Microsoft 365 Security in Splunk Enterprise Security

Get a summary of relevant Microsoft 365 security data to monitor your Microsoft 365 applications such as Active Directory, Exchange, Security and Compliance, Teams, and so on. Investigative searches help you probe deeper when the facts warrant it.

Microsoft 365 Security Dashboards

Use the Microsoft 365 Security dashboards to monitor security activity in your Microsoft 365 applications.

Active Directory

To access the Active Directory dashboard, do the following:

  1. From the Splunk Enterprise Security menu bar, select Cloud Security.
  2. Click Microsoft 365.
  3. Click Active Directory.

The Active Directory Dashboard includes the following panels:

Panel                                  | Source Type              | Datamodel
---------------------------------------+--------------------------+----------
Password Account Lockouts              | o365:management:activity | n/a
Users with Enable vs. Disable MFA      | o365:management:activity | n/a
Failed User Logins                     | o365:management:activity | n/a
Impossible Travel                      | o365:management:activity | n/a
Non-existent Accounts - Login Attempts | o365:management:activity | n/a
Added/Removed Members from Group       | o365:management:activity | n/a

Exchange

To access the Exchange dashboard, do the following:

  1. From the Splunk Enterprise Security menu bar, select Cloud Security.
  2. Click Microsoft 365.
  3. Click Exchange.

The Exchange Dashboard includes the following panels:

Panel                                  | Source Type              | Datamodel
---------------------------------------+--------------------------+----------
Exchange Operations by Location        | o365:management:activity | n/a
External Domain with Forwarding Policy | o365:management:activity | n/a
Mailbox Exports                        | o365:management:activity | n/a
Mailbox Forwarding Rules               | o365:management:activity | n/a
FullAccess Permission changes          | o365:management:activity | n/a
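The Mailbox Forwarding Rules and External Domain with Forwarding Policy panels surface Exchange events that send mail outside the tenant. The following is an added example of that detection logic, not Splunk's own code: it runs over constructed o365:management:activity records and assumes the Office 365 Management Activity API Exchange admin-audit fields (Workload, Operation, UserId, ObjectId, Parameters) and a constructed list of internal domains.

```python
import json

# Assumption: constructed allow-list of domains owned by the tenant.
INTERNAL_DOMAINS = {"contoso.example"}

# Exchange cmdlet parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress",
                     "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed o365:management:activity events (Exchange admin audit shape).
SAMPLE_EVENTS = [
    json.dumps({"Workload": "Exchange", "Operation": "Set-Mailbox",
                "UserId": "admin@contoso.example", "ObjectId": "alice",
                "Parameters": [{"Name": "Identity", "Value": "alice"},
                               {"Name": "ForwardingSmtpAddress",
                                "Value": "smtp:someone@outside.example"}]}),
    json.dumps({"Workload": "Exchange", "Operation": "New-InboxRule",
                "UserId": "bob@contoso.example", "ObjectId": "bob",
                "Parameters": [{"Name": "Name", "Value": "archive"},
                               {"Name": "ForwardTo",
                                "Value": "bob.archive@contoso.example"}]}),
    json.dumps({"Workload": "Exchange", "Operation": "New-InboxRule",
                "UserId": "carol@contoso.example", "ObjectId": "carol",
                "Parameters": [{"Name": "RedirectTo",
                                "Value": "carol@personal-mail.example"}]}),
]

def _domain(address):
    """Domain part of 'user@dom' or 'smtp:user@dom', lower-cased."""
    addr = address.split(":", 1)[-1]  # drop an optional 'smtp:' prefix
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def external_forwarding(raw_events, internal_domains=INTERNAL_DOMAINS):
    """Return (mailbox, actor, operation, destination) for each forwarding
    parameter whose destination domain is not an internal domain."""
    findings = []
    for raw in raw_events:
        ev = json.loads(raw)
        if ev.get("Workload") != "Exchange":
            continue
        for p in ev.get("Parameters", []):
            if p.get("Name") not in FORWARDING_PARAMS:
                continue
            # Assumption: multi-valued parameters arrive ';'-separated.
            for dest in str(p.get("Value", "")).split(";"):
                dom = _domain(dest.strip())
                if dom and dom not in internal_domains:
                    findings.append((ev.get("ObjectId"), ev.get("UserId"),
                                     ev.get("Operation"), dest.strip()))
    return findings
```

Forwarding to bob's own internal archive address is ignored; the two findings are alice's mailbox-level forwarding set by an admin and carol's self-created redirect rule.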

OneDrive and SharePoint

To access the OneDrive and SharePoint dashboard, do the following:

  1. From the Splunk Enterprise Security menu bar, select Cloud Security.
  2. Click Microsoft 365.
  3. Click OneDrive and SharePoint.

The OneDrive and SharePoint Dashboard includes the following panels:

Panel                             | Source Type              | Datamodel
----------------------------------+--------------------------+----------
Activity by Location              | o365:management:activity | n/a
Operations over Time              | o365:management:activity | n/a
Activity by User                  | o365:management:activity | n/a
Items Shared with External Users  | o365:management:activity | n/a
Risky Downloads over Time         | o365:management:activity | n/a
Permission Changes                | o365:management:activity | n/a
Top SharePoint Sites Accessed     | o365:management:activity | n/a

Security and Compliance

To access the Security and Compliance dashboard, do the following:

  1. From the Splunk Enterprise Security menu bar, select Cloud Security.
  2. Click Microsoft 365.
  3. Click Security and Compliance.

The Security and Compliance Dashboard includes the following panels:

Panel            | Source Type              | Datamodel
-----------------+--------------------------+----------
Alerts over Time | o365:management:activity | n/a
Alerts by User   | o365:management:activity | n/a
Alerts by Name   | o365:management:activity | n/a
Alert Details    | o365:management:activity | n/a

Filter your panel results

You can filter the results that you see in the dashboard panels.

Filter     | Description
-----------+---------------------------------------------------------------
Time Range | Define the time range of a search with the time range picker.

You can change the time range for all the panels, but the Password Account Lockouts panel behaves differently: changing the time range updates only the trend line in the panel, not the number the panel displays. The time range for that number is hardcoded to 24 hours.