Log Analytics

Welcome to the Azure Log Analytics (https://azure.microsoft.com/en-us/services/log-analytics/) Feedback page. We appreciate your feedback and look forward to hearing from you. Use this site for new ideas and bug reports or to request help.
NOTE – Log Analytics is now a part of Operations Management Suite. Learn more at http://microsoft.com/OMS

How can we improve Azure Log Analytics ?

  1. Collect Azure Active Directory Security logs with OMS

    You should be able to see reports regarding "Azure Active Directory" Security logs. (sign-in/audit/...)

    There already is an Azure possibility to see Azure Active Directory Reports. It would be nice to have this data in OMS.

    158 votes
    planned  ·  6 comments  ·  Security and Audit Solution
  2. Expand Data Retention for Security and Audit IP

    Provide the ability to expand the data retention to 3-8 years. Some customers do have compliance rules to save their security related data for 8 years. When this can be accomplished, we will move our on-premise ACS implementations to OpInsights.

    148 votes
    7 comments  ·  Security and Audit Solution
  3. Being able to collect logs from OSX clients. All logs would be great; I'm specifically interested in security related events.

    Natively (no agent) send Syslog traffic to a collection point and have it upload the logs to Log Analytics.
    Use an agent to install on OSX that can send OSX logs to a collection point or direct to Log Analytics.
    I’m specifically interested in security related logs from Mac client machines on Enterprise networks. That said, if we were able to collect logs it shouldn’t be limited to security information. It would be nice to be able to see patch level, the ability to collect all logs, performance metrics, etc.

    44 votes
    1 comment  ·  Security and Audit Solution
  4. software inventory

    I'd like to be able to perform full software inventory on servers and be able to identify non-current versions of programs installed, e.g. Java, Adobe Reader etc.

    Management Suite should be able to push the newest versions to servers.

    44 votes
    2 comments  ·  Security and Audit Solution
  5. Syslog support by Windows agent

    I want to collect Syslog in a Windows-only, no-Linux environment:
    collect Syslog from NAS, routers and firewalls, and send it to Log Analytics.
    There are no Linux professionals.

    20 votes
    3 comments  ·  Security and Audit Solution
  6. Key vault

    Key Vault integration or other solution so that the customer owns the encryption key.

    10 votes
    2 comments  ·  Security and Audit Solution
  7. Resource Locks vs. Update Deployments

    An Azure 'No Delete' Resource Lock currently prevents addition or configuration of new OMS update deployments, generating an unspecified error. See Microsoft support case 117080416146171. My understanding is that in the background, creation of a new Update Deployment performs a delete action somewhere and then bombs out and generates an error such as "This update run could not be scheduled. Please check the computer names, and try again later."

    Have been told that this is not a bug, but a 'feature', so entering it here as a suggested change.

    7 votes
    0 comments  ·  Security and Audit Solution
  8. "Eicar" test functionality

    A similar test as the "Eicar" so we can show customers a demo of Threat Intelligence without introducing any risks.

    7 votes
    0 comments  ·  Security and Audit Solution
  9. Fix Windows2016 baseline detection

    I stumbled on some errors in the detection. For example:

    OSName,RuleSetting,ExpectedResult,ActualResult
    Windows Server 2016 Datacenter,"Privilege Rights : SeTrustedCredManAccessPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeTcbPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeCreateTokenPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeCreatePermanentPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeLockMemoryPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeRelabelPrivilege",0,"No One"

    According to the baseline, these user rights should not have any user or group assigned, but the detection expects 0 instead of "No One".

    Or do I need to make a support call for this?

    6 votes
    1 comment  ·  Security and Audit Solution
  10. Incorrect CCE-38444-6 Baseline Check

    When reviewing Azure Log Analytics Baselines and reviewing CCE-38444-6, it always shows as failing the audit.

    Digging deeper, it looks like it is expecting a result of "Disabled" when actually Disabled is 0, because this registry key is a DWORD value and not a STRING.

    See Screenshot Below

    6 votes
    2 comments  ·  Security and Audit Solution
  11. Azure Security Center Recommendations Log Analytics Query syntax

    Could someone point me in the direction of a resource that provides a mapping of the recommendations in Security Center (SC) with the associated Log Analytics query syntax? For example SC lists all of the machines that are not compliant with the recommendations in list below. I need to extract these results out into a spreadsheet and cannot see how to do this other than maybe running a query in Log analytics? If so does anyone know of a listing of these queries?

    Designate more than one owner on your subscription (Preview)
    Enable MFA for accounts with owner permissions on…

    5 votes
    1 comment  ·  Security and Audit Solution
  12. Log Analytics SecurityEvents - Add System data elements such as Keywords

    Currently, the SecurityEvents table is missing the System data elements from the native Windows Security Log events. Included in the System data elements is the Keywords data item, which indicates whether a specific event is an Audit Success or Audit Failure. This significantly reduces the usefulness of Log Analytics to track Security Audit events.

    5 votes
    1 comment  ·  Security and Audit Solution
  13. Make membername field facetable

    I am trying to search and find out security group changes for a user. The field I need is greyed out.

    The query I am running is Type=SecurityEvent EventID=4728 OR EventID=4729
    and I want to drill down into the MemberName field

    More info can be found here
    https://social.msdn.microsoft.com/Forums/azure/en-US/22a19ec3-a273-479a-8b7d-7aeb902d494b/fields-greyed-out?forum=opinsights

    Why is it unavailable, and can it be made available? It's a very useful security query.

    5 votes
    1 comment  ·  Security and Audit Solution
  14. Antimalware assessment - Sophos is not recognised

    The Antimalware Assessment currently does not cover systems which are protected by Sophos AV. Can we get this addressed?

    4 votes
    0 comments  ·  Security and Audit Solution
  15. SQL Extended Events

    Read SQL Extended Audit...
    The issue is that DB Admin needs a means to identify DDL changes to ANY database in our environments that is not intrusive… The issue for us is that we have given ALTER schema to development team for changing their stored procedures however that permission allows the user/login to make other changes to existing objects ….

    So…
    We can use extended events or audit to capture object changes etc. on SQL servers. Extended events are much more definable and write to a defined file when it occurs. I believe that MS has indicated that it favors…

    4 votes
    0 comments  ·  Security and Audit Solution
  16. Bitlocker

    Bitlocker
    - Computers that support TPM
    - Bitlocker Status
    - Compliance Status

    4 votes
    1 comment  ·  Security and Audit Solution
  17. Is there a way to ignore recommendations not in either of the Assessment solutions?

    There is functionality in place today to ignore recommendations for SQL and AD assessments. Can this be extended to the Security and Audit portion and the other solutions?

    3 votes
    0 comments  ·  Security and Audit Solution
  18. EMS

    You need to fully integrate Azure EMS into OMS. Azure is viewed as the identity management solution. You need to be 100% aligned with this. Currently you are not, and this needs to be resolved and integrated with the OMS workspace.

    3 votes
    0 comments  ·  Security and Audit Solution
  19. MessageTrace

    It would be nice to receive MessageTrace Logs from O365 into OMS so that we could be more proactive in seeing compromised accounts. This would allow us to be alerted say on a user that is sending 100 messages of the same subject out.

    3 votes
    0 comments  ·  Security and Audit Solution
  20. Windows file audit event columns - Add more data from the raw XML

    Please add more columns to EventIDs related to Windows file auditing. An example is the query Type=SecurityEvent EventID=4663. When the query is executed, lots of useful data is stuck in the EventData column, such as the SubjectUserName, ProcessID, ProcessName fields. Would be very nice to be able to search on these.

    2 votes
    1 comment  ·  Security and Audit Solution