Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Sentinel

Do you have an idea or suggestion based on your experience with Azure Sentinel? We would love to hear it! 

Please take a few minutes to submit your ideas or vote up an idea submitted by another customer. All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure Sentinel. Remember that this site is only for feature suggestions and ideas!

For further reading on Azure Sentinel, see our documentation. For general discussion, use our discussion forum. For technical support, take advantage of these support options.
  1. Assigning owner to incident - limit dropdown box of users to a subset (group)

    When assigning the owner of an incident in Sentinel we are seeing in the dropdown box all of the users in the tenant. It would be nice to be able to limit the users in the dropdown box to a subset (i.e. SOC members) of the users.

    42 votes

    under review  ·  2 comments
  2. Linking Sophos Endpoint Protection With Azure Sentinel

    New data connector to link Sophos Endpoint Protection logs with Azure Sentinel.

    32 votes

    under review  ·  0 comments
  3. Add Playbook trigger for when an Azure Sentinel Incident changes

    Create a playbook trigger for when an incident changes, to support actions like emailing a user when they are assigned a new incident, or emailing management if an incident's severity is lowered.

    24 votes

    started  ·  1 comment
  4. Allow for selection of playbooks with all rules types (not just scheduled)

    Currently playbooks can only be selected with scheduled rules. "Fusion", "ML Behavior Analytics" and "Microsoft Security (Preview)" rule types don't allow for an Automated Response. We need to get email notification of every type of incident, not just scheduled rule type.

    23 votes

    started  ·  2 comments
  5. Integrate python plugin for Kusto in Sentinel

    It would be very handy to have the python plugin for Kusto enabled within Sentinel. The python plugin for Kusto is documented here:

    https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/pythonplugin

    This plugin makes it possible to use python code within your Kusto query. This plugin is already available for Azure Data Explorer, but not for Sentinel:

    "Plugin 'python' is disabled"

    22 votes

    under review  ·  1 comment
  6. Netflow ingestion

    Direct ingestion of netflow data would be awfully nice.

    19 votes

    planned  ·  1 comment
  7. Pull logs from AWS S3

    Pull (and parse) custom logs from an AWS S3 bucket.
    There is a whole ecosystem of exchanging log data like that. Access should be governed by an AWS IAM role, and the logs should be JSON files in gzip archives.

    19 votes

    0 comments
  8. Collect Azure ATP health alert

    Currently the Azure ATP data connector can only collect security alerts and cannot collect health alerts such as "Sensor stopped communicating".
    Therefore it would be really appreciated if health alerts could be collected in Azure Sentinel.

    18 votes

    under review  ·  0 comments
  9. Connector Automation

    Some connectors require that you periodically check their connector page to see if any new subscriptions have been created, and then the admin must manually connect those subscriptions (e.g. Azure Activity or Azure Security Center). If there were a way to say "Enable this connector for all subscriptions (current and future) under this Management Group", or even just a blanket "Enable this connector (current and future) wherever I'm authorized to", that would reduce the amount of time Security Analysts/Engineers have to spend making sure they have the appropriate coverage, and allow them to do things like hunting.

    16 votes

    started  ·  1 comment
  10. Create a Splunk-style Universal Forwarder for On-premises Connectivity

    I think many people will have existing on-premises log collection infrastructures collecting data using standard methods such as NXLog and syslog. The current method to send syslog data into Sentinel requires building out even more infrastructure in the form of some Linux boxes. Please just make it easy with a universal forwarder that can be installed on existing Windows or Linux syslog infrastructure to send data as a file into Sentinel (as you can with Splunk Cloud).

    16 votes

    under review  ·  2 comments
  11. Exchange Online Trace Logs Connector

    Currently there is no Office 365 Exchange trace log connector.

    The current method is to access the trace logs via the REST URI (https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?),

    upload the logs to Sentinel via a Logic App or another process, and query them via MessageTraceLogs_CL.

    It would be useful for a connector to be available that directly pushes the Exchange trace logs to Sentinel, so that we don't have to submit requests one by one in the Office 365 Security & Compliance center and wait for results.

    15 votes

    1 comment
  12. DNS Connectors

    Upon enabling the DNS connector, it only sends particular event logs up to Sentinel. There should be a way to customise the logs that the connector captures, or further information on how it works and which logs it is set up to send to Sentinel by default.

    Please assist with getting DNS analytical logs onto Sentinel.

    15 votes

    planned  ·  0 comments
  13. Analytics and Connector for SonicWall

    Currently connected via CEF and CommonSecurityLog, but the mapping could be better, and converting Cisco and Palo Alto analytic rules is very challenging, if even possible.

    12 votes

    1 comment
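The post above concerns SonicWall events arriving through the CEF connector into CommonSecurityLog. As an added example (not code from the original post, from Microsoft or from SonicWall), here is a small Python parser that splits a CEF record into its seven header fields and its extension key/value pairs, honouring the CEF escaping rules, and then projects the well-known keys onto CommonSecurityLog column names. The sample log line is constructed; the SonicWall-style field values in it are assumptions, and the column map covers only the subset of keys used in the sample.

```python
import re

# Constructed sample CEF line (not a real captured event); the vendor/product
# values and extension keys are assumptions made for illustration.
SAMPLE_CEF = (
    "CEF:0|SonicWall|NSa|7.0.1|1234|Connection Denied|5|"
    "src=10.0.0.5 spt=51234 dst=203.0.113.9 dpt=445 proto=tcp "
    "act=deny msg=Denied\\=policy cs1=Rule 42 cs1Label=Policy"
)

HEADER_FIELDS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "DeviceEventClassID", "Activity", "LogSeverity")

# Subset of the CEF key -> CommonSecurityLog column mapping. Vendor-specific
# data lands in the DeviceCustomString*/Label pairs, which is why rules written
# against one vendor's cs1 rarely transfer to another vendor's.
CEF_TO_CSL = {
    "src": "SourceIP", "spt": "SourcePort", "dst": "DestinationIP",
    "dpt": "DestinationPort", "proto": "Protocol", "act": "DeviceAction",
    "msg": "Message", "cs1": "DeviceCustomString1", "cs1Label": "DeviceCustomString1Label",
}
INT_COLUMNS = {"SourcePort", "DestinationPort"}

# A pipe not preceded by a backslash ends a header field.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# key=value, where the value may contain escaped characters and runs until the
# next "<whitespace>key=" or the end of the line.
_EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")


def _unescape(value: str, header: bool) -> str:
    # Header fields escape '|' and '\'; extension values escape '=', '\' and CR/LF.
    if header:
        return value.replace("\\|", "|").replace("\\\\", "\\")
    return (value.replace("\\=", "=").replace("\\r", "\r")
                 .replace("\\n", "\n").replace("\\\\", "\\"))


def parse_cef(line: str) -> dict:
    """Split one CEF record into its header fields plus an 'extensions' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 header fields")
    record = {"CEFVersion": parts[0][len("CEF:"):]}
    for name, raw in zip(HEADER_FIELDS, parts[1:7]):
        record[name] = _unescape(raw, header=True)
    record["extensions"] = {
        m.group(1): _unescape(m.group(2), header=False)
        for m in _EXT_PAIR.finditer(parts[7])
    }
    return record


def to_common_security_log(record: dict) -> dict:
    """Project a parsed record onto CommonSecurityLog column names.

    Keys without a known column are kept as 'k=v;k=v' in AdditionalExtensions,
    so nothing from the device is silently lost."""
    row = {k: v for k, v in record.items() if k != "extensions"}
    leftovers = []
    for key, value in record["extensions"].items():
        column = CEF_TO_CSL.get(key)
        if column is None:
            leftovers.append(f"{key}={value}")
        elif column in INT_COLUMNS:
            row[column] = int(value)
        else:
            row[column] = value
    row["AdditionalExtensions"] = ";".join(leftovers)
    return row


if __name__ == "__main__":
    for column, value in to_common_security_log(parse_cef(SAMPLE_CEF)).items():
        print(f"{column:28} {value!r}")
```

Running the block prints the CommonSecurityLog-shaped row for the sample line. To see why cross-vendor rule conversion is hard, compare which of your SonicWall fields end up in DeviceCustomString1/DeviceCustomString1Label or AdditionalExtensions against the columns a Palo Alto or Cisco rule actually filters on.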
  14. Custom incident statuses

    The possibility to create custom incident statuses besides "new", "active" and "closed", e.g. "awaiting customer" for a managed SOC environment.

    11 votes

    planned  ·  0 comments
  15. Add TargetUser and TargetGroup from the SharePoint Sharing Schema to the Office 365 Data Connector

    The vital information TargetUserOrGroupType and TargetUserOrGroupName from the SharePoint Sharing schema, referenced in the Office 365 audit logs here:

    https://docs.microsoft.com/en-us/office365/securitycompliance/use-sharing-auditing

    is missing from the data ingested by the Azure Sentinel Office 365 data connector.

    The result is that the key information about whom the data was shared with is absent from Azure Sentinel, and I am unable to determine whether it was shared with a Guest identity or a Member identity.

    Please consider updating the data connector to include this valuable activity information to assist with data exfiltration analysis.

    11 votes

    under review  ·  1 comment
  16. Possibilities of adding Entities as a filtering option in Sentinel Incidents page.

    Possibilities of adding Entities as a filtering option in Sentinel Incidents page.

    Currently we have four filter options, i.e. severity, status, product name and owner.

    Could it be possible to add entities as a new filter option?

    10 votes

    planned  ·  2 comments
  17. Improve Incident Link reference

    Under incidents there is now a new feature. As well as Investigation view and view log there is now an option called "Incident Link". This would be a good idea if it linked you to the incident. However it links you to the "view log" pane. Exactly the same result if you copy and paste the link or click "view log".

    To make this feature usable, could you please extract the href within entities containing the direct link to the alerting Microsoft product?

    10 votes

    0 comments
  18. Allow analytic rule lookback for more than 14 days

    Rules can only look back 14 days. I assume this is to prevent inefficient lookups. Limiting by days does not ensure an efficient query. I recommend finding a better mechanism to avoid inefficient rules. This seems like an arbitrary and unnecessary limitation.

    8 votes

    0 comments
  19. Data Connector for Cisco AMP for Endpoints

    Create a Sentinel Data Connector to ingest Cisco AMP logs. Can be retrieved via REST API.

    https://developer.cisco.com/amp-for-endpoints/

    8 votes

    1 comment
  20. Want to download all the incidents highlighted in Azure Sentinel from the portal itself

    I want to download all the incidents from within the Azure portal.
    I got a suggestion to use the API, but with that the data is returned as JSON, and to convert it to CSV we need an external 3rd-party online converter, which is not a good facility,
    as that exposes our incident data outside.
    Please help or suggest a possible alternative to achieve the download within the Azure portal without taking the data out of Azure's purview.

    8 votes

    0 comments