Azure Sentinel

Do you have an idea or suggestion based on your experience with Azure Sentinel? We would love to hear it! 

Please take a few minutes to submit your ideas or vote up an idea submitted by another customer. All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure Sentinel. Remember that this site is only for feature suggestions and ideas!

For further reading on Azure Sentinel, see our documentation. For general discussion, use our discussion forum. For technical support, take advantage of these support options.
  1. Allow custom flexible Security events filtering

    The Security solution now allows filtering security events: https://blogs.technet.microsoft.com/msoms/2016/11/08/filter-the-security-events-the-oms-security-collects/

    It would be good if this solution also supported a "Custom" option that lets customers specify which events to collect (in addition to the pre-configured lists). It would also be good if the customer-supplied filter supported wildcards and RegEx.

    70 votes  ·  under review  ·  15 comments
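What a "Custom" filter with wildcard and RegEx support could look like, as an added example for the request above. This is not Microsoft's code and not how the Security solution or the Sentinel agent actually filters events; the event records (SecurityEvent-style field names, made-up values) and the filter spec are constructed for the illustration.

```python
"""Custom Security-event filter: exact EventID lists, optionally narrowed by
wildcard or regex matches on other event fields.

Added illustration for the feature request above; not Microsoft's code and
not the implementation of the Security solution filter. Event records and
the filter spec below are constructed."""
import fnmatch
import re
from typing import Any, Callable, Dict, List

# Constructed sample events using SecurityEvent-style field names; values are made up.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 4624, "Computer": "ws01.corp.example", "Account": "CORP\\alice",
     "Process": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 4625, "Computer": "ws01.corp.example", "Account": "CORP\\alice",
     "Process": "C:\\Windows\\System32\\lsass.exe"},
    {"EventID": 4688, "Computer": "dc01.corp.example", "Account": "CORP\\svc_backup",
     "Process": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 4688, "Computer": "ws02.corp.example", "Account": "CORP\\bob",
     "Process": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"},
    {"EventID": 5156, "Computer": "ws02.corp.example", "Account": "NT AUTHORITY\\SYSTEM",
     "Process": "C:\\Windows\\System32\\svchost.exe"},   # WFP connection noise
]

# Hypothetical "Custom" filter spec. An event is collected when ANY rule matches;
# a rule matches when the EventID is listed AND every wildcard/regex clause holds.
CUSTOM_FILTER: List[Dict[str, Any]] = [
    {"event_ids": [4624, 4625]},                                          # all logon success/failure
    {"event_ids": [4688], "wildcard": {"Process": "C:\\Users\\*\\AppData\\*"}},  # process launched from a user profile
    {"event_ids": [4688], "regex": {"Account": r"(?i)^CORP\\svc_"}},      # process creation by service accounts
]

Matcher = Callable[[Dict[str, Any]], bool]


def compile_filter(spec: List[Dict[str, Any]]) -> List[Matcher]:
    """Turn the spec into matcher callables. Regexes are compiled up front so a
    bad pattern fails at configuration time, not on the first event at runtime."""
    matchers: List[Matcher] = []
    for idx, rule in enumerate(spec):
        ids = set(rule.get("event_ids", []))
        if not ids:
            raise ValueError(f"rule {idx}: event_ids is required")
        wildcards: Dict[str, str] = dict(rule.get("wildcard", {}))
        compiled: Dict[str, "re.Pattern[str]"] = {}
        for field, pattern in rule.get("regex", {}).items():
            try:
                compiled[field] = re.compile(pattern)
            except re.error as exc:
                raise ValueError(f"rule {idx}: bad regex for {field}: {exc}") from exc

        def matcher(ev: Dict[str, Any], ids=ids, wildcards=wildcards, compiled=compiled) -> bool:
            if ev.get("EventID") not in ids:
                return False
            # fnmatchcase: case-sensitive glob with no OS path normalisation,
            # so the backslashes in Windows paths are matched literally.
            for field, pat in wildcards.items():
                if not fnmatch.fnmatchcase(str(ev.get(field, "")), pat):
                    return False
            for field, rx in compiled.items():
                if not rx.search(str(ev.get(field, ""))):
                    return False
            return True

        matchers.append(matcher)
    return matchers


def filter_events(events: List[Dict[str, Any]], spec: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return only the events the custom filter would forward."""
    matchers = compile_filter(spec)
    return [ev for ev in events if any(m(ev) for m in matchers)]


if __name__ == "__main__":
    for ev in filter_events(SAMPLE_EVENTS, CUSTOM_FILTER):
        print(ev["EventID"], ev["Computer"], ev["Account"], ev["Process"])
```

Run against the constructed events, the 5156 record is the only one dropped: the two logon events match the first rule, the user-profile process launch matches the wildcard rule, and the service-account cmd.exe matches the regex rule. Compiling patterns at load time is the check worth keeping in any real implementation of this: a malformed customer regex should be rejected when the filter is saved, not silently drop (or pass) every event.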
  2. Could we have an Umbrella connector please.

    Getting logs from Cisco Umbrella would be great. They do allow outputting of logs to an AWS S3 instance and I believe they have an API as well.

    44 votes  ·  under review  ·  1 comment
  3. Add a connector for Carbon Black.

    Carbon Black is a popular endpoint security tool for which a native connector would be very welcome.

    27 votes  ·  under review  ·  0 comments
  4. Full text search for incidents information

    Currently, you need to open each incident to see its comments; it would be more convenient if you could search comments from the incident list page.

    21 votes  ·  under review  ·  3 comments
  5. Allow for selection of playbooks to multiple rules at the same time

    When I have a playbook that applies to all rules, such as email incident notification, I currently have to open each rule individually in the portal and select the playbook. I should be able to select the playbook and associate it with as many selected (or all) rules as I want in one operation.

    18 votes  ·  under review  ·  1 comment
  6. Assigning owner to incident - limit dropdown box of users to a subset (group)

    When assigning the owner of an incident in Sentinel we are seeing in the dropdown box all of the users in the tenant. It would be nice to be able to limit the users in the dropdown box to a subset (i.e. SOC members) of the users.

    15 votes  ·  under review  ·  0 comments
  7. Pull logs from AWS S3

    Pull (and parse) custom logs from an AWS S3 bucket.
    There is a whole ecosystem for exchanging log data like that. Access should be governed by an AWS IAM role, and the logs should be JSON files in gzip archives.

    15 votes  ·  under review  ·  0 comments
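An added example of the parsing half of the request above: reading "JSON files in gzip archives" once an object's bytes are in hand. The S3 fetch and the IAM role assumption are deliberately left out so the code runs offline (with boto3 the bytes would come from `get_object(...)["Body"].read()`); the archives below are constructed in the script. This is not Microsoft's or AWS's code. Both layouts seen in practice are handled, newline-delimited JSON and a single JSON array, and the decompressed size is capped, because a bucket fed by a third party is a place a gzip bomb can arrive from.

```python
"""Parse gzip-compressed JSON log archives (NDJSON or a JSON array) into records.

Added illustration for the S3 log-ingestion request above; not Microsoft's or
AWS's code. The archives are constructed here; a real ingester would receive
the bytes from S3 via an IAM-role-scoped get_object call."""
import gzip
import io
import json
from typing import Any, Dict, List, Tuple

# Hard cap on decompressed bytes per object: a gzip bomb from a bucket you do not
# fully control must not exhaust the collector's memory. Tune per deployment.
MAX_DECOMPRESSED = 256 * 1024 * 1024


def _make_archive(text: str) -> bytes:
    """Constructed test input: gzip a string the way a log exporter would."""
    return gzip.compress(text.encode("utf-8"))


# Constructed archives. Field names are arbitrary; values are made up.
NDJSON_ARCHIVE = _make_archive(
    '{"time":"2020-03-01T10:00:00Z","src":"10.0.0.5","dst":"93.184.216.34","action":"deny"}\n'
    'this line is not JSON and must not abort the whole object\n'
    '{"time":"2020-03-01T10:00:01Z","src":"10.0.0.6","dst":"93.184.216.34","action":"allow"}\n'
    '\n'
)
ARRAY_ARCHIVE = _make_archive(
    '[{"time":"2020-03-01T10:00:02Z","src":"10.0.0.7","dst":"93.184.216.34","action":"deny"}, 42]'
)


def _decompress(blob: bytes, limit: int) -> bytes:
    """Inflate a gzip blob, refusing non-gzip input and output larger than limit."""
    if blob[:2] != b"\x1f\x8b":
        raise ValueError("object is not a gzip archive (bad magic)")
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as gz:
        data = gz.read(limit + 1)          # read one byte past the cap to detect overflow
    if len(data) > limit:
        raise ValueError(f"decompressed size exceeds {limit} bytes")
    return data


def parse_archive(blob: bytes, limit: int = MAX_DECOMPRESSED) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Return (records, errors). Malformed lines/items are reported, not fatal,
    so one bad line from an exporter does not lose the rest of the object."""
    text = _decompress(blob, limit).decode("utf-8")
    records: List[Dict[str, Any]] = []
    errors: List[str] = []

    stripped = text.lstrip()
    if stripped.startswith("["):
        # Whole-object JSON array layout.
        try:
            items = json.loads(stripped)
        except json.JSONDecodeError as exc:
            return [], [f"array: {exc.msg} at char {exc.pos}"]
        for i, item in enumerate(items):
            if isinstance(item, dict):
                records.append(item)
            else:
                errors.append(f"item {i}: not a JSON object")
        return records, errors

    # Newline-delimited JSON layout: one record per line, blank lines ignored.
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append(f"line {lineno}: {exc.msg}")
            continue
        if not isinstance(obj, dict):
            errors.append(f"line {lineno}: not a JSON object")
            continue
        records.append(obj)
    return records, errors


if __name__ == "__main__":
    for name, blob in (("ndjson", NDJSON_ARCHIVE), ("array", ARRAY_ARCHIVE)):
        recs, errs = parse_archive(blob)
        print(name, "records:", len(recs), "errors:", errs)
```

For the constructed NDJSON archive this yields two records and one error for line 2; the array archive yields one record and an error for the stray `42`. The size cap is the piece to keep: `gzip.GzipFile.read(n)` stops at `n` bytes, so the collector never materialises more than `limit + 1` bytes of inflated data before deciding to reject the object.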
  8. Linking Sophos Endpoint Protection With Azure Sentinel

    New data connector to link Sophos Endpoint Protection logs with Azure Sentinel.

    13 votes  ·  under review  ·  0 comments
  9. Add TargetUser and TargetGroup from the SharePoint Sharing Schema to the Office 365 Data Connector

    The vital information TargetUserOrGroupType and TargetUserOrGroupName from the SharePoint Sharing schema, referenced in the Office 365 audit logs here:

    https://docs.microsoft.com/en-us/office365/securitycompliance/use-sharing-auditing

    is missing from the data ingested by the Azure Sentinel Office 365 data connector.

    The result is that the key information of whom the content was shared with is absent from Azure Sentinel, and I am unable to determine whether it was shared with a Guest identity or a Member identity.

    Please consider updating the data connector to include this valuable activity information to assist with data exfiltration analysis.

    11 votes  ·  under review  ·  1 comment
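An added example, not part of the idea above and not Microsoft's code, showing why the two fields matter for exfiltration triage: the same sharing audit records are classified once with TargetUserOrGroupType/TargetUserOrGroupName present and once with them stripped, as the connector delivers them. The operation names (SharingSet, SharingInvitationCreated, AnonymousLinkCreated, and so on) and the Member/Guest values are those of the SharePoint sharing auditing schema the idea links; the records, the tenant domain and the actors are constructed.

```python
"""Classify SharePoint sharing audit events as member / guest / anonymous / unknown.

Added illustration for the connector request above; not Microsoft's code.
Records below are constructed with field names from the Office 365 audit
log sharing schema; values, users and the tenant domain are made up."""
from typing import Any, Dict, List, Optional

# Hypothetical tenant: anything outside these domains is external.
TENANT_DOMAINS = {"contoso.com"}

# Operations from the sharing auditing schema that name a target user or group.
TARGETED_SHARING_OPS = {"SharingSet", "SharingInvitationCreated", "SecureLinkCreated", "AddedToSecureLink"}
# Anonymous links have no target at all: anyone with the URL can open the item.
ANONYMOUS_OPS = {"AnonymousLinkCreated"}

# Constructed audit records as the Management Activity API returns them.
FULL_RECORDS: List[Dict[str, Any]] = [
    {"CreationTime": "2020-02-10T09:12:44", "Workload": "SharePoint", "Operation": "SharingSet",
     "UserId": "alice@contoso.com",
     "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/Q4-forecast.xlsx",
     "TargetUserOrGroupName": "bob@contoso.com", "TargetUserOrGroupType": "Member"},
    {"CreationTime": "2020-02-10T09:15:02", "Workload": "SharePoint", "Operation": "SharingInvitationCreated",
     "UserId": "alice@contoso.com",
     "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/payroll.xlsx",
     "TargetUserOrGroupName": "partner@fabrikam.com", "TargetUserOrGroupType": "Guest"},
    {"CreationTime": "2020-02-10T09:20:31", "Workload": "SharePoint", "Operation": "AnonymousLinkCreated",
     "UserId": "carol@contoso.com",
     "ObjectId": "https://contoso.sharepoint.com/sites/hr/Shared Documents/org-chart.pdf"},
]

# The same events as ingested without the target fields (the gap the idea describes).
STRIPPED_RECORDS: List[Dict[str, Any]] = [
    {k: v for k, v in rec.items() if not k.startswith("TargetUserOrGroup")} for rec in FULL_RECORDS
]


def classify_share(rec: Dict[str, Any], tenant_domains=TENANT_DOMAINS) -> Optional[str]:
    """Return 'member', 'guest', 'anonymous', 'unknown', or None for non-sharing events."""
    op = rec.get("Operation")
    if op in ANONYMOUS_OPS:
        return "anonymous"
    if op not in TARGETED_SHARING_OPS:
        return None
    target_type = rec.get("TargetUserOrGroupType")
    if target_type == "Guest":
        return "guest"
    if target_type == "Member":
        return "member"
    # Fallback when the type is absent: infer from the target address domain.
    name = rec.get("TargetUserOrGroupName") or ""
    if "@" in name:
        domain = name.rsplit("@", 1)[1].lower()
        return "member" if domain in tenant_domains else "guest"
    return "unknown"   # neither field present: cannot tell guest from member


def external_shares(records: List[Dict[str, Any]], tenant_domains=TENANT_DOMAINS) -> List[Dict[str, str]]:
    """Triage view: every share that left the tenant or cannot be proven internal."""
    out: List[Dict[str, str]] = []
    for rec in records:
        verdict = classify_share(rec, tenant_domains)
        if verdict in ("guest", "anonymous", "unknown"):
            out.append({"time": rec["CreationTime"], "actor": rec["UserId"], "operation": rec["Operation"],
                        "object": rec["ObjectId"], "target": rec.get("TargetUserOrGroupName", "-"),
                        "verdict": verdict})
    return out


if __name__ == "__main__":
    print("with target fields:   ", [classify_share(r) for r in FULL_RECORDS])
    print("without target fields:", [classify_share(r) for r in STRIPPED_RECORDS])
    for row in external_shares(STRIPPED_RECORDS):
        print(row)
```

With the fields present, the constructed set produces one member share, one guest share and one anonymous link, so the triage list contains exactly the two items that left the tenant. With the fields stripped, both targeted shares collapse to "unknown": the analyst must either treat every share as suspicious (three items instead of two, and worse at scale) or go back to the Office 365 audit log to recover the target. The domain-based fallback only helps when at least TargetUserOrGroupName survives.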
  10. DNS Connectors

    Upon enabling the DNS connector, it only sends particular event logs up to Sentinel. There should be a way to customise the logs that the connector captures, or further information on how it works and which logs it is set up to send to Sentinel by default.

    Please assist with getting the DNS analytical logs onto Sentinel.

    11 votes  ·  under review  ·  0 comments
  11. Azure Sentinel Incidents in Log Analytics

    Is there a table that we can query in Log Analytics for Sentinel incidents?

    It could be very useful for history and for actions.

    Thanks

    5 votes  ·  under review  ·  0 comments
  12. Azure Sentinel Rules Fields Aggregation and CustomEntities

    Scheduled rules: field aggregation and more custom entities support.

    For example, with a catch-all scheduled rule for WDATP named "WDATP - Catch All", is there a way to aggregate the AlertName of the WDATP alerts into the scheduled rule name, or pass it as a parameter? Because now, when the scheduled rule triggers, regardless of the name of the alert I always get "WDATP - Catch All".

    This is crucial in order to have layers of rules for correlated events, so as to be able to aggregate fields and pass them to all levels of correlation rules like in a traditional…

    4 votes  ·  under review  ·  1 comment
  13. Upgrade the MDATP Connector

    Currently the MDATP connector feels exceptionally limited for what should be a first-class, first-party experience.

    1. We should be able to use the Streaming API with Sentinel.

    2. Alerts that are duplicated into Sentinel should include the additional details that are available natively in the MDATP portal.

    4 votes  ·  under review  ·  0 comments
  14. Ability to assign manual playbooks and hunting queries to incidents

    We should have the ability to link playbooks, queries, and notebooks to incidents (analytic rules) as reconditions for resolution. SOC L1-L2 users may not know which activities to run; let us list recommended activities.

    4 votes  ·  under review  ·  0 comments