Microsoft 365: Are You Flying Blind...and at What Cost?

Many organizations today are migrating from on-prem solutions for email / calendar / communications to Microsoft 365. If this is you, this is your productivity cloud across work and life, designed to help you achieve more with innovative Office apps, intelligent cloud services, and world-class security. 

These are critical processes, workflows, and activities, which Microsoft 365 provides you with limited visibility, and this is not something you or your business can afford to not be aware of their status and impact you or your customers. 

Splunk brings you the Splunk ITSI Content Pack for Microsoft 365 to enable full visibility into the performance, availability, security, incidents, and messages across these cloud-based Microsoft 365 services that run your business.

This content pack provides: 49 Services and 380 KPIs; Entity Types and Vital Metrics; 13 Dashboards; and 6 Glass Tables to provide persona-based views for Executive, IT Ops, Business, DevOps and Security professionals. The Microsoft 365 Content Pack is quickly configured with our provided Technology Add-on to deliver you and your key stakeholders results out of the box, and in minutes.

Oh, did I mention…it’s now free with both IT Essentials Work and Splunk IT Service Intelligence (ITSI)!

“M365 Executive Overview” Glass Table

Microsoft 365 Glass Tables

Glass tables enable you to visualize and monitor the interrelationships and dependencies across your IT and business services. You can use glass tables to create dynamic contextual views of your IT topology or business processes and monitor them in real time. You can add metrics like KPIs, ad hoc searches, and service health scores that update in real time against a background that you design. Glass tables show real-time data generated by KPIs and services.

The Content Pack for Microsoft 365 includes several preconfigured glass tables you can use to monitor critical functions. Each glass table is specifically designed to deliver value to one or more of the following four personas:

  1. As a Business Leader, I need to know what the flow of data and information is throughout our key communication channels (email, calendar, collaboration, et al), so we can operate our business effectively and serve our customers with speed and efficiency.
  2. As the Head of IT Operations, I need to have visibility into the Performance and Availability of our Microsoft 365 tenants and quickly mitigate or report issues to be remediated, so that I can ensure services are delivered to all customers without interruption.
  3. As the CIO and CTO(s), I need to ensure full visibility and awareness of our mail, calendar, and collaboration services, so as to ensure our business customers are able to operate without incident. 
  4. As a Chief Information Security Officer (CISO), I need to understand what is going on regarding our ongoing security profile and threats, along with where and when these are coming across a full complement of key indicators near real-time, so as to deliver a secure solution to my customers and key stakeholders.

Within the Microsoft 365 Content Pack, we have provided 6 Glass Tables:

  1. M365 Executive Overview
  2. M365 Overview Dashboard
  3. M365 Incident and Message Dashboard
  4. M365 Security Dashboard - Overview
  5. M365 Security Dashboard - Threat Detection
  6. M365 Security Dashboard - Threat Management

The M365 Executive Overview glass table, provides insights across 7 major components along the bottom (including Active Directory), along with Security and M365 App Availability on the top, and a rolled up M365 status in the middle. At a single glance, you can quickly understand a status of your environment both in color(s) and numbers, which are all dynamic with a ‘single click’ to gain deeper insights. All four of the personas will find this extremely useful, and something that gains the attention of all of our customers, enabling them to understand current status in a single view.

Content Pack for Microsoft 365: Glass Tables - M365 Executive Overview

M365 Overview Dashboard glass table puts key operational metrics, trends, and security summaries all on a single view. Each of these elements enable you to get more granular details with a ‘single click’ or ‘tap’. This includes: Performance & Availability across the 7 core Microsoft 365 apps and Active Directory, along with summary of Incidents and Messages, with Login Success and Login Failures including a global map showing users by country, a summary of key KPIs by each of the 6 main apps, 6 key security summaries, and overall Microsoft 365 health. Business Leaders, along with CIO / CTO’s, and Head of IT Operations will benefit greatly from having these insights available to them all on a single view and clickable for more information behind each of these components.

Content Pack for Microsoft 365: Glass Tables - M365 Overview Dashboard

Getting information related to the Microsoft 365 Service Incidents and Messages Dashboard is simplified with this glass table, providing you the ability to not only see them in a Sankey Diagram but also quickly filter and sort as you desire. Both visualized and in a tabular format, with ‘single click’ access to more information. Ensuring you are well aware of what is going on within your Microsoft 365 tenant(s). Stakeholders such as CIO / CTO’s, and Head of IT Operations will benefit greatly by having, so to have  visibility into and awareness of as to what Service Incidents that are happening and each of their status, along with insights from Messages on what is going to be happening; which they can leverage to prepare and communicate both real-time and proactively to their customers.

