Log Analytics

Welcome to the Azure Log Analytics (https://azure.microsoft.com/en-us/services/log-analytics/) Feedback page. We appreciate your feedback and look forward to hearing from you. Use this site for new ideas and bug reports or to request help.
NOTE: Log Analytics is now part of Operations Management Suite. Learn more at http://microsoft.com/OMS

How can we improve Azure Log Analytics?

  • DNAT or network rule alert and/or search query

    It would be nice to be able to search whether anyone specifically created a DNAT rule using Azure Firewall. At the moment it is only possible to create an Activity Log Alert for the "Creates or updates an Azure Firewall" event; however, that is not limited to the NAT Rule Collection only, but creates activity logs whenever the event falls under the below criteria, and you can create an alert on top of it. It is a broader alert for any activity within the Firewall resource.

    1 vote  ·  0 comments  ·  Security and Audit Solution
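The post above wants an alert that fires only when a DNAT rule is created, not on every write to the firewall resource. One way to get that precision without a product change is to snapshot the firewall resource and diff the DNAT collections between snapshots. The example below is added here and is not Microsoft's code; it assumes the ARM resource shape that `az network firewall show` returns (`properties.natRuleCollections[].properties.rules[]`), and both snapshots are constructed, not captured from a real subscription.

```python
"""Diff two Azure Firewall resource snapshots and report DNAT rules that were
added or changed. Added example, not Microsoft code. The JSON follows the ARM
shape of Microsoft.Network/azureFirewalls; every value below is constructed."""
import copy
import json

BEFORE = json.loads("""
{
  "name": "fw-hub",
  "type": "Microsoft.Network/azureFirewalls",
  "properties": {
    "natRuleCollections": [
      {"name": "inbound-rdp",
       "properties": {"priority": 100, "action": {"type": "Dnat"},
         "rules": [
           {"name": "rdp-jump", "protocols": ["TCP"],
            "sourceAddresses": ["203.0.113.0/24"],
            "destinationAddresses": ["198.51.100.10"],
            "destinationPorts": ["3389"],
            "translatedAddress": "10.0.1.4", "translatedPort": "3389"}
         ]}}
    ],
    "networkRuleCollections": []
  }
}
""")

# Second snapshot: one new DNAT rule exposed to any source, plus an unrelated
# network-rule change that must NOT show up as a DNAT finding.
AFTER = copy.deepcopy(BEFORE)
AFTER["properties"]["natRuleCollections"][0]["properties"]["rules"].append(
    {"name": "any-to-sql", "protocols": ["TCP"],
     "sourceAddresses": ["*"],
     "destinationAddresses": ["198.51.100.10"],
     "destinationPorts": ["1433"],
     "translatedAddress": "10.0.2.5", "translatedPort": "1433"})
AFTER["properties"]["networkRuleCollections"].append(
    {"name": "allow-dns", "properties": {"priority": 200,
     "action": {"type": "Allow"}, "rules": []}})


def dnat_rules(fw):
    """Flatten every rule of every DNAT collection into {(collection, rule): spec}."""
    out = {}
    for coll in fw["properties"].get("natRuleCollections", []):
        cprops = coll["properties"]
        if cprops.get("action", {}).get("type", "").lower() != "dnat":
            continue
        for rule in cprops.get("rules", []):
            out[(coll["name"], rule["name"])] = {
                "protocols": sorted(rule.get("protocols", [])),
                "sources": sorted(rule.get("sourceAddresses", [])),
                "destinations": sorted(rule.get("destinationAddresses", [])),
                "dest_ports": sorted(rule.get("destinationPorts", [])),
                "translated": (rule.get("translatedAddress") or rule.get("translatedFqdn"),
                               rule.get("translatedPort")),
            }
    return out


def new_dnat_rules(before, after):
    """DNAT rules present in `after` that are missing from, or differ in, `before`.
    Removals are deliberately not reported: the post asks about rule creation."""
    old, new = dnat_rules(before), dnat_rules(after)
    findings = []
    for key in sorted(new):
        spec = new[key]
        if old.get(key) == spec:
            continue
        findings.append({
            "collection": key[0],
            "rule": key[1],
            "change": "modified" if key in old else "added",
            "source_any": "*" in spec["sources"],   # Internet-wide exposure
            "spec": spec,
        })
    return findings


if __name__ == "__main__":
    for f in new_dnat_rules(BEFORE, AFTER):
        flag = " [SOURCE=ANY]" if f["source_any"] else ""
        print(f"{f['change']}: {f['collection']}/{f['rule']} "
              f"-> {f['spec']['translated']}{flag}")
```

Run this on snapshots taken before and after each "Creates or updates an Azure Firewall" activity event and you get the narrow signal the post asks for; the `source_any` flag is the case most worth paging on.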
  • Azure Security Center Recommendations Log Analytics Query syntax

    Could someone point me in the direction of a resource that provides a mapping of the recommendations in Security Center (SC) to the associated Log Analytics query syntax? For example, SC lists all of the machines that are not compliant with the recommendations in the list below. I need to extract these results into a spreadsheet and cannot see how to do this other than maybe running a query in Log Analytics. If so, does anyone know of a listing of these queries?

    Designate more than one owner on your subscription (Preview)
    Enable MFA for accounts with owner permissions on…

    5 votes  ·  1 comment  ·  Security and Audit Solution
  • Syslog support by Windows agent

    I want to collect Syslog in a Windows-only, no-Linux environment.
    Collect Syslog from NAS, routers and firewalls, and send it to Log Analytics.
    There are no Linux professionals.

    20 votes  ·  3 comments  ·  Security and Audit Solution
  • Collect Azure Active Directory Security logs with OMS

    You should be able to see reports regarding "Azure Active Directory" security logs (sign-in/audit/...).

    There already is an Azure possibility to see Azure Active Directory reports. It would be nice to have this data in OMS.

    158 votes  ·  planned  ·  6 comments  ·  Security and Audit Solution
  • Being able to collect logs from OSX clients. All logs would be great; I'm specifically interested in security related events.

    Natively (no agent) send Syslog traffic to a collection point and have it upload the logs to Log Analytics.
    Use an agent installed on OSX that can send OSX logs to a collection point or directly to Log Analytics.
    I'm specifically interested in security related logs from Mac client machines on enterprise networks. That said, if we were able to collect logs it shouldn't be limited to security information. It would be nice to be able to see patch level, the ability to collect all logs, performance metrics, etc.

    41 votes  ·  1 comment  ·  Security and Audit Solution
  • Expand Data Retention for Security and Audit IP

    Provide the ability to expand the data retention to 3-8 years. Some customers have compliance rules to retain their security related data for 8 years. When this can be accomplished, we will move our on-premises ACS implementations to OpInsights.

    148 votes  ·  7 comments  ·  Security and Audit Solution
  • Key vault

    Key Vault integration or another solution so that the customer owns the encryption key.

    10 votes  ·  2 comments  ·  Security and Audit Solution
  • Antimalware assessment - Sophos is not recognised

    The Antimalware Assessment currently does not cover systems which are protected by Sophos AV. Can we get this addressed?

    4 votes  ·  0 comments  ·  Security and Audit Solution
  • Log Analytics SecurityEvents - Add System data elements such as Keywords

    Currently, the SecurityEvents table is missing the System data elements from the native Windows Security Log events. Included in the System data elements is the Keywords data item, which indicates whether a specific event is an Audit Success or Audit Failure. This significantly reduces the usefulness of Log Analytics for tracking Security Audit events.

    4 votes  ·  1 comment  ·  Security and Audit Solution
  • Fix Windows 2016 baseline detection

    I stumbled on some errors in the detection. For example:

    OSName,RuleSetting,ExpectedResult,ActualResult
    Windows Server 2016 Datacenter,"Privilege Rights : SeTrustedCredManAccessPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeTcbPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeCreateTokenPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeCreatePermanentPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeLockMemoryPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeRelabelPrivilege",0,"No One"

    According to the baseline, these user rights should not have any user or group assigned, but the detection expects 0 instead of "No One".

    Or do I need to make a support call for this?

    6 votes  ·  1 comment  ·  Security and Audit Solution
  • Resource Locks vs. Update Deployments

    An Azure 'No Delete' Resource Lock currently prevents the addition or configuration of new OMS update deployments, generating an unspecified error. See Microsoft support case 117080416146171. My understanding is that in the background, creation of a new Update Deployment performs a delete action somewhere, then bombs out and generates an error such as "This update run could not be scheduled. Please check the computer names, and try again later."

    I have been told that this is not a bug but a 'feature', so I am entering it here as a suggested change.

    7 votes  ·  0 comments  ·  Security and Audit Solution
  • MessageTrace

    It would be nice to receive MessageTrace logs from O365 into OMS so that we could be more proactive in spotting compromised accounts. This would allow us to be alerted, say, on a user that is sending 100 messages with the same subject.

    3 votes  ·  0 comments  ·  Security and Audit Solution
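The detection the post above describes (one sender emitting many messages with the same subject in a short time) is easy to express once message-trace rows are available as records. The example below is added here and is not Microsoft's code; it assumes rows with the `Received`, `SenderAddress`, `RecipientAddress`, `Subject` and `Status` fields that Exchange Online message trace exports carry, and all rows are constructed. It uses a sliding time window rather than a flat daily count, so a slow, legitimate mailer does not trip the rule while a burst does.

```python
"""Sliding-window burst detector over Exchange Online message-trace rows.
Added example, not Microsoft code. Rows are constructed; field names follow
message trace output (Received, SenderAddress, RecipientAddress, Subject, Status)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


def normalize_subject(subject):
    """Fold case/whitespace and strip reply/forward prefixes so 'Re: Invoice'
    and 'invoice' count as the same campaign."""
    s = " ".join(subject.strip().lower().split())
    return re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", s)


def burst_senders(rows, threshold=100, window=timedelta(hours=1)):
    """Return one finding per (sender, subject) pair that reaches `threshold`
    messages inside any `window`-long span. Rows may arrive unsorted."""
    recent = defaultdict(deque)          # (sender, subject) -> timestamps in window
    findings = {}
    for r in sorted(rows, key=lambda r: r["Received"]):
        key = (r["SenderAddress"].lower(), normalize_subject(r["Subject"]))
        q = recent[key]
        q.append(r["Received"])
        while q and r["Received"] - q[0] > window:
            q.popleft()                  # drop messages older than the window
        if len(q) >= threshold and key not in findings:
            findings[key] = {"sender": key[0], "subject": key[1],
                             "count": len(q), "first": q[0], "last": r["Received"]}
    return list(findings.values())


def make_trace(sender, subjects, start, n, spacing):
    """Constructed message-trace rows: n messages from `sender`, `spacing` apart."""
    return [{"Received": start + i * spacing, "SenderAddress": sender,
             "RecipientAddress": f"ext{i}@example.net",
             "Subject": subjects[i % len(subjects)], "Status": "Delivered"}
            for i in range(n)]


T0 = datetime(2019, 3, 4, 9, 0, 0)
TRACE = (
    # compromised mailbox: 120 near-identical messages in six minutes
    make_trace("mallory@contoso.example", ["Invoice attached", "Re: invoice attached"],
               T0, 120, timedelta(seconds=3))
    # ordinary user: five messages
    + make_trace("alice@contoso.example", ["Lunch?"], T0, 5, timedelta(minutes=2))
    # scheduled report: 120 messages, but only one every ten minutes
    + make_trace("bob@contoso.example", ["Nightly report"], T0, 120, timedelta(minutes=10))
)

if __name__ == "__main__":
    for f in burst_senders(TRACE):
        print(f"{f['sender']} sent {f['count']} x '{f['subject']}' "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

The threshold of 100 is the figure from the post; in practice it is tuned per tenant, and the `Status` field can be used to count only delivered or pending messages so bounced spam does not double count.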
  • Windows file audit event columns - Add more data from the raw XML

    Please add more columns to the EventIDs related to Windows file auditing. An example is the query Type=SecurityEvent EventID=4663. When the query is executed, lots of useful data is stuck in the EventData column, such as the SubjectUserName, ProcessID and ProcessName fields. It would be very nice to be able to search on these.

    2 votes  ·  1 comment  ·  Security and Audit Solution
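Both the Keywords post earlier on this page and the 4663 post above come down to the same gap: fields that live in the raw Windows event XML (Keywords under System, SubjectUserName/ProcessName under EventData) are not first-class columns. The example below is added here and is not Microsoft's code; it shows how to flatten a Security event's XML into one row per event, decode the Keywords bitmask into Audit Success/Failure, and then run a simple failed-file-access detection over the rows. The two events are constructed; the XML shape follows the standard Windows event schema (the `http://schemas.microsoft.com/win/2004/08/events/event` namespace), and the Audit Success/Failure keyword bits (0x0020... and 0x0010...) are the documented standard keywords.

```python
"""Flatten Windows Security event XML (System + EventData) into rows and
classify Audit Success/Failure from the Keywords bitmask. Added example, not
Microsoft code; the two sample events are constructed."""
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
# Standard audit keywords: bit 53 = Audit Success, bit 52 = Audit Failure.
AUDIT_SUCCESS = 0x0020000000000000
AUDIT_FAILURE = 0x0010000000000000


def audit_result(keywords_hex):
    """Map the Keywords value (e.g. '0x8020000000000000') to a readable outcome."""
    kw = int(keywords_hex, 16)
    if kw & AUDIT_SUCCESS:
        return "Audit Success"
    if kw & AUDIT_FAILURE:
        return "Audit Failure"
    return "Unknown"


def flatten_event(xml_text):
    """One flat dict per event: selected System fields plus every EventData <Data Name=...>."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    row = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
        "Keywords": system.findtext("e:Keywords", namespaces=NS),
    }
    row["AuditResult"] = audit_result(row["Keywords"])
    for data in root.iterfind("e:EventData/e:Data", NS):
        if data.get("Name"):
            row[data.get("Name")] = data.text or ""
    return row


def failed_file_access(rows):
    """Detection: 4663 events carrying the Audit Failure keyword, i.e. access
    attempts the object's SACL recorded as failed."""
    return [{"user": r.get("SubjectUserName"), "process": r.get("ProcessName"),
             "object": r.get("ObjectName"), "computer": r["Computer"]}
            for r in rows if r["EventID"] == 4663 and r["AuditResult"] == "Audit Failure"]


def make_event(keywords, user, process, obj, record_id):
    """Constructed 4663 event in the Windows event XML shape; all values invented."""
    return f"""<Event xmlns="{EVT_NS}">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4663</EventID><Version>1</Version><Level>0</Level>
    <Task>12800</Task><Opcode>0</Opcode>
    <Keywords>{keywords}</Keywords>
    <TimeCreated SystemTime="2019-03-04T10:15:30.123456700Z"/>
    <EventRecordID>{record_id}</EventRecordID>
    <Execution ProcessID="4" ThreadID="88"/>
    <Channel>Security</Channel>
    <Computer>srv01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1004336348-1177238915-682003330-1001</Data>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">{obj}</Data>
    <Data Name="AccessMask">0x1</Data>
    <Data Name="ProcessId">0x1f40</Data>
    <Data Name="ProcessName">{process}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    make_event("0x8020000000000000", "jdoe", r"C:\Windows\System32\notepad.exe",
               r"C:\Finance\payroll.xlsx", 123456),
    make_event("0x8010000000000000", "svc-backup", r"C:\Tools\copy.exe",
               r"C:\Finance\payroll.xlsx", 123457),
]

if __name__ == "__main__":
    rows = [flatten_event(e) for e in SAMPLE_EVENTS]
    for f in failed_file_access(rows):
        print(f"DENIED {f['user']} via {f['process']} -> {f['object']} on {f['computer']}")
```

In a Log Analytics workspace the same idea can be applied with `parse_xml()` over the EventData column for the EventData half; the Keywords half needs the System section, which is exactly what the earlier post asks to have ingested.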
  • Process Name of Alert "Distinct malicious IP addresses accessed"

    I want to know the process name for the alert "Distinct malicious IP addresses accessed", so that I can take some protective action.
    If the process name is Outlook, I search the related mail;
    if the process name is Microsoft Edge, I search the URL.

    I would also like the URL or host name of the malicious IP address.

    2 votes  ·  0 comments  ·  Security and Audit Solution
  • Bitlocker

    Bitlocker
    - Computers that support TPM
    - Bitlocker status
    - Compliance status

    4 votes  ·  1 comment  ·  Security and Audit Solution
  • How To Configure Gmail SMTP Setup?

    Have a look at how the Gmail outgoing server setting can be configured in the appropriate manner.
    The foremost thing to do is to get quick access to the mail application's configuration dashboard.
    Moving forward, the user is required to fill in the relevant information related to the Gmail email SMTP settings.
    Make sure the SMTP server name is typed as smtp.gmail.com.
    Enter the username as the Gmail email address.
    Enter the accurate Gmail password in the password field.
    SMTP server port as 465.
    The user is required to check the authentication option.
    Once done, click on the finish option.
    Now the user can enjoy the email experience without any hassle. The user needs to know that there…

    2 votes  ·  0 comments  ·  Security and Audit Solution
  • Get Splendid Solution for issue related to Gmail SMTP Outgoing Server

    Is the user experiencing trouble in sending mails? If this is the issue, then the user is required to dig into the configuration settings of the Gmail outgoing server. SMTP is Simple Mail Transfer Protocol, which helps in quick delivery of mails. If the mails are not sent in the proper manner then it may happen that Gmail SMTP is not working. What to do to solve this situation? To avoid this situation the user is required to adopt some potential guidelines which can fix the issue in minimal time. http://www.gmailsupportchat.com/article/gmail-email-smtp-and-server-setting-configuration-support

    1 vote  ·  0 comments  ·  Security and Audit Solution
  • Incorrect CCE-38444-6 Baseline Check

    When reviewing Azure Log Analytics Baselines and looking at CCE-38444-6, it always shows as failing the audit.

    Digging deeper, it looks like it is expecting a result of "Disabled" when actually Disabled is 0, because this registry key is a DWORD value and not a STRING.

    See screenshot below.

    6 votes  ·  2 comments  ·  Security and Audit Solution
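The Windows 2016 baseline post earlier on this page and the CCE-38444-6 post above are the same class of false positive: the expected and actual values are semantically equal ("No One" versus 0 for an unassigned user right; "Disabled" versus a DWORD 0) but are compared as raw strings. The example below is added here and is not Microsoft's baseline engine; it re-evaluates the CSV rows the earlier post included, plus two constructed rows, once with a raw string comparison and once with type-aware normalisation. The registry value behind CCE-38444-6 is not named on the page, so that row is labelled as a generic DWORD check rather than a specific key.

```python
"""Compare baseline expected/actual values with type-aware normalisation so
that 'No One' == 0 for user rights and 'Disabled' == 0 for DWORD policies.
Added example, not Microsoft's baseline engine. The first six data rows are
the ones from the Windows 2016 post; the last two rows are constructed."""
import csv
import io

BASELINE_CSV = """OSName,RuleSetting,ExpectedResult,ActualResult
Windows Server 2016 Datacenter,"Privilege Rights : SeTrustedCredManAccessPrivilege",0,"No One"
Windows Server 2016 Datacenter,"Privilege Rights : SeTcbPrivilege",0,"No One"
Windows Server 2016 Datacenter,"Privilege Rights : SeCreateTokenPrivilege",0,"No One"
Windows Server 2016 Datacenter,"Privilege Rights : SeCreatePermanentPrivilege",0,"No One"
Windows Server 2016 Datacenter,"Privilege Rights : SeLockMemoryPrivilege",0,"No One"
Windows Server 2016 Datacenter,"Privilege Rights : SeRelabelPrivilege",0,"No One"
Windows Server 2016 Datacenter,"Privilege Rights : SeDebugPrivilege","Administrators","Administrators, Backup Operators"
Windows Server 2016 Datacenter,"CCE-38444-6 : registry DWORD policy (value name not on page)",Disabled,0
"""

# Spellings that all mean "no principal holds this right".
NOBODY = {"", "0", "no one", "nobody"}
# Enumerated policy states and their DWORD encodings.
ENUM = {"disabled": 0, "enabled": 1, "0": 0, "1": 1, "false": 0, "true": 1}


def normalize(rule_setting, value):
    """Canonical form of a baseline value, chosen by the kind of setting.
    User rights become a set of principals; DWORD-style policies become 0/1."""
    v = value.strip()
    if rule_setting.startswith("Privilege Rights"):
        principals = {p.strip() for p in v.split(",")}
        return frozenset(p for p in principals if p.lower() not in NOBODY)
    return ENUM.get(v.lower(), v.lower())


def evaluate(csv_text, smart=True):
    """Return the RuleSetting names that fail. smart=False reproduces the raw
    string comparison that produces the false positives the posts describe."""
    failing = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        expected, actual = row["ExpectedResult"], row["ActualResult"]
        if smart:
            ok = (normalize(row["RuleSetting"], expected)
                  == normalize(row["RuleSetting"], actual))
        else:
            ok = expected == actual
        if not ok:
            failing.append(row["RuleSetting"])
    return failing


if __name__ == "__main__":
    print("raw comparison fails :", len(evaluate(BASELINE_CSV, smart=False)))
    print("normalised fails     :", evaluate(BASELINE_CSV))
```

Only the SeDebugPrivilege row is a real finding: an extra group holds a right the baseline reserves for Administrators. The six "No One" rows and the DWORD row pass once the comparison understands the value types, which is the fix both posts are asking for.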
  • "Eicar" test functionality

    A test similar to "Eicar" so we can show customers a demo of Threat Intelligence without introducing any risks.

    7 votes  ·  0 comments  ·  Security and Audit Solution
  • Predictive telemetry with Azure ML and TDSP

    Connect your telemetry with Machine Learning and a predictive environment to detect typologies of events: server configuration, performance tracking, health events, GPO audit, SQL events, audit, quality...

    1 vote  ·  0 comments  ·  Security and Audit Solution