Azure Monitor-Log Analytics
Welcome to the "Azure Log Analytics ":https://azure.microsoft.com/en-us/services/log-analytics/ Feedback page. We appreciate your feedback and look forward to hearing from you. Use this site for new ideas and bug reports or to request help.
NOTE – Log Analytics is now a part of Operations Management Suite. Learn more at http://microsoft.com/OMS
- For general discussion/question and answers (not ideas and bug reports) use the MSDN Forum
- Onboarding issues? Read this troubleshooting guide
- How do I do XYZ? Try our documentation
- Customers with Premier support can log support cases via Premier
- Customers with Azure support agreements can log support cases in the Azure portal
-
Expand Data Retention for Security and Audit IP
Provide to ability to expand the data retention to 3-8 years. Some customers do have compliance rules to save their security related data for 8 years. When this could be accomplished we move our ACS implementations on premise to OpInsights.
184 votesThis feature is currently being reviewed and worked upon by the team , which is exploring new methods for longer retention, will keep this thread updated accordingly.
-
software inventory
I'd like to be able to perform full software inventory on servers and be able to identify non-current versions of programs installed, i.e. JAVA, Adobe Reader etc.
Management Suite should be able to push the newest versions to servers.
46 votesWe are investigating something in the direction of inventory, but it’s at an early stage of thinking.
-
Being able to collect logs from OSX clients. All logs would be great; I'm specifically interested in security related events.
Natively (no agent) send Syslog traffic to a collection point and have it upload the logs to Log Analytics.
Use an agent to install on OSX that can send OSX logs to a collection point or direct to Log Analytics.
I’m specifically interested in security related logs from Mac client machines on Enterprise networks. That said if were able to collect logs it shouldn’t be limited to security information. It would be nice to be able to see patch level, ability to collect all logs, performance metrics, etc.45 votesGreat suggestion, and thanks for the detailed description. We’re always looking to expand the systems we collect data from, and seeing folks vote for this will help us prioritize when this happens.
-
Syslog support by Windows agent
I want to collect Syslog in some Windows, no-Linux environment.
Syslog collect from NAS, Router, Firewall, and send to Log Analytics.
and There are no Linux professional.31 votes -
Log Analytics SecurityEvents - Add System data elements such as Keywords
Currently, the SecurityEvents table is missing the System data elements from the native Windows Security Log events. Included in the System data elements is the Keywords data item which indicates whether a specific event is an Audit Success or Audit Failure. This significantly reduces the usefulness of LogAnaylytics to track Security Audit events.
15 votes -
parameterize externaldata() argument
Parameterize this function so that we can easily integrate API calls in KQL.
Example:
externaldata(businessName: string, isp:string, businessWebsite: string)
[
h@strcat(tostring("https://getip.com/json/"),tostring(IP))
]
with(format="multijson")The end goal would be to make a list from make_list() and then use that list in the requestURL needed in externaldata()
15 votes -
Key vault
Key Vault integration or other solution so that the customer ownes the encryption key.
10 votesDetails of how we secure data is described here:
https://technet.microsoft.com/en-us/library/mt484103.aspxIs there a specific thing related to encryption that you would like supported?
Thanks
Richard
-
Azure Security Center Recommendations Log Analytics Query syntax
Could someone point me in the direction of a resource that provides a mapping of the recommendations in Security Center (SC) with the associated Log Analytics query syntax? For example SC lists all of the machines that are not compliant with the recommendations in list below. I need to extract these results out into a spreadsheet and cannot see how to do this other than maybe running a query in Log analytics? If so does anyone know of a listing of these queries?
Designate more than one owner on your subscription (Preview)
Enable MFA for accounts with owner permissions on…8 votes -
Bitlocker
Bitlocker
- Computers that support TPM
- Bitlocker Status
- Compliance Status7 votes -
Resource Locks vs. Update Deployments
An Azure 'No Delete' Resource Lock currently prevents addition or configuration of new OMS update deployments; generating an unspecified error. See Microsoft support case 117080416146171. Understanding is that in the background, creation of a new Update Deployment performs a delete action somewhere and then will bomb out and generate an error such as "This update run could not be scheduled. Please check the computer names, and try again later."
