Azure Sentinel

Do you have an idea or suggestion based on your experience with Azure Sentinel? We would love to hear it! 

Please take a few minutes to submit your ideas or vote up an idea submitted by another customer. All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure Sentinel. Remember that this site is only for feature suggestions and ideas!

For further reading on Azure Sentinel, see our documentation. For general discussion, use our discussion forum. For technical support, take advantage of these support options.
  1. Create a logic app trigger "When an Azure Sentinel Incident is Created"

    It would be great to have a trigger in the Azure Sentinel connector when a new Azure Sentinel incident is created.
    This way we could integrate and automate with the other Microsoft security products (MCAS, WDATP, Azure ATP, etc.) and also with an ITSM tool like ServiceNow.
    The idea is to have a playbook run automatically whenever a new incident is created in Sentinel to:
    - create an incident in ServiceNow
    - send an email notification
    Further, we could expand this to automatically close the SNOW incident and the corresponding alert in whichever product (MCAS, WDATP, etc.) when the Azure Sentinel incident's…

    82 votes

    planned  ·  7 comments
  2. Kusto for incident information

    I want incident information, including comments and status, to be retrievable by Kusto query in Sentinel.
    If this were possible I would be able to analyze the incident investigation.
    Thus, I could understand how long is needed for what types of incident, and the FP rate for certain incidents.
    Moreover, when a new alert happens, you could check similar incidents' investigation data and investigate the new alert more smoothly.

    23 votes

    planned  ·  1 comment
  3. Full-text search for incident information

    Currently, you need to check each incident to see its comments; it would be more convenient if you could search comments from the incident list page.

    20 votes

    under review  ·  3 comments
  4. Including Teams audit log through O365 Connector

    Currently the O365 Connector only transfers ExO/SPO/OneDrive logs.
    I hope Teams/SfBO logs will also be included in this connector.

    I found the great article below; it works fine. However, it requires a lot of money.

    https://techcommunity.microsoft.com/t5/azure-sentinel/protecting-your-teams-with-azure-sentinel/ba-p/1265761

    5 votes

    0 comments
  5. Add a connector for Carbon Black.

    Carbon Black is a popular endpoint security tool for which a native connector would be very welcome.

    27 votes

    under review  ·  0 comments
  6. Connector Automation

    Some connectors require that you periodically check their connector page to see if any new subscriptions have been created, and then the admin must manually connect those subscriptions (e.g. Azure Activity or Azure Security Center). If there were a way to say "Enable this connector for all subscriptions (current and future) under this Management Group", or even just a blanket "Enable this connector (current and future) wherever I'm authorized to", that would reduce the amount of time Security Analysts/Engineers have to spend making sure they have the appropriate coverage and allow them to do things like hunting.

    9 votes

    0 comments
  7. View incidents assigned to me only

    Hello, it would be nice to be able to filter the Owner column in Incidents so each SOC member could view only what is assigned to them. Right now I can only sort that column. Is this on the roadmap, or are there other ways people can be notified as soon as an incident is assigned to them?

    10 votes

    1 comment
  8. Allow for selection of playbooks to multiple rules at the same time

    When I have a playbook that applies to all rules, such as email incident notification, currently I have to open each rule individually in the portal and select the playbook. I should be able to select the playbook and associate it with as many selected (or all) rules as I want in one operation.

    15 votes

    under review  ·  1 comment
  9. Integration with M365 ATP & EOP

    It would be better if it were integrated with M365 ATP & EOP (previously O365 ATP) so that we can get the data & reports here in a single place.

    26 votes

    5 comments
  10. Enable an out-of-box alert in case any data source stops sending logs

    Generate an alert in case a data source stops sending logs, supporting syslog and data sources where the MMA agent is not installed.

    3 votes

    0 comments
  11. Linking Sophos Endpoint Protection With Azure Sentinel

    New data connector to link Sophos Endpoint Protection logs with Azure Sentinel.

    12 votes

    under review  ·  0 comments
  12. Link to Incident in Playbooks

    We currently use Playbooks to send email notifications and/or create incidents in our ITSM system, but the details that are sent are sparse and I cannot link directly to the Incident detail. The Incident URL (Case id) is available in the Incident Full Details blade, but is not available to be added to the Playbooks.

    Incident Link Example:

    https://portal.azure.com/#asset/MicrosoftAzureSecurity_Insights/Incident//subscriptions/[Subscription]/resourceGroups/[resourcegroup]/providers/Microsoft.OperationalInsights/workspaces/[workspace]/providers/Microsoft.SecurityInsights/Cases/[Case id]

    7 votes

    0 comments
  13. Azure Sentinel Incidents in Log Analytics

    Is there a table that we can query in Log Analytics for Sentinel Incidents?

    It could be very useful for history reasons and actions.

    Thanks

    3 votes

    under review  ·  0 comments
  14. Netflow ingestion

    Direct ingestion of NetFlow data would be awfully nice.

    5 votes

    0 comments
  15. Upgrade the MDATP Connector

    Currently the MDATP Connector feels exceptionally limited for what should be a first-class, first-party experience.

    1. We should be able to use the Streaming API with Sentinel.

    2. Alerts that are duplicated into Sentinel should include the additional details that are available natively in the MDATP portal.

    3 votes

    under review  ·  0 comments
  16. Create high fidelity incidents based on Application Gateway WAF logs

    Currently App Gateway WAF logs are viewable in workbooks, but the logs should be aggregated, analyzed and made into high-fidelity Incidents so they can be actioned by the AppDev and CSIRT teams.

    2 votes

    0 comments
  17. Tagging for the Servers

    Can we have tagging enabled for the servers that are sending logs to Sentinel, in order to identify which critical server or IT group they belong to?

    3 votes

    0 comments
  18. Analytics and Connector for SonicWall

    Currently connected via CEF and CommonSecurityLog, but the mapping could be better, and converting Cisco and Palo Alto Analytic Rules is very challenging, if even possible.

    5 votes

    0 comments
  19. Azure Sentinel Rules Fields Aggregation and CustomEntities

    Scheduled rules field aggregation and more custom entities support:

    For example, with a catch-all scheduled rule for WDATP named "WDATP - Catch All", is there a way to aggregate the AlertName of the WDATP alerts into the scheduled rule name, or pass it as a parameter? Because now, when the scheduled rule is triggered, regardless of the name of the alert I always get "WDATP - Catch All".

    This is crucial in order to have layers of rules for correlated events, so as to be able to aggregate fields and pass them to all levels of correlation rules like in a traditional…

    2 votes

    under review  ·  0 comments
  20. Connector for Windows Defender

    Create a Windows Defender connector for Azure Sentinel.

    15 votes

    1 comment