The correct sourcetype for Azure Active Directory sign-ins is ms:aad:signin, and filtering on loginStatus=Failure ensures only failed logins are shown. Using geostats with latitude and longitude fields allows plotting login attempts geographically, and a Cluster Map visualization is best for quickly identifying failed logins originating outside of North America.

When a Security Engineer is building a new security process, their top priority should be ensuring that the process aligns with compliance requirements. This is crucial because compliance dictates the legal, regulatory, and industry standards that organizations must follow to protect sensitive data and maintain trust.
Why Compliance is the Top Priority?
Legal and Regulatory Obligations - Many industries are required to follow compliance standards such as GDPR, HIPAA, PCI-DSS, NIST, ISO 27001, and SOX. Non-compliance can lead to heavy fines and legal actions.
Data Protection & Privacy - Compliance ensures that sensitive information is handled securely, preventing data breaches and unauthorized access.
Risk Reduction - Following compliance standards helps mitigate cybersecurity risks by implementing security best practices such as encryption, access controls, and logging.
Business Reputation & Trust - Organizations that comply with standards build customer confidence and industry credibility.
Audit Readiness - Security teams must ensure that logs, incidents, and processes align with compliance frameworks to pass internal/external audits easily.
How Does Splunk Enterprise Security (ES) Help with Compliance?
Splunk ES is a Security Information and Event Management (SIEM) tool that helps organizations meet compliance requirements by:
Log Management & Retention - Stores and correlates security logs for auditability and forensic investigation.
Real-time Monitoring & Alerts - Detects suspicious activity and alerts SOC teams.
Prebuilt Compliance Dashboards - Comes with out-of-the-box dashboards for PCI-DSS, GDPR, HIPAA, NIST 800-53, and other frameworks.
Automated Reporting - Generates reports that can be used for compliance audits.
Example in Splunk ES:
A security engineer can create correlation searches and risk-based alerting (RBA) to monitor and enforce compliance policies.
How Does Splunk SOAR Help Automate Compliance-Driven Security Processes?
Splunk SOAR (Security Orchestration, Automation, and Response) enhances compliance processes by:
Automating Incident Response - Ensures that responses to security threats follow predefined compliance guidelines.
Automated Evidence Collection - Helps in audit documentation by automatically collecting logs, alerts, and incident data.
Playbooks for Compliance Violations - Can automatically detect and remediate non-compliant actions (e.g., blocking unauthorized access).
Example in Splunk SOAR:
A playbook can be configured to automatically respond to an unencrypted database storing customer data by triggering a compliance violation alert and notifying the compliance team.

In the example, there are two risk modifiers configured: one for the system (src) and one for the user. Each modifier creates a separate risk event with a score of 10. Therefore, the detection will generate 2 risk events in total.

In Splunk SOAR Cloud, the Automation Broker is responsible for maintaining connectivity. It initiates an outbound SSL connection to Splunk Cloud (so no inbound firewall rules are needed) and also makes outbound connections to the managed endpoints to execute playbook actions securely.

By default, Splunk Enterprise Security associates risk scores with five levels: Info, Low, Medium, High, and Critical. These levels help prioritize security events and focus analyst attention on the most impactful risks.