Prerequisites to use Cloud Security dashboards
To onboard Cloud data sources and explore your Cloud Security environment by displaying visualizations of your Amazon Web Services (AWS) and Microsoft 365 environments using the Cloud Security dashboards, you must meet the following prerequisites:
- Create indexes to populate the Cloud Security dashboards. For more information on creating custom indexes, see Create custom indexes.
- Provide the index name in the Enterprise Security app settings following these steps:
  - From the Splunk Enterprise Security menu, select Configure > General > General Settings. This displays the configuration settings of Splunk Enterprise Security by application.
  - Navigate to AWS Index or Microsoft 365 Index. The default index value for the AWS Index is aws_security and the default index value for the Microsoft 365 Index is o365_security.
    Note: No indexes exist with the default names. You must create your own indexes to populate the Cloud Security dashboards and provide the name of each index in the index field for both AWS Index and Microsoft 365 Index.
  - Populate the index name in the app settings for AWS Index and Microsoft 365 Index.
- Install the Splunk Add-on for Amazon Kinesis Firehose and the Splunk Add-on for Microsoft Office 365 from Splunkbase.
  - For more information on installing the add-on, see Splunk Add-on for Amazon Kinesis Firehose.
  - For more information on installing the add-on, see Splunk Add-on for Microsoft Office 365.
- Configure the add-ons to send data to the Splunk platform and prepare the Splunk platform to receive the data.
  - For more information on configuring the Splunk Add-on for Amazon Kinesis Firehose, see Configure Firehose.
  - For more information on configuring the Splunk Add-on for Microsoft Office 365, see Configure Microsoft 365.
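As an added example that is not part of the Splunk documentation, the following indexes.conf creates the two indexes under the default names the Cloud Security app settings expect, so the AWS Index and Microsoft 365 Index fields can be left at their defaults. The file location, the $SPLUNK_DB path layout and the retention value are assumptions for this example, not values given on the page.

```ini
# Added example: $SPLUNK_HOME/etc/apps/<your_app>/local/indexes.conf on the
# indexer (or in the bundle pushed to an indexer cluster). Stanza names match
# the default values of the AWS Index and Microsoft 365 Index app settings.
# Splunk conf files only allow comments on their own line, so none are inline.

[aws_security]
homePath = $SPLUNK_DB/aws_security/db
coldPath = $SPLUNK_DB/aws_security/colddb
thawedPath = $SPLUNK_DB/aws_security/thaweddb
# Retention (90 days) is an assumed value for this example.
frozenTimePeriodInSecs = 7776000

[o365_security]
homePath = $SPLUNK_DB/o365_security/db
coldPath = $SPLUNK_DB/o365_security/colddb
thawedPath = $SPLUNK_DB/o365_security/thaweddb
frozenTimePeriodInSecs = 7776000
```

Restart the indexer (or apply the cluster bundle) so the indexes are created before the add-on inputs that reference them are enabled, then confirm they exist with a search such as `| rest /services/data/indexes | search title IN (aws_security, o365_security)`.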
Now you can use the visualizations on the following Cloud Security dashboards to explore your Amazon Web Services (AWS) and Microsoft 365 environments.
Risk factors enabled by default
The following risk factors are enabled by default:
- The Critical Severity Alert risk factor increases the risk when the alert is critical severity.
- The High Severity Alert risk factor increases the risk when the alert is high severity.
- The Medium Severity Alert risk factor does not increase or decrease the risk when the alert is medium severity.
- The Informational Severity Alert risk factor decreases the risk when the alert is informational severity.
- The Low Severity Alert risk factor decreases the risk when the alert is low severity.
Learn more
Security Groups for your VPC in Splunk Enterprise Security
User and Authentication Activity in Splunk Enterprise Security
Network ACL Analytics in Splunk Enterprise Security