Splunk® Security Analytics for AWS

User Manual


Microsoft 365 Security in

Get a summary of relevant Microsoft 365 security data to monitor your Microsoft 365 applications, such as Active Directory, Exchange, Security and Compliance, and Teams. Investigative searches help you probe deeper when the facts warrant it.

Microsoft 365 Security Dashboards

Use the Microsoft 365 Security dashboards to monitor security activity in your Microsoft 365 applications. Every panel on these dashboards is populated from the o365:management:activity source type and none of them uses a data model.

Active Directory

To access the Active Directory dashboard, do the following:

  1. From the menu bar, select Cloud Security.
  2. Click Microsoft 365.
  3. Click Active Directory.

The Active Directory Dashboard includes the following panels:

Panel                                     Source type                 Data model
Password Account Lockouts                 o365:management:activity    n/a
Users with Enable vs. Disable MFA         o365:management:activity    n/a
Failed User Logins                        o365:management:activity    n/a
Impossible Travel                         o365:management:activity    n/a
Non-existent Accounts - Login Attempts    o365:management:activity    n/a
Added/Removed Members from Group          o365:management:activity    n/a
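The following is an added example, not one of the app's own panel searches, showing the kind of logic that stands behind the Failed User Logins, Non-existent Accounts - Login Attempts and Impossible Travel panels, run in Python over a handful of constructed o365:management:activity sign-in events. The field names (Operation, UserId, ClientIP, ResultStatus, CreationTime) follow the Office 365 Management Activity API schema; the LogonError values, the IP addresses, the IP-to-coordinate lookup and the 900 km/h threshold are assumptions made for illustration.

```python
# Added example (not the app's own panel searches): logic of the Failed User
# Logins, Non-existent Accounts - Login Attempts and Impossible Travel panels,
# run over constructed o365:management:activity sign-in events. Field names
# follow the Office 365 Management Activity API; LogonError values, IPs and
# the IP -> coordinate lookup are assumptions for illustration.
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events as they would look after JSON extraction in Splunk.
SAMPLE_EVENTS = [
    {"CreationTime": "2021-04-29T08:00:12", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "Success"},
    {"CreationTime": "2021-04-29T08:41:03", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.7", "ResultStatus": "Success"},
    {"CreationTime": "2021-04-29T09:02:55", "Operation": "UserLoginFailed",
     "UserId": "bob@example.com", "ClientIP": "192.0.2.44", "ResultStatus": "Failed",
     "LogonError": "InvalidUserNameOrPassword"},
    {"CreationTime": "2021-04-29T09:03:10", "Operation": "UserLoginFailed",
     "UserId": "bob@example.com", "ClientIP": "192.0.2.44", "ResultStatus": "Failed",
     "LogonError": "InvalidUserNameOrPassword"},
    {"CreationTime": "2021-04-29T09:03:31", "Operation": "UserLoginFailed",
     "UserId": "admin@example.com", "ClientIP": "192.0.2.44", "ResultStatus": "Failed",
     "LogonError": "UserAccountNotFound"},
    {"CreationTime": "2021-04-29T10:15:00", "Operation": "UserLoggedIn",
     "UserId": "carol@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "Success"},
    {"CreationTime": "2021-04-29T18:15:00", "Operation": "UserLoggedIn",
     "UserId": "carol@example.com", "ClientIP": "198.51.100.7", "ResultStatus": "Success"},
]

# Constructed stand-in for a GeoIP lookup: IP -> (latitude, longitude).
GEO = {
    "203.0.113.10": (51.50, -0.12),   # London
    "198.51.100.7": (40.71, -74.00),  # New York
    "192.0.2.44": (48.85, 2.35),      # Paris
}


def failed_logins_by_user(events):
    """Failed sign-ins per account, the count a Failed User Logins panel charts."""
    return Counter(e["UserId"] for e in events if e["Operation"] == "UserLoginFailed")


def nonexistent_account_attempts(events):
    """Failed sign-ins where the directory reported that the account does not
    exist. A burst of these from one source IP is a typical sign of enumeration."""
    return [(e["UserId"], e["ClientIP"]) for e in events
            if e["Operation"] == "UserLoginFailed"
            and e.get("LogonError") == "UserAccountNotFound"]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(events, geo, max_kmh=900.0):
    """Consecutive successful sign-ins by one user whose implied speed exceeds
    max_kmh (roughly airliner speed). Returns (user, ip1, ip2, km, hours)."""
    by_user = defaultdict(list)
    for e in events:
        if (e["Operation"] == "UserLoggedIn" and e["ResultStatus"] == "Success"
                and e["ClientIP"] in geo):
            by_user[e["UserId"]].append(
                (datetime.fromisoformat(e["CreationTime"]), e["ClientIP"]))
    hits = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            if ip1 == ip2:
                continue  # same source address, nothing to evaluate
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(geo[ip1], geo[ip2])
            if hours == 0 or km / hours > max_kmh:
                hits.append((user, ip1, ip2, round(km), round(hours, 2)))
    return hits


if __name__ == "__main__":
    print(failed_logins_by_user(SAMPLE_EVENTS))
    print(nonexistent_account_attempts(SAMPLE_EVENTS))
    print(impossible_travel(SAMPLE_EVENTS, GEO))
```

On the sample data, bob accounts for both password failures, the attempt against admin@example.com is flagged because the directory said the account does not exist, and alice's London-to-New-York pair 41 minutes apart is the only impossible-travel hit; carol's eight-hour gap between the same two cities is within the threshold. A real panel replaces the GEO dictionary with a GeoIP lookup and has to tolerate VPN egress points and cloud-hosted clients, which produce the same pattern legitimately.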

Exchange

To access the Exchange dashboard, do the following:

  1. From the menu bar, select Cloud Security.
  2. Click Microsoft 365.
  3. Click Exchange.

The Exchange Dashboard includes the following panels:

Panel                                     Source type                 Data model
Exchange Operations by Location           o365:management:activity    n/a
External Domain with Forwarding Policy    o365:management:activity    n/a
Mailbox Exports                           o365:management:activity    n/a
Mailbox Forwarding Rules                  o365:management:activity    n/a
FullAccess Permission changes             o365:management:activity    n/a
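The following is an added example, not one of the app's own panel searches, showing the checks behind the Mailbox Forwarding Rules, External Domain with Forwarding Policy and FullAccess Permission changes panels, run in Python over constructed o365:management:activity Exchange admin-audit events. Exchange audit records carry the cmdlet name in Operation and its arguments as a Parameters list of Name/Value pairs, which is what the code flattens; the sample values, the accepted-domain list and the choice of cmdlets and parameters treated as forwarding are assumptions.

```python
# Added example (not the app's own panel searches): checks behind the Mailbox
# Forwarding Rules, External Domain with Forwarding Policy and FullAccess
# Permission changes panels, over constructed o365:management:activity Exchange
# admin-audit events. Sample values, accepted domains and the cmdlet/parameter
# lists are assumptions for illustration.

# Assumed accepted domains of the tenant; any other recipient domain is external.
ACCEPTED_DOMAINS = {"example.com", "corp.example.com"}

# Cmdlet parameters that deliver a copy of mail somewhere else.
FORWARDING_PARAMS = {"ForwardingSmtpAddress", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sample events.
SAMPLE_EVENTS = [
    {"Operation": "Set-Mailbox", "UserId": "admin@example.com", "ObjectId": "alice@example.com",
     "Parameters": [{"Name": "Identity", "Value": "alice@example.com"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@attacker.example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ObjectId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Archive invoices"},
                    {"Name": "ForwardTo", "Value": "finance@corp.example.com"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.com", "ObjectId": "carol@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "RedirectTo",
                     "Value": "Carol [SMTP:c.ext@mail.example.org]; finance@corp.example.com"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Add-MailboxPermission", "UserId": "admin@example.com", "ObjectId": "ceo@example.com",
     "Parameters": [{"Name": "Identity", "Value": "ceo@example.com"},
                    {"Name": "User", "Value": "dave@example.com"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"Operation": "Add-MailboxPermission", "UserId": "admin@example.com", "ObjectId": "ceo@example.com",
     "Parameters": [{"Name": "Identity", "Value": "ceo@example.com"},
                    {"Name": "User", "Value": "erin@example.com"},
                    {"Name": "AccessRights", "Value": "ReadPermission"}]},
]


def params(event):
    """Flatten the Parameters Name/Value list into a dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def recipient_domains(value):
    """Domains named in a recipient parameter. Handles ';'-separated lists,
    "Display Name [SMTP:addr]" and "Display Name <addr>" forms and the smtp:
    prefix used by ForwardingSmtpAddress."""
    domains = set()
    for item in value.split(";"):
        addr = item.strip()
        for open_, close in (("[", "]"), ("<", ">")):
            if open_ in addr and close in addr:
                addr = addr[addr.rindex(open_) + 1:addr.rindex(close)]
        if addr.lower().startswith("smtp:"):
            addr = addr[5:]
        if "@" in addr:
            domains.add(addr.rsplit("@", 1)[1].lower())
    return domains


def external_forwarding(events, accepted_domains=ACCEPTED_DOMAINS):
    """Forwarding configured by Set-Mailbox or an inbox rule whose target is
    outside the accepted domains. Returns (operation, actor, mailbox, parameter, domain)."""
    hits = []
    for e in events:
        if e["Operation"] not in {"Set-Mailbox", "New-InboxRule", "Set-InboxRule"}:
            continue
        p = params(e)
        for name in sorted(FORWARDING_PARAMS & p.keys()):
            for dom in sorted(recipient_domains(p[name]) - accepted_domains):
                hits.append((e["Operation"], e["UserId"], e.get("ObjectId"), name, dom))
    return hits


def fullaccess_changes(events):
    """Add-/Remove-MailboxPermission events that grant or revoke FullAccess.
    Returns (operation, actor, mailbox, delegate)."""
    hits = []
    for e in events:
        if e["Operation"] not in {"Add-MailboxPermission", "Remove-MailboxPermission"}:
            continue
        p = params(e)
        if "FullAccess" in p.get("AccessRights", ""):
            hits.append((e["Operation"], e["UserId"],
                         p.get("Identity", e.get("ObjectId")), p.get("User")))
    return hits


if __name__ == "__main__":
    for hit in external_forwarding(SAMPLE_EVENTS) + fullaccess_changes(SAMPLE_EVENTS):
        print(hit)
```

Two of the three forwarding changes are flagged: the administrator's Set-Mailbox on alice's mailbox points at attacker.example.net, and carol's rule redirects to mail.example.org while also deleting the message, the classic business-email-compromise persistence pattern. Bob's rule forwards within corp.example.com and is ignored. Only the FullAccess grant on the CEO mailbox is reported; the ReadPermission change is not. Carol's rule is named "." to stay inconspicuous in the Outlook rule list, so do not filter on rule names.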

OneDrive and SharePoint

To access the OneDrive and SharePoint dashboard, do the following:

  1. From the menu bar, select Cloud Security.
  2. Click Microsoft 365.
  3. Click OneDrive and SharePoint.

The OneDrive and SharePoint Dashboard includes the following panels:

Panel                                     Source type                 Data model
Activity by Location                      o365:management:activity    n/a
Operations over Time                      o365:management:activity    n/a
Activity by User                          o365:management:activity    n/a
Items Shared with External Users          o365:management:activity    n/a
Risky Downloads over Time                 o365:management:activity    n/a
Permission Changes                        o365:management:activity    n/a
Top SharePoint Sites Accessed             o365:management:activity    n/a

Security and Compliance

To access the Security and Compliance dashboard, do the following:

  1. From the menu bar, select Cloud Security.
  2. Click Microsoft 365.
  3. Click Security and Compliance.

The Security and Compliance Dashboard includes the following panels:

Panel                                     Source type                 Data model
Alerts over Time                          o365:management:activity    n/a
Alerts by User                            o365:management:activity    n/a
Alerts by Name                            o365:management:activity    n/a
Alert Details                             o365:management:activity    n/a

Take action on account activity from Active Directory, Exchange, Security & Compliance, Teams, and so on. See Overview of take action on use cases in Splunk Security Analytics for AWS.

Filter your panel results

You can filter the results that you see in the dashboard panels.

Filter        Description
Time Range    Define the time range of a search with the time range picker.

Although you can change the time range for all of the panels, the Password Account Lockouts panel behaves differently: changing the time range changes only the trend line in the panel, not the number it displays. The time range for that number is fixed at 24 hours, so a lockout count on that panel always describes the last day regardless of the time range you pick.

Work with panel drilldown options

For further details, you can drill down into any panel in your dashboards. Click a panel to display its drilldown options.

Option                  Description
Open in Search          Open a search bar in Splunk Web to see the SPL syntax that populates the panel with data. Where applicable, these searches use the | tstats command to perform statistical queries. See tstats for more information. In the search results, click the Statistics tab in Splunk Web to see statistics about your indexed data.
Open Events in Search   Open a search bar in Splunk Web to see the SPL syntax that returns the top 100 raw events that were ingested. Where applicable, these searches use the | datamodel command to search data model datasets. Because the | datamodel command can affect performance, the search limits the number of events with | head 100 by default rather than returning them all. See datamodel for more information. In the search results, click the Events tab in Splunk Web to see raw events. If Open Events in Search returns the same results as Open in Search, the panel does not use a data model; this is the case for every Microsoft 365 panel on this page, which all list a data model of n/a.
Export                  Download a .png file of the panel results.
Refresh                 Update the results of the panel.
Last modified on 30 April, 2021

This documentation applies to the following versions of Splunk® Security Analytics for AWS: 1.0.0

