Azure Sentinel

Do you have an idea or suggestion based on your experience with Azure Sentinel? We would love to hear it! 

Please take a few minutes to submit your ideas or vote up an idea submitted by another customer. All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure Sentinel. Remember that this site is only for feature suggestions and ideas!

For further reading on Azure Sentinel, see our documentation. For general discussion, use our discussion forum. For technical support, take advantage of these support options.
  1. Single pane of glass

    Sentinel should enable the aggregation of ASC, WDATP, CloudApp Security and all other sources of information that are Azure / O365 native - this is required for Incident Responders and Threat Hunters to do our job

    25 votes
    planned  ·  2 comments
  2. Make Sentinel support multiple tenants and directories

    As for now, Sentinel only supports a single tenant (and multiple subscriptions, as long as they belong to the same tenant).

    If Sentinel could support multiple tenants, then we can throw out our existing Q-Radar and support multiple organizations from one console, instead of having one console for each organization.

    20 votes
    2 comments
  3. Could we have an Umbrella connector please.

    Getting logs from Cisco Umbrella would be great. They do allow outputting of logs to an AWS S3 instance and I believe they have an API as well.

    20 votes
    1 comment
  4. Yara rules

    Sentinel should adopt Yara rules support to enable industry collaboration and improvement

    12 votes
    1 comment
  5. Integration with M365 ATP & EOP

    It will be better if it is integrated with M365 ATP & EOP (previously O 365 ATP) so that we can get the data & reports here in a single place.

    11 votes
    1 comment
  6. Automatic execution of Threat Hunting rules

    We love threat hunting! But the fact that we can't simply automate them from the dashboard is incredibly complicated. There should be an option to "turn this rule into an automatic alert".

    11 votes
    0 comments
  7. Pull logs from AWS S3

    Pull (and parse) custom logs from an AWS S3 bucket.
    There is a whole ecosystem of exchanging log data like that. Access should be governed by an AWS IAM Role and the logs should be JSON files in gzip archives.

    10 votes
    0 comments
  8. Pull API - data connector

    3rd-party cloud providers that support pull log files can be integrated with Azure Sentinel.
    Syslog is not an option that 100% covers our needs for the cloud era.

    10 votes
    2 comments
  9. Add a connector for Carbon Black.

    Carbon Black is a popular endpoint security tool where a native connector would be very welcome.

    7 votes
    0 comments
  10. DNS Connectors

    Upon enabling the DNS connector it only sends particular event logs up to Sentinel. Is/there should be a way to customise the logs that the connectors capture, or further information on how they work and the logs they are set up to send to Sentinel by default.

    Please assist with getting DNS analytical logs for DNS onto Sentinel.

    7 votes
    0 comments
  11. Connector for Windows Defender

    Create a Windows Defender connector for Azure Sentinel.

    6 votes
    0 comments
  12. Can you please add Juniper SRX Firewalls as a connected data source for Azure Sentinel?

    Can you please add Juniper Firewalls as a connected data source?

    5 votes
    1 comment
  13. Add TargetUser and TargetGroup from the SharePoint Sharing Schema to the Office 365 Data Connector

    The vital information TargetUserOrGroupType and TargetUserOrGroupName from the SharePoint Sharing schema referenced in the Office 365 Audit Logs here:

    https://docs.microsoft.com/en-us/office365/securitycompliance/use-sharing-auditing

    is missing from the data ingested by the Azure Sentinel Office 365 Data connector.

    The result is that key information about whom the information was shared with is missing and absent from Azure Sentinel, and I am unable to determine if the information was shared with a Guest identity or a Member identity.

    Please consider updating the Data Connector to include this valuable activity information to assist with data exfiltration analysis.

    5 votes
    1 comment
  14. Sigma support

    Sentinel should adopt the Sigma standard for rules to enable industry collaboration.

    5 votes
    0 comments
  15. Bulk deployment of rules

    I'd like to be able to deploy 1 use-case / rule against multiple workspaces simultaneously. This would help MSSPs that are trying to deploy new logic to multiple customers.

    5 votes
    0 comments
  16. Manually create an incident

    Sometimes we need to trigger an incident manually, to then "pull" events into it - not all incidents are automatically created by an alert.

    It would be great to have the ability to manually create an incident and "add" / "remove" notable events by hand / by query (as well as events from other non-Azure data sources)

    5 votes
    0 comments
  17. Updating resolution records from Sentinel to MCAS, ATP

    When an alert has been resolved in Sentinel, it has to be resolved in the respective source from where the alert is triggered (MCAS, ATP), or vice versa. As of now, we do not have that option. If we add an additional step of sending the records to SNOW, the alert needs to be closed in 3 places (SNOW, Sentinel and the Source).

    4 votes
    1 comment
  18. Allow for selection of playbooks to multiple rules at the same time

    When I have a playbook that applies to all rules, such as email incident notification, currently I have to open each rule individually in the portal and select the playbook. I should be able to select the playbook and associate it with as many selected (or all) rules as I want in one operation.

    4 votes
    0 comments
  19. Create a Single Search field to search all of the logs.

    Search all logs at the same time with normal human language instead of a query language. Similar to how Bing searches the internet, have a Bing-powered search that searches all of Azure Sentinel to find information on a user, term, or machine.

    4 votes
    0 comments
  20. View incidents assigned to me only

    Hello, it would be nice to be able to filter the Owner column in Incidents so each SOC member could view only what was assigned to them. Right now I can only sort that column. Is this something in the roadmap or are there other ways people can be notified as soon as an incident is assigned to them?

    3 votes
    0 comments