Splunk® Content Packs for ITSI and IT Essentials Work


Use the Content Pack for Microsoft 365

After you install and configure the app, it's time to start actively monitoring your Microsoft 365 services. The content pack contains a series of useful views and dashboards that provide visibility into the different layers of your services. The glass table contains distinct sections geared towards different audiences, the service analyzer provides visibility into the health of your entire email service, and an entity health page displays vital metrics for individual entities.

Monitor your overall Microsoft 365 environment

This app includes several preconfigured glass tables that give you a real-time overview of what's going on in your Microsoft 365 environment. Below is the Overview Dashboard:

Overview Dashboard.png

The following table includes information about the glass tables included in the content pack:

| Glass Table | Description |
| --- | --- |
| M365 Executive Overview | The executive view contains executive-level metrics to illustrate the service levels you're delivering. It displays the availability and performance of major areas of Microsoft 365, including OneDrive, SharePoint, Teams, Yammer, and Exchange. This high-level view enables your IT Operations team to drill down into the individual services in each area. If you see an abnormal service health score, click the service to open and investigate it in the Service Analyzer. |
| M365 Incident and Message Dashboard | The Incident and Message view provides visibility across your services and displays trends for each incident, enabling you to proactively communicate about activities and events that impact customer experience. The glass table also displays the most recent incidents affecting your services, and recent messages. |
| M365 Overview Dashboard | The view provides visibility of top-level service health as well as base metrics for the top services in Microsoft 365 like Exchange, OneDrive, SharePoint, Yammer, PowerBI, and Teams, enabling you to remediate outages or investigate low service health scores. You can also view security metrics and login success and failure trends in a single view. |
| M365 Security Dashboard - Overview | The security view highlights metrics that track suspicious activities, unusual emails, and login anomalies to help you detect security threats to your environment. You can drill down into specific security anomalies using the Service Analyzer. |
| M365 Security Dashboard - Threat Detection | The threat detection view provides a high-level view into potential security threats to your environment, such as authorization/login anomalies, suspicious user activities, and malware detection. You can drill down into specific security anomalies using the Service Analyzer. |
| M365 Security Dashboard - Threat Management | Track and manage suspicious activities, such as emails reported as phishing attempts or security and compliance issues. You can drill down into specific anomalies using the Service Analyzer. |

Monitor Microsoft 365 services

The M365 Service Analyzer included in this content pack provides instant, real-time visibility into the health of your Microsoft 365 environment and all its components, with granular composite health scores across the entire service path. Detect service anomalies faster with visibility into the health of each one of the service components that affect your overall performance including SharePoint, PowerBI, OneDrive, Exchange, and more.

To access the custom service analyzer view, perform the following steps:

  1. From the ITSI main menu, click Service Analyzer > Analyzers.
  2. Select M365 Service Analyzer from the list of analyzers.

Any critical or high severity episodes associated with the service are displayed in the side panel. Click View All to view all associated episodes in Episode Review. The following image shows the tree view for the Service Analyzer:

O365 Tree.png

Monitor Microsoft 365 alerts

Some services in the Content Pack for Microsoft 365 are configured to generate notable events when aggregate KPI threshold values reach specific levels. The default aggregation policy then groups these events into meaningful episodes in Episode Review. To monitor and investigate all episodes in your Microsoft 365 environment, navigate to Episode Review. You can drill down into individual episodes to perform more granular root cause analysis, such as viewing an events timeline or examining common fields. You can then take specific actions on these episodes such as pinging a host, sending an email, or creating a ticket in ServiceNow or Remedy.

For more information about navigating and using Episode Review, see Overview of Episode Review in ITSI in the Event Analytics manual.

Monitor Microsoft 365 entities

The content pack includes several entity types that group entities originating from Microsoft 365:

  • ITSI Import Objects - M365 Tenants
  • ITSI Import Objects - Power BI Workspaces
  • ITSI Import Objects - Sharepoint Sites

The entity types contain a set of vital metrics, which are statistical calculations based on SPL searches that represent the overall health of entities of that type. To view the Entity Health page for the entity types, perform the following steps:

  1. From the ITSI main menu, click Infrastructure Overview.
  2. In the Group by dropdown, choose Entity Type.
  3. Select one of the Microsoft 365 entity types to drill down into its vital metrics.

For more information about entity types and vital metrics, see Overview of entity types in ITSI in the Entity Integrations manual.

Vital metrics

The following table lists the vital metrics for the M365 Tenants entity type:

| Vital metric | Description |
| --- | --- |
| Azure Active Users | Displays the count of distinct active users in Azure AD, with a span of 10 minutes |
| Exchange Active Users | Displays the count of distinct active users in Exchange, with a span of 10 minutes |
| Microsoft Teams Active Users | Displays the count of distinct active users in Microsoft Teams, with a span of 10 minutes |
| OneDrive Active Users | Displays the count of distinct active users in OneDrive, with a span of 10 minutes |
| Sharepoint Active Users | Displays the count of distinct active users in SharePoint, with a span of 10 minutes |
| Yammer Active Users | Displays the count of distinct active users in Yammer, with a span of 10 minutes |

The following table lists the vital metrics for the Power BI Workspaces entity type:

| Vital metric | Description |
| --- | --- |
| Dashboard Views | Displays the count of dashboard views in each Power BI workspace, with a span of 10 minutes |
| Report Views | Displays the count of report views in each Power BI workspace, with a span of 10 minutes |
| Report Creations | Displays the count of report creations in each Power BI workspace, with a span of 10 minutes |
| Dataset Creations | Displays the count of dataset creations in each Power BI workspace, with a span of 10 minutes |

The following table lists the vital metrics for the Sharepoint Sites entity type:

| Vital metric | Description |
| --- | --- |
| Page Views Count | Displays the page view count in each SharePoint site, with a span of 10 minutes |
| Distinct User Page View Count | Displays the count of distinct users that viewed a page in each SharePoint site, with a span of 10 minutes |
| File Accessed Count | Displays the count of files accessed in each SharePoint site, with a span of 10 minutes |
| Distinct User File Accessed Count | Displays the count of distinct users that accessed a file in each SharePoint site, with a span of 10 minutes |

Entity dashboards

You can select an individual entity on the Entity Health page to drill down further into its performance metrics and log events. The Event Data Search dashboard displays the most recent log events associated with an entity over the last hour. The Analytics dashboard lets you view the trend of data coming in from each host by source type in a single snapshot.

To learn more about the available entity dashboards, see the following resources:

Microsoft 365 Dashboards

The following image displays the M365 Security Alerts Overview dashboard:
M365 Security Alerts Overview.png

This content pack comes with these dashboards:

  • M365 Azure Active Directory Overview
  • M365 Usage & Adoption
  • M365 Overview
  • M365 User Audit
  • M365 Exchange Overview
  • M365 OneDrive Overview
  • M365 OneDrive File Investigator
  • M365 Teams Overview
  • M365 Teams Activity Audit
  • M365 Teams Security Monitoring
  • M365 PowerBI Overview
  • M365 Sharepoint Overview
  • M365 Security Alerts Overview

Follow these steps to access these dashboards:

  1. From the ITSI main menu, click Dashboards > Dashboards.
  2. Select the dashboard you want to view from the Dashboards page.
Last modified on 30 June, 2021

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current

