One of my customers build Iot Solution based on multiple Azure Services (web Apps, service fabric, sql, iot hub, service bus, application insights).
We started using OMS as a single point of monitoring. OMS covering almost all services from our set, except of IoT... it's a gap in a our solution, because we must use big azure portal to initial investigation.

Please, add native support for IoT Hub and Service Bus as a solution to OMS.

If we need more details, please contact with me

It would be welcomed to see a possibility to configure user permissions on a solution level. Currently if we allow users to an OMS workspace they will see every solution and every data and every log, which is not preferred.

Hi,

I am working on deployment of a new site. We are planning for Azure Security Center(ASC) implementation. But we do have SIEM(ArcSight) solution already in place for an older site. Now my question is do I really need to send those Azure Security Center (New Site) logs to already existing (Old Site) SIEM ArcSight? Or Azure Security Center alone capable as a primary SIEM solution?

P.S.: The reason I am asking this because integrating Azure Security Center logs with ArcSight will add extra cost such us (Connector, Extra GB license, Increasing EPS etc. etc.).

Breadcrumb style navigation is not fully implemented. It would be great to be able to go back from log search to the solution from where I got there. For example I select DNS analytics solution, click on any of the section, and if I choose to see the exact entry it takes me to the log search window from where I cannot go back, unless I use browser navigation.

Expose OMS REST API to post ticket information by custom ITSM implementations who don't support or provide REST APIs to pull ticket information through querying at regular intervals (example: every 15 minutes).

We already log in UTC timezone on our machines, but the monitoring agent thinks it is in local time so it converts it.
It would be great to have an option to switch between local and utc time when we are setting the delimiters for the logs

When accessing Service Map data in the portal, it doesnt allow to directly jump to a computer or machine group.

When calling Service Maps from external tools, it would be great to directly jump to a particular machine for diagnosis.

Those links could be pinned to the azure dashboard or simply saved as a favourite on the webbrowser.

Make the values for signature-ou-of-date etc. customizable. The default 14 days is way to far in the past.

Signature out of date devices are devices with signature older than 14 days.

Import Application specific logs from Blob Storage or Table entries into Log Analytics for Azure Functions

Table view only displays the first column of multiple groupings. Example:
Type:W3CIISLog | measure sum(TimeTaken) as TotalTime by sSiteName, csUriStem
Click Table view.
The column sSiteName shows up in Table view but csUriStem does not.

It would be nice to receive MessageTrace Logs from O365 into OMS so that we could be more proactive in seeing compromised accounts. This would allow us to be alerted say on a user that is sending 100 messages of the same subject out.

The Date facet in the log query screen seems to apply inconsistently - if I specificy the timeframe I want to query it may or may not override my query and use it's set default range
e.g. I use TimeGenerated>NOW-30DAYS in my query, but as I have NOT adjusted the Date facet it restricts my results to the "Data based on the last 1 day" - which is what the Date facet is set to by default for each new query
It would be good if Date filter could be turned off for queries

In order to add to the Network Monitoring piece it would be useful to also allow collection of Netflow logs for analysis and visualization

I want to get a graphical overview of the occurence of some event and I want to do so in a 5 minute interval. That search could fx be
Type=Error_CL | measure count() interval 5minute
The event occurs much less often than on a 5 minute interval, so I expect the graph to go to 0 most of the time but it doesn't.
To be explicit, I expect:
No graph until first event.
No graph beyond last event.
Graph in between first and last event is 0 when there are no events - not interpolated.
See attachment.

For the main OMS dashboard, we need the ability for each individual tile to have its own "time duration" for graphs & charts. We have some tiles that need to show the last 24 hours, and some that need to show the last 7 days

The O365 pack gets logs of file sharing operations, and the user who shared, but the UserSharedWith is always blank. This is accessible in O365 audit logs

Extend the OMS Extend keyword to permit mapping of a field value such as Windows EventID to a business friendly term. Example:

Type=SecurityEvent EventID IN {4728,4729} | Extend if(EventID=4728,"ADD","REMOVE")

Please, enable capability to apply a single custom field to more CL. Or, capability to create a Sub-CL

Need to create custom fields by standard delimiters (i.e. | , ;)