-in.
Email sending limit exceeded Generates an alert when someone in your organization has sent more mail than is allowed by the outbound spam policy.
Failed exact data match upload
Form blocked due to potential phishing attempt Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior.
Form flagged and confirmed as phishing Generates an alert when a form created in Microsoft Forms from within your organization has been identified as potential phishing through Report Abuse and confirmed as phishing by Microsoft.
Malware campaign detected after delivery Generates an alert when an unusually large number of messages containing malware are delivered to mailboxes in your organization.
Malware campaign detected and blocked Generates an alert when someone has attempted to send an unusually large number of email messages containing a certain type of malware to users in your organization.
Malware campaign detected in SharePoint and OneDrive Generates an alert when an unusually high volume of malware or viruses is detected in files located in SharePoint sites or OneDrive accounts in your organization.
Malware not zapped because ZAP is disabled Generates an alert when Microsoft detects delivery of a malware message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled.
MIP AutoLabel simulation completed
Phish delivered because a user's Junk Mail Folder is disabled Generates an alert when Microsoft detects a user's Junk Mail folder is disabled, allowing delivery of a high confidence phishing message to a mailbox.
Phish delivered due to an ETR override Generates an alert when Microsoft detects an Exchange Transport Rule (ETR) that allowed delivery of a high confidence phishing message to a mailbox.
Phish delivered due to an IP allow policy Generates an alert when Microsoft detects an IP allow policy that allowed delivery of a high confidence phishing message to a mailbox.
Phish not zapped because ZAP is disabled Generates an alert when Microsoft detects delivery of a high confidence phishing message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled.
Remediation action taken by admin on emails or URLs or sender
Successful exact data match upload
Suspicious Email Forwarding Activity Generates an alert when someone in your organization has autoforwarded email to a suspicious external account.
Suspicious email sending patterns detected Generates an alert when someone in your organization has sent suspicious email and is at risk of being restricted from sending email.
Tenant restricted from sending email Generates an alert when most of the email traffic from your organization has been detected as suspicious and Microsoft has restricted your organization from sending email.
Tenant restricted from sending unprovisioned email Generates an alert when most of the email traffic from your organization has been detected as suspicious and Microsoft has restricted your organization from sending email.
Unusual increase in email reported as phish Generates an alert when there's a significant increase in the number of people in your organization using the Report Message add-in in Outlook to report messages as phishing mail.
User restricted from sending email Generates an alert when someone in your organization is restricted from sending outbound mail.
User restricted from sharing forms and collecting responses Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior.

M365_SharePoint_Online

This service contains services and KPIs for Microsoft SharePoint Online.

M365_SharePoint_Online_Availability

This service contains KPIs for the availability of Microsoft SharePoint Online.

KPI Description
Extended recovery This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service Service is up and running.
Restoring service Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state.
Service degradation Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption You'll see this status Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently.
Service Restored Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_SharePoint_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft SharePoint Online.

Service KPI Description
GT_SharePoint_ActiveFiles Total active files from the SharePoint site for the last 7 day reporting period.
GT_SharePoint_StorageAllocation The total storage allocated for share point sites.
GT_SharePoint_StorageUsed The total storage used for share point sites.
GT_SharePoint_TotalFiles The latest reported total file count for share point sites.
GT_SharePoint_TotalUniqueUsers
GT_SharePoint_UsagePercent Percent of storage usage from the total of storage allocated.

M365_SharePoint_Online_Performance

This service contains KPIs for the performance of Microsoft SharePoint Online.