Have been told that this is not a bug, but a 'feature', so entering it here as a suggested change.
7 votes -
"Eicar" test functionality
A similar test as the "Eicar" so we can show customers a demo of Threat Intelligence without introducing any risks.
7 votes -
MessageTrace
It would be nice to receive MessageTrace Logs from O365 into OMS so that we could be more proactive in seeing compromised accounts. This would allow us to be alerted say on a user that is sending 100 messages of the same subject out.
6 votes -
Incorrect CCE-38444-6 Baseline Check
When reviewing Azure Log Analytics Baselines and review CCE-38444-6 it always shows as failing the audit
Digging deeper it looks like it is Expecting a Result of Disabled when actually Disabled is 0 due to this registry key being a DWORD value and Not STRING
See Screenshot Below
6 votesThank you for reporting this issue.
We filed a bug on this and will fix as soon as possible. -
Fix Windows2016 baseline detection
I stumble on some error in the detection. For example :
OSName,RuleSetting,ExpectedResult,ActualResult
Windows Server 2016 Datacenter,"Privilege Rights : SeTrustedCredManAccessPrivilege",0,"No One"
Windows Server 2016 Datacenter,"Privilege Rights : SeTcbPrivilege",0,"No One"
Windows Server 2016 Datacenter,"Privilege Rights : SeCreateTokenPrivilege",0,"No One"
Windows Server 2016 Datacenter,"Privilege Rights : SeCreatePermanentPrivilege",0,"No One"
Windows Server 2016 Datacenter,"Privilege Rights : SeLockMemoryPrivilege",0,"No One"
Windows Server 2016 Datacenter,"Privilege Rights : SeRelabelPrivilege",0,"No One"These user right should according the baseline no have an user of group assigned but detection expects 0 instead on "No One"
Or do I need to make a support call for this?
6 votes -
Make membername field facetable
I am trying to search and find out security group changes for a user. The field I need is greyed out.
The query I am running is Type=SecurityEvent EventID=4728 OR EventID=4729
and I want to drill down into the MemberName fieldMore info can be found here
https://social.msdn.microsoft.com/Forums/azure/en-US/22a19ec3-a273-479a-8b7d-7aeb902d494b/fields-greyed-out?forum=opinsightsWhy is it unavailable, and can it be made available? it's a very useful security query.
5 votesWill forward to the team to see if that field can be enabled as facetable.
Thanks -
Antimalware assessment - Sophos is not recognised
The Antimalware Assessment currently does not cover systems which are protected by Sophos AV. Can we get this addressed ?
4 votes -
SQL Extended Events
Read SQL Extended Audit...
The issue is that DB Admin needs a means to identify DDL changes to ANY database in our environments that is not intrusive… The issue for us is that we have given ALTER schema to development team for changing their stored procedures however that permission allows the user/login to make other changes to existing objects ….So…
We can use extended events or audit to capture object changes etc. on SQL servers. Extended events are much more definable and write to a defined file when it occurs. I believe that MS has indicated that it favors…4 votesthanks for the suggestion
-
EMS
You need to fully integrate Azure ems into OMS. Azure is viewed as the identity management solution. you need to be 100% aligned with this . Currently you are not and this needs to be resolved and integrated with OMS workspace
3 votes -
Is there a way to ignore recommendations not in either of the Assessment solutions?
There is functionality in place today to ignore recommendations for SQL and AD assessments. Can this be extended to the Security and Audit portion and the other solutions?
3 votesCan you provide examples of some of the recommendations you’d like to ignore in the security and audit solution?
-
Process Name of Alert "Distinct malicious IP addresses accessed"
I want to know the process name of the Alert "Distinct malicious IP addresses accessed", for do some protection.
If the process name is Outlook, I search related mail,
If the process name is Microsoft Edge, I search the url.and I hope the url or host name of mailicious IP address.
2 votes
- Don't see your idea?