Content Pack for Microsoft 365: Glass Tables - M365 Service Incidents and Messages Dashboard


The glass tables for M365 Security Dashboard: Overview, Threat Detection, and Threat Management provide insights into security highlights across your tenant(s). The “Overview” glass table provides roll-up of nearly 100 data points on a single screen, including trending, and threshold notifications where appropriate. To allow for more focused views, included are also the “Threat Detection” and “Threat Management” glass tables, showing details for each of those specific areas along with other key indicators across Microsoft 365 to compliment the security focus. These will be of specific interest to your CISO / Security Analysts, CIO / CTO’s, Head of IT Operations.

Content Pack for Microsoft 365: Glass Tables - M365 Security Dashboards [Overview, Threat Detection, Threat Management]

For more information about glass tables, see overview of the glass table editor in ITSI and a video 'Getting Started with Splunk ITSI Glass Tables'.

Microsoft 365 Services and KPIs

The Content Pack for Microsoft 365 contains 49 Services that represent different components of your Microsoft 365 environment. A service is a logical mapping of IT objects that applies to your business goals such as an application / service, an infrastructure tier / instance, or a single running process / metric. 

Some services are dependent on other services. Services contain KPIs which make it possible to monitor service health and ensure your IT operations are in compliance with business SLAs. The following image shows the Microsoft 365 Service Analyzer tree.

Content Pack for Microsoft 365 “Service Analyzer” in ‘Tree View'


The Content Pack for Microsoft 365 ships with 380 KPI’s, built using Microsoft best practices and Splunk research, some with configured thresholds and alerting rules. A KPI is a recurring saved search that returns the value of an IT performance metric and is used to monitor the health of a service. For more information about KPIs, see Overview of creating KPIs in ITSI in the Service Insights manual.

The following image shows the configuration of a KPI in the Content Pack for Microsoft 365, setup with Adaptive Thresholding.


Content Pack for Microsoft 365 KPIs with Adaptive Thresholding within the ‘Yammer Availability’ Service

Another great feature of the Content Pack for Microsoft 365 is the preconfigured Service Analyzer view called M365 Service Analyzer, which provides a visual representation of your Microsoft 365 services and the dependencies between them. You can use this custom view to see the KPIs, entities, and most critical episodes associated with a service. 

The M365 Service Analyzer is organized according to the following key components of Microsoft 365:

  • Azure Active Directory
  • Security
  • Exchange
  • OneDrive
  • PowerBI
  • SharePoint
  • Teams
  • Yammer
  • Other M365 Apps

The following image shows some of the services in the Splunk ITSI Content Pack for Microsoft 365, along with the quick-click capability to view associated KPIs, entities, and episodes:

Content Pack for Microsoft 365: Services, Episodes, KPIs, and Entities within the M365 Service Analyzer

Select an Microsoft 365 service in the dependency tree to investigate its associated KPIs and entities, and perform more granular root cause analysis of issues that arise. You can click View All to manage all critical and high episodes in Episode Review, or select an individual entity to view its health page.

For a reference of all KPIs included in the content pack as well as their descriptions, search schedules, and lookback times, see KPI reference for the Content Pack for Microsoft 365 in the ITSI Content Packs manual.

Microsoft 365 Episode Review

Some services in the Content Pack for Microsoft 365 are configured to generate notable events when aggregate KPI threshold values reach specific levels. ITSI then aggregates these events into meaningful groups, or episodes. 

To monitor and investigate the episodes related to your Microsoft 365 environment, navigate to Episode Review. Episode Review provides a unified view of all your service-impacting episodes. You can drill down into individual episodes to perform more granular root cause analysis, such as viewing an events timeline or examining common fields. 

You can interact with an episode in a variety of ways, including the following:

  • Acknowledge it to indicate the episode has been identified and accepted.
  • Change the severity depending on the perceived impact on your organization.
  • Change the status to indicate its current place in the episode workflow.
  • Assign the episode to an individual or team for investigation and remediation.
  • Take a specific action on the episode, such as pinging a host or running a script. For an overview of all available actions you can take on an episode, see Take action on an episode in ITSI.

As an analyst, you can use Episode Review to gain insight into the severity of episodes occurring in your Microsoft 365 environment. Use the console to triage new episodes, assign episodes to analysts for review, and examine episode details for investigative leads. 

Content Pack for Microsoft 365: Episode Review 

For more information about Episode Review, see Overview of Episode Review in ITSI.