Service KPI Description
M365_SharePoint_Online_Sharing and Request Activities Accepted access request An access request to a site, folder, or document was accepted and the requesting user has been granted access.
Accepted sharing invitation User (member or guest) accepted a sharing invitation and was granted access to a resource.
Added permission level to site collection A permission level was added to a site collection.
Blocked sharing invitation A sharing invitation sent by a user in your organization is blocked because of an external sharing policy that either allows or denies external sharing based on the domain of the target user
Created a company shareable link User created a company-wide link to a resource.
Created access request User requests access to a site, folder, or document they don't have permissions to access.
Created an anonymous link User created an anonymous link to a resource.
Created secure link A secure sharing link was created to this item.
Created sharing invitation User shared a resource in SharePoint Online with a user who isn't in your organization's directory.
Deleted secure link A secure sharing link was deleted.
Denied access request An access request to a site, folder, or document was denied.
Removed a company shareable link User removed a company-wide link to a resource. The link can no longer be used to access the resource.
Removed an anonymous link User removed an anonymous link to a resource. The link can no longer be used to access the resource.
Shared file, folder, or site User (member or guest) shared a file, folder, or site in SharePoint with a user in your organization's directory.
Unshared file, folder, or site User (member or guest) unshared a file, folder, or site that was previously shared with another user.
Updated access request An access request to an item was updated.
Updated an anonymous link User updated an anonymous link to a resource.
Updated sharing invitation An external sharing invitation was updated.
Used a company shareable link User accessed a resource by using a company-wide link.
Used an anonymous link An anonymous user accessed a resource by using an anonymous link.
Used secure link A user used a secure link.
User added to secure link A user was added to the list of entities who can use a secure sharing link.
User removed from secure link A user was removed from the list of entities who can use a secure sharing link.
Withdrew sharing invitation User withdrew a sharing invitation to a resource.
M365_SharePoint_Online_Site Permissions Added site collection admin Total number of files active in OneDrive.
Added user or group to SharePoint group User added a member or guest to a SharePoint group
Broke permission level inheritance An item was changed so that it no longer inherits permission levels from its parent.
Broke sharing inheritance An item was changed so that it no longer inherits sharing permissions from its parent.
Created group Site administrator or owner creates a group for a site, or performs a task that results in a group being created.
Deleted group User deletes a group from a site.
Modified 'Members Can Share' setting The Members Can Share setting was modified on a site.
Modified access request setting The access request settings were modified on a site.
Modified permission level on a site collection A permission level was changed on a site collection.
Modified site permissions Site administrator or owner (or system account) changes the permission level that is assigned to a group on a site.
Removed permission level from site collection A permission level was removed from a site collection.
Removed site collection admin Site collection administrator or owner removes a person as a site collection administrator for a site.
Removed user or group from SharePoint group User removed a member or guest from a SharePoint group.
Requested site admin permissions User requests to be added as a site collection administrator for a site collection.
Restored sharing inheritance A change was made so that an item inherits sharing permissions from its parent.
Updated group Site administrator or owner changes the settings of a group for a site.
M365_SharePoint_Usage Details % Free Storage % of free storage available.
Active File Count A file is considered active if it has been saved, synced, modified or share.
Page View Count Count of page views.
Total File Count Total number of files.

M365_Teams

This service contains services and KPIs for Microsoft Teams.

M365_Teams_Availability

This service contains KPIs for the availability of Microsoft Teams.

KPI Description
_Advisory (messages) KPI showing Advisory Messages for M365 Teams.
_Advisory (status) KPI showing Advisory Status for M365 Teams.
_Incident (messages) KPI showing Incident Messages for M365 Teams.
_Incident (status) KPI showing Incident Status for M365 Teams.
Extended recovery This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service Service is up and running.
Restoring service Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state.
Service degradation Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption You'll see this status Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently.
Service Restored Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_Teams_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft Teams.

KPI Description
GT_Teams_SessionsStarted Number of Teams sessions started.
GT_Teams_TeamsCreated Count of new teams created.
GT_Teams_TeamsDeleted Count of teams that were deleted.
GT_Teams_TotalUniqueUsers Total count of unique users and the operations they are performing.
GT_Teams_UniqueTeams Total count of unique teams.

M365_Teams_Performance

This service contains KPIs for the performance of Microsoft Teams.

KPI Description
Operations KPI which aggregates several critical indicators of performance.

M365_Yammer

This service contains services and KPIs for Microsoft Yammer.

M365_Yammer_Availability

This service contains KPIs for the availability of Microsoft Yammer.

KPI Description
_Advisory (messages) KPI showing Advisory Messages for M365 Yammer
_Advisory (status) KPI showing Advisory Status related to M365 Yammer
_Incident (messages) KPI showing Incident Messages related to M365 Yammer
_Incident (status) KPI showing Incident Status related to M365 Yammer
Extended recovery This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service Service is up and running.
Restoring service Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state.
Service degradation Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption You'll see this status Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently.
Service Restored Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_Yammer_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft Yammer.

KPI Description
GT_Yammer_ActiveGroups The total active yammer groups reported in the last 7 days
GT_Yammer_PostedMessageCount The total posted message count from the yammer tenant in the last seven day reporting period.
GT_Yammer_TotalGroups The the latest reported total number yammer groups
GT_Yammer_TotalUniqueUsers Total unique users and the operations they are performing.

M365_Yammer_Performance

This service contains KPIs for the performance of Microsoft Yammer.

KPI Description
Operations KPI which aggregates several critical indicators of performance.
Last modified on 20 September, 2021
PREVIOUS
Use the Content Pack for Microsoft 365
  NEXT
About the Content Pack for Microsoft Exchange

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters