Log Analytics

Welcome to the Azure Log Analytics (https://azure.microsoft.com/en-us/services/log-analytics/) Feedback page. We appreciate your feedback and look forward to hearing from you. Use this site for new ideas and bug reports or to request help.
NOTE – Log Analytics is now a part of Operations Management Suite. Learn more at http://microsoft.com/OMS

How can we improve Azure Log Analytics ?


  • Collect Azure Active Directory Security logs with OMS

    You should be able to see reports regarding "Azure Active Directory" Security logs (sign-in/audit/...).

    There already is an Azure possibility to see Azure Active Directory Reports. It would be nice to have this data in OMS.

    157 votes
    planned · 6 comments · Security and Audit Solution
  • Expand Data Retention for Security and Audit IP

    Provide the ability to expand the data retention to 3-8 years. Some customers have compliance rules to save their security-related data for 8 years. When this can be accomplished we will move our on-premise ACS implementations to OpInsights.

    148 votes
    7 comments · Security and Audit Solution
  • Software inventory

    I'd like to be able to perform a full software inventory on servers and be able to identify non-current versions of installed programs, e.g. Java, Adobe Reader etc.

    Management Suite should be able to push the newest versions to servers.

    44 votes
    2 comments · Security and Audit Solution
  • Being able to collect logs from OSX clients. All logs would be great; I'm specifically interested in security-related events.

    Natively (no agent) send Syslog traffic to a collection point and have it upload the logs to Log Analytics.
    Use an agent installed on OSX that can send OSX logs to a collection point or directly to Log Analytics.
    I'm specifically interested in security-related logs from Mac client machines on enterprise networks. That said, if we were able to collect logs it shouldn't be limited to security information. It would be nice to be able to see patch level, have the ability to collect all logs, performance metrics, etc.

    38 votes
    1 comment · Security and Audit Solution
  • Syslog support by Windows agent

    I want to collect Syslog in a Windows-only (no Linux) environment:
    collect Syslog from NAS, routers and firewalls and send it to Log Analytics.
    There are no Linux professionals.

    17 votes
    3 comments · Security and Audit Solution
  • Key vault

    Key Vault integration or another solution so that the customer owns the encryption key.

    10 votes
    2 comments · Security and Audit Solution
  • Resource Locks vs. Update Deployments

    An Azure 'No Delete' Resource Lock currently prevents addition or configuration of new OMS update deployments, generating an unspecified error. See Microsoft support case 117080416146171. My understanding is that in the background, creation of a new Update Deployment performs a delete action somewhere, then bombs out and generates an error such as "This update run could not be scheduled. Please check the computer names, and try again later."

    I have been told that this is not a bug but a 'feature', so I am entering it here as a suggested change.

    7 votes
    0 comments · Security and Audit Solution
  • "Eicar" test functionality

    A test similar to "Eicar" so we can show customers a demo of Threat Intelligence without introducing any risks.

    7 votes
    0 comments · Security and Audit Solution
  • Fix Windows 2016 baseline detection

    I stumbled on some errors in the detection. For example:

    OSName,RuleSetting,ExpectedResult,ActualResult
    Windows Server 2016 Datacenter,"Privilege Rights : SeTrustedCredManAccessPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeTcbPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeCreateTokenPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeCreatePermanentPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeLockMemoryPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeRelabelPrivilege",0,"No One"

    According to the baseline these user rights should have no user or group assigned, but the detection expects 0 instead of "No One".

    Or do I need to make a support call for this?

    6 votes
    1 comment · Security and Audit Solution
  • Incorrect CCE-38444-6 Baseline Check

    When reviewing Azure Log Analytics Baselines and looking at CCE-38444-6, it always shows as failing the audit.

    Digging deeper, it looks like it is expecting a result of Disabled when actually Disabled is 0, due to this registry key being a DWORD value and not a STRING.

    See screenshot below.

    6 votes
    2 comments · Security and Audit Solution
  • Make MemberName field facetable

    I am trying to search and find out security group changes for a user. The field I need is greyed out.

    The query I am running is Type=SecurityEvent EventID=4728 OR EventID=4729
    and I want to drill down into the MemberName field.

    More info can be found here:
    https://social.msdn.microsoft.com/Forums/azure/en-US/22a19ec3-a273-479a-8b7d-7aeb902d494b/fields-greyed-out?forum=opinsights

    Why is it unavailable, and can it be made available? It's a very useful security query.

    5 votes
    1 comment · Security and Audit Solution
  • Azure Security Center Recommendations Log Analytics Query syntax

    Could someone point me in the direction of a resource that provides a mapping of the recommendations in Security Center (SC) to the associated Log Analytics query syntax? For example, SC lists all of the machines that are not compliant with the recommendations in the list below. I need to extract these results into a spreadsheet and cannot see how to do this other than maybe running a query in Log Analytics. If so, does anyone know of a listing of these queries?

    Designate more than one owner on your subscription (Preview)
    Enable MFA for accounts with owner permissions on…

    4 votes
    1 comment · Security and Audit Solution
  • Log Analytics SecurityEvents - Add System data elements such as Keywords

    Currently, the SecurityEvents table is missing the System data elements from the native Windows Security Log events. Included in the System data elements is the Keywords data item, which indicates whether a specific event is an Audit Success or Audit Failure. This significantly reduces the usefulness of Log Analytics for tracking Security Audit events.

    4 votes
    1 comment · Security and Audit Solution
  • Antimalware assessment - Sophos is not recognised

    The Antimalware Assessment currently does not cover systems which are protected by Sophos AV. Can we get this addressed?

    4 votes
    0 comments · Security and Audit Solution
  • SQL Extended Events

    Read SQL Extended Audit...
    The issue is that the DB Admin needs a means to identify DDL changes to ANY database in our environments that is not intrusive… The issue for us is that we have given ALTER schema to the development team for changing their stored procedures; however, that permission allows the user/login to make other changes to existing objects ….

    So…
    We can use extended events or audit to capture object changes etc. on SQL servers. Extended events are much more definable and write to a defined file when they occur. I believe that MS has indicated that it favors…

    4 votes
    0 comments · Security and Audit Solution
  • Bitlocker

    Bitlocker
    - Computers that support TPM
    - Bitlocker Status
    - Compliance Status

    4 votes
    1 comment · Security and Audit Solution
  • Is there a way to ignore recommendations not in either of the Assessment solutions?

    There is functionality in place today to ignore recommendations for SQL and AD assessments. Can this be extended to the Security and Audit portion and the other solutions?

    3 votes
    0 comments · Security and Audit Solution
  • EMS

    You need to fully integrate Azure EMS into OMS. Azure is viewed as the identity management solution; you need to be 100% aligned with this. Currently you are not, and this needs to be resolved and integrated with the OMS workspace.

    3 votes
    0 comments · Security and Audit Solution
  • MessageTrace

    It would be nice to receive MessageTrace logs from O365 into OMS so that we could be more proactive in seeing compromised accounts. This would allow us to be alerted, say, on a user that is sending 100 messages with the same subject.

    3 votes
    0 comments · Security and Audit Solution
  • Windows file audit event columns - Add more data from the raw XML

    Please add more columns to EventIDs related to Windows file auditing. An example is the query Type=SecurityEvent EventID=4663. When the query is executed, lots of useful data is stuck in the EventData column, such as the SubjectUserName, ProcessID and ProcessName fields. It would be very nice to be able to search on these.

    2 votes
    1 comment · Security and Audit Solution
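Until those fields exist as their own columns, they can be pulled out of the EventData XML that the SecurityEvent row carries. The parser below is an added example, not code from the post or from Microsoft; the XML is a constructed 4663 EventData fragment in the shape the Windows Security log writes it (Windows spells the process field ProcessId), and the ObjectName and AccessMask columns are an addition beyond the three fields the post names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the EventData portion of a Windows Security event 4663
# (an attempt was made to access an object). All values are made up.
SAMPLE_EVENT_DATA = """
<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1001</Data>
  <Data Name="SubjectUserName">jdoe</Data>
  <Data Name="SubjectDomainName">CORP</Data>
  <Data Name="SubjectLogonId">0x3e7a1</Data>
  <Data Name="ObjectServer">Security</Data>
  <Data Name="ObjectType">File</Data>
  <Data Name="ObjectName">C:\\Finance\\payroll.xlsx</Data>
  <Data Name="HandleId">0x1f4</Data>
  <Data Name="AccessList">%%4417</Data>
  <Data Name="AccessMask">0x2</Data>
  <Data Name="ProcessId">0x12c0</Data>
  <Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
</EventData>
"""

# The three fields the post wants to search on, plus two that help file-audit
# triage (which object was touched and with what access). The last two are our
# addition, not part of the post.
WANTED = ("SubjectUserName", "ProcessId", "ProcessName", "ObjectName", "AccessMask")


def parse_event_data(xml_text: str) -> dict:
    """Turn every <Data Name="..."> child of an EventData blob into a dict entry."""
    root = ET.fromstring(xml_text.strip())
    fields = {}
    for node in root.iter():
        # Namespaced tags look like "{uri}Data"; compare on the local name only so
        # the same code handles fragments exported with or without the xmlns.
        if node.tag.rsplit("}", 1)[-1] == "Data" and node.get("Name"):
            fields[node.get("Name")] = (node.text or "").strip()
    return fields


def extract_columns(xml_text: str, wanted=WANTED) -> dict:
    """Project the parsed EventData down to the searchable columns we want.

    Fields absent from a given event come back as None instead of raising, since
    not every 4663 variant carries every Data element.
    """
    fields = parse_event_data(xml_text)
    return {name: fields.get(name) for name in wanted}


if __name__ == "__main__":
    for column, value in extract_columns(SAMPLE_EVENT_DATA).items():
        print(f"{column:16} {value}")
```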