Microsoft 365 Entity Types and Vital Metrics

Entity Types and Vital Metrics

The Content Pack for Microsoft 365 includes custom entity types. You can use these associations to visualize and troubleshoot various entities. For example, you can group entities by entity type in the Infrastructure Overview to visualize key metrics relating to the health of Microsoft 365 entities. 

Vital Metrics

The “M365 Tenants” entity type contains a set of vital metrics which describe the overall health of entities of that type, including things like: Azure Active Users, Exchange Active Users, Microsoft Teams Active Users, OneDrive Active Users, SharePoint Active Users, and Yammer Active Users. You can view these metrics on the Entity Health page and drill down further into individual Exchange entities. 

Event Data Search Dashboard

The Event Data Search dashboard displays the 100 most recent log events associated with an entity for the last 60 minutes. The dashboard provides a high-level overview of entity performance across your whole environment, regardless of the entity type you associated with the entity. 

Entity Analytics Dashboard

The Entity Analytics dashboard lets you analyze metrics and logs for specific entities in ITSI. You can populate the dashboard with metrics and logs according to analysis data filters ITSI associates with a given entity. 


Content Pack for Microsoft 365: Vital Metrics, Event Data Search Dashboard, Entity Analytics Dashboard 

You can optionally add, modify, or delete the preconfigured M365 Tenants entity type. For instructions to create and edit entity types, see Create custom entity types in ITSI. For more information about the entity dashboards included in this content pack, see Microsoft 365 Entities in the content pack documentation.

Microsoft 365 Dashboards

A dashboard is used to represent tables or charts which are related to some business meaning. It is done through panels. The panels in a dashboard hold the chart or summarized data in a visually appealing manner. We can add multiple panels, and hence multiple reports and charts to the same dashboard.

Within the Microsoft 365 Content Pack, we have provided 13 Dashboards to provide easy access to valuable information in a quick and easy manner for you.

  1. M365 Overview
  2. M365 Azure Active Directory Overview
  3. M365 Usage & Adoption
  4. M365 User Audit
  5. M365 Exchange Overview
  6. M365 OneDrive Overview
  7. M365 OneDrive File Investigator
  8. M365 Teams Overview
  9. M365 Teams Activity Audit
  10. M365 Teams Security Monitoring
  11. M365 PowerBI Overview
  12. M365 Sharepoint Overview
  13. M365 Security Alerts Overview

Below is the M365 Overview Dashboard, providing a summary of all things Microsoft 365, and showcasing key panels which are interactive for the user.

Content Pack for Microsoft 365: Dashboards - M365 Overview Dashboard 


Microsoft 365 App for Splunk

The predecessor, “Microsoft 365 App for Splunk” provided dashboards for Microsoft 365 management data retrieved and presented in 7 dashboards, and has served our customers well. Splunk is now enhancing its capabilities to leverage the latest ITSI features, simplifying the implementation, and speeding up time to results. The legacy app’s functionality incorporated into this content pack.

Customers that manage Splunk in their data centers can download IT Essentials Work for free from Splunkbase. Customers that use Splunk Cloud can request support-assisted installation for IT Essentials Work through the ticketing workflow. Splunk sales and customer success teams can help determine whether IT Essentials Work or ITSI is the right option moving forward.

Next Steps

That was a lot of content. Thanks for hanging in there! You may also be interested in the Microsoft 365 Content Pack Overview Video

Now you know all about the Splunk ITSI Content Pack for Microsoft 365. It is time to install it and start discovering its value yourself! For detailed installation steps, see Install and configure the Content Pack for Microsoft 365.

And don't forget to join us for a Tech Talk session on the Splunk ITSI Content Pack for Microsoft 365. Splunk Tech Talks are short, technical webinars for Splunk users. These 20-30 minute webinars are practitioner based overviews with a live demo to highlight best practices, scenarios and new functionality.

This blog post was authored by Todd DeCapua, IT Markets, Field Solutions Engineer at Splunk with special help from: Marie Duran, Adam Schalock, Ajee Greenfield at Splunk.

Todd DeCapua
Posted by

Todd DeCapua

Todd DeCapua is a passionate software executive, technology evangelist and business leader with extensive hands-on expertise.

Throughout his career, he has held various leadership and strategic roles in organizations like: Splunk, JPMorgan Chase & Co., CSC, Hewlett Packard, Shunra Software,, Vivit Worldwide, Apposite Technologies, TEDx Wilmington, ING Direct, Andersen Consulting, and more.

He is also an author and contributor, well known speaker / evangelist, and co-author of the O’Reilly published book titled, “Effective Performance Engineering” and “Blockchain for the Enterprise” and now completing a book on ‘Data’ with Manning Publications.