Azure Sentinel

Do you have an idea or suggestion based on your experience with Azure Sentinel? We would love to hear it! 

Please take a few minutes to submit your ideas or vote up an idea submitted by another customer. All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure Sentinel. Remember that this site is only for feature suggestions and ideas!

For further reading on Azure Sentinel, see our documentation. For general discussion, use our discussion forum. For technical support, take advantage of these support options.
  1. Allow queries to application insights using app('xxxx-***-***-***').traces

    Queries to Application Insights from Sentinel using the app() function work in Log Analytics and the LOGS tab in Sentinel, but you cannot create a Sentinel alert with the same query.

    Example:
    app('xxxx-xxxx-***-***').traces
    | project-rename TimeGenerated = timestamp
    | where TimeGenerated > ago(90d)
    | where message contains "Invalid sign-in"
    | summarize count() by bin(TimeGenerated, 1h)

    1 vote
    0 comments
  2. Integration with M365 ATP & EOP

    It would be better if it were integrated with M365 ATP & EOP (previously O365 ATP) so that we can get the data & reports here in a single place.

    1 vote
    0 comments
  3. MFA-SAS backend alerts

    I have a customer that needs to get alerts when an MFA user is set to Blocked. I can't find it under the current functionality in Sentinel. Is it possible to add this alert, and if not here, maybe under Azure Monitor?

    1 vote
    0 comments
  4. Data Connectors: Create filter for Connector status (Connected, Coming Soon, etc.)

    I may want to only see connectors that are enabled and thereby quickly spot in one view any unhealthy connector. Also I want to quickly filter on Coming Soon, not have to scroll the whole connector list.

    1 vote
    0 comments
  5. Folders hierarchy and tags for the alerts

    Allow folders hierarchy and tags to save your alerts in an organized manner for future use

    1 vote
    0 comments
  6. Tabbed Browsing Support

    Tabbed browsing support for all links would be a very welcome enhancement.

    1 vote
    0 comments
  7. DNS Connectors

    Upon enabling the DNS connector, it only sends particular event logs up to Sentinel. There should be a way to customise the logs that the connectors capture, or further information on how they work and the logs they are set up to send to Sentinel by default.

    Please assist with getting DNS analytical logs for DNS onto Sentinel.

    2 votes
    0 comments
  8. How to configure the NSG for the Syslog VM on an Azure VM?

    How to configure the NSG for the Syslog VM on an Azure VM?
    If you use automatic deployment, the Syslog VM's NSG is null by default.

    1 vote
    1 comment
  9. Create a Single Search field to search all of the logs.

    Search all logs at the same time with normal human language instead of a query language. Similar to how Bing searches the internet, have a Bing-powered search that searches all of Azure Sentinel to find information on a user, term, or machine.

    1 vote
    0 comments
  10. Data Connector Marketplace

    Sentinel should have data connectors for all Microsoft portals, especially Microsoft Compliance Manager that are free. Gold Partners should have the ability to add custom connectors for their clients for a fee.

    Georgeo Pulikkathara | Avanade

    2 votes
    0 comments
  11. Pull logs from AWS S3

    Pull (and parse) custom logs from an AWS S3 bucket.
    There is a whole ecosystem of exchanging log data like that. Access should be governed by an AWS IAM Role and the logs should be json files in gzip archives.

    5 votes
    0 comments
  12. Ability to ingest data from Sonicwall

    Please add Sonicwall to the list of firewall vendors that Azure Sentinel can ingest. We need more than just Fortinet and others.

    6 votes
    0 comments
  13. Could we have an Umbrella connector please.

    Getting logs from Cisco Umbrella would be great. They do allow outputting of logs to an AWS S3 instance and I believe they have an API as well.

    6 votes
    0 comments
  14. Yara rules

    Sentinel should adopt Yara rules support to enable industry collaboration and improvement

    10 votes
    0 comments
  15. Sigma support

    Sentinel should adopt Sigma standard for rules to enable industry collaboration

    3 votes
    0 comments
  16. Bulk deployment of rules

    I'd like to be able to deploy 1 use-case / rule against multiple workspaces simultaneously. This would help MSSPs that are trying to deploy new logic to multiple customers.

    3 votes
    0 comments
  17. Automatic execution of Threat Hunting rules

    We love threat hunting! But the fact that we can't simply automate them from the dashboard is incredibly complicated. There should be an option to "turn this rule into an automatic alert".

    6 votes
    0 comments
  18. Manually create an incident

    Sometimes we need to trigger an incident manually, to then "pull" events into it - not all incidents are automatically created by an alert.

    It would be great to have the ability to manually create an incident and "add" / "remove" notable events by hand / by query (as well as events from other non-Azure data sources)

    3 votes
    0 comments
  19. Jira integration for investigations

    SOC teams need to have a good ticketing system to keep evidence (Screenshots, query results, IOCs, etc.) of each and every investigation they do. We use Jira, and we've had to do webhooks to do integration - but it is not smooth (the alert info submitted is poor). Better integration for automatic ticket creation, as well as the ability to aggregate various alerts into one ticket would be great.

    2 votes
    1 comment
  20. Single pane of glass

    Sentinel should enable the aggregation of ASC, WDATP, CloudApp Security and all other sources of information that are Azure / O365 native - this is required for Incident Responders and Threat Hunters to do our job

    11 votes
    planned  ·  1 comment