Azure Monitor-Log Analytics

Welcome to the Azure Log Analytics (https://azure.microsoft.com/en-us/services/log-analytics/) Feedback page. We appreciate your feedback and look forward to hearing from you. Use this site for new ideas and bug reports or to request help.
NOTE – Log Analytics is now a part of Operations Management Suite. Learn more at http://microsoft.com/OMS

  1. Need the ability to filter security events before they're collected

    The security SP badly needs:
    - security log filtering so that only specific scenarios can be consolidated to the cloud. Mind don't assume they're connected through OpsMgr, since OpInsights lacks any multitenancy, security scenarios are the first that would need separate workspaces to limit access to the data
    - there are some common scenarios that need to be addressed on the collected data, for example there should be an easy way to discard logons by computer accounts (account ending with $).
    - pricing for Security IP risks to put OpInsights out of play, it's way too expensive, a single DC…

    166 votes
    13 comments  ·  Security and Audit Solution

    Thank you for your patience,
    Based on your feedback we have completed the work to enable FILTER security events before collection.
    Here is the blog post on this:
    https://blogs.technet.microsoft.com/msoms/2016/11/08/filter-the-security-events-the-oms-security-collects/

    We are working on the Solution Targeting feature, which will provide you the ability to select the scope of the computers per each solution. Please expect the public preview later on this year.
    Thanks,
    —Tigran

  2. Malware real-time detection integration with Digital crime unit knowledge feed

    Are you going to integrate with the MSFT Digital Crime Unit for detecting Malware Close to realtime and provide a notification Service via Apps on mobile phones? This will be a serious business case for leveraging OI Azure Services.

    9 votes
    1 comment  ·  Security and Audit Solution
  3. TimeGenerated For Firewall traffic data is not correct

    For Security and Audit solution we can enable Firewall logging to be sent to OMS as I am describing here:
    https://cloudadministrator.wordpress.com/2015/05/28/windows-firewall-auditing-with-operations-management-suite/
    The logs for firewall are logged with time depending on the time zone configured on the local server. OMS probably treats the time in GMT, as if you shut down a server you can still see Firewall logs being logged in OMS after the time of shutdown. This incorrect information breaks scenarios like this:
    * | Measure Max(TimeGenerated) as LastData by Computer | Where LastData<NOW-10MINUTES
    to show servers not sending data for specific interval.

    7 votes
    0 comments  ·  Security and Audit Solution

    It’s as you say – it was local time.

    The team confirmed they were already aware of this and had already been working on a fix to convert the time back to UTC at the agent before sending…. this should have been now deployed for a few weeks. Let us know if you see otherwise.

  4. Programmatically add intelligence pack connections (like Office 365)

    Right now, I have to go in manually (old world) and type in my username and password (old world) for Office 365 to get it enabled into monitoring.

    When I set up a tenant, I don't want to have to click and type, nor anyone to see passwords. I want to automate and manage my passwords and connections securely through automation / orchestration solutions.

    Thus, I'd like Powershell or other API endpoints to configure and connect OMS to sources such as Office 365, and also to be able to change the password and/or account used to connect to such sources.

    6 votes
    completed  ·  0 comments  ·  Security and Audit Solution
  5. Security IP doesn't show accounts and logon types and other data in facets

    In a newly created workspace, after 24 hours, even if the security events are collected and are searchable, the facets for user accounts, logon type, processes are empty.

    5 votes
    0 comments  ·  Security and Audit Solution
  6. Bug in Security and Audit Tile

    Security and Audit Tile bug:

    Both metrics read Active Computers in the last 24 hours.

    The 2nd metric should actually read:
    Active Accounts in the last 24 hours

    4 votes
    0 comments  ·  Security and Audit Solution
  7. security and audit Tile - inaccessible => bug?

    I added this solution to my OMS portal, I can now see it in the main dashboard, however, clicking on it does nothing... (?).

    I was able to get into it via Solution Gallery > choosing it -> View.

    I checked that on IE 11 and Edge browsers.

    2 votes
    1 comment  ·  Security and Audit Solution
  8. EventSourceName is not handled right

    When I use the following query:
    * SourceSystem=AzureStorage | Measure count() by EventSourceName
    I get a strange result. Instead of getting one result with the following value Microsoft-Windows-Security-Auditing I get four results:
    Microsoft
    Security
    Windows
    Auditing.
    Seems dash ("-") is not handled correctly.
    Attaching screenshot

    1 vote
    5 comments  ·  Security and Audit Solution
  9. DATE(s) on charts - timeline not just hours

    DATE(s) for any chart displayed e.g. use the X axis ...recently some charts were changed to display hours of e.g. security events, logins etc. - if I need to show this info to management or client and want to capture a screenshot - the chart without the date(s) is questionable, does not show history, cannot be used to support my monitoring/ auditing reports...

    1 vote
    completed  ·  0 comments  ·  Security and Audit Solution