Azure Sentinel

Do you have an idea or suggestion based on your experience with Azure Sentinel? We would love to hear it! 

Please take a few minutes to submit your ideas or vote up an idea submitted by another customer. All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure Sentinel. Remember that this site is only for feature suggestions and ideas!

For further reading on Azure Sentinel, see our documentation. For general discussion, use our discussion forum. For technical support, take advantage of these support options.
  1. Create a logic app trigger "When an Azure Sentinel Incident is Created"

    It would be great to have a trigger in the Azure Sentinel connector when a new Azure Sentinel incident is created.
    This way we could integrate and automate with the other Microsoft security products (MCAS,WDATP,Azure ATP, etc.) and also with an ITSM tool like Service Now.
    The idea is to have a playbook run automatically whenever a new incident is created in Sentinel to:
    - create an incident in Service Now
    - send an email notification
    further we could expand to automatically close the SNOW incident and the corresponding alert in whichever product (MCAS,WDATP, etc.) when the Azure Sentinel incident's…

    100 votes
    planned · 8 comments
  2. Single pane of glass

    Sentinel should enable the aggregation of ASC, WDATP, CloudApp Security and all other sources of information that are Azure / O365 native - this is required for Incident Responders and Threat Hunters to do our job

    53 votes
    planned · 3 comments
  3. Kusto for incident information

    I want incident information, including comments and status, to be retrievable by Kusto query in Sentinel.
    If this is possible I would be able to analyze the incident investigation.
    Thus, I can understand how long you need for what types of incident, and the FP rate for certain incidents.
    Moreover, when a new alert happens, you could check similar incidents' investigation data and investigate the new alert more smoothly.

    31 votes
    planned · 1 comment
  4. Integration with M365 ATP & EOP

    It would be better if it were integrated with M365 ATP & EOP (previously O365 ATP) so that we can get the data & reports here in a single place.

    31 votes
    5 comments
  5. Link to Incident in Playbooks

    We currently use Playbooks to send email notifications and/or create incidents in our ITSM system, but the details that are sent are sparse and I cannot link directly to the Incident detail. The Incident URL (Case id) is available in the Incident Full Details blade, but is not available to be added to the Playbooks.

    Incident Link Example:

    https://portal.azure.com/#asset/MicrosoftAzureSecurity_Insights/Incident//subscriptions/[Subscription]/resourceGroups/[resourcegroup]/providers/Microsoft.OperationalInsights/workspaces/[workspace]/providers/Microsoft.SecurityInsights/Cases/[Case id]

    12 votes
    1 comment
  6. Add Playbook trigger for when an Azure Sentinel Incident changes

    Create a playbook trigger for when an Incident changes, to support actions like emailing a user when they are assigned a new Incident, or emailing management if an Incident's severity is lowered.

    7 votes
    0 comments
  7. Improve Incident Link reference

    Under Incidents there is now a new feature. As well as Investigation view and View log, there is now an option called "Incident Link". This would be a good idea if it linked you to the incident. However, it links you to the "View log" pane: exactly the same result as if you copy and paste the link or click "View log".

    To make this feature usable, could you please extract the href within entities containing the direct link to the alerting Microsoft product?

    5 votes
    0 comments
  8. Sentinel Workbook - API access

    Trying to build a workbook that shows the dynamic workload that a Sec Ops member deals with over various time ranges.

    It looks like I need to have access to Sentinel's API if I want to chart the status of the alerts, the time it took for a member to acknowledge an alert (from New to In progress) and the average time to close.

    Is the API likely to be available soon? Or is there another option?

    5 votes
    1 comment
  9. Sentinel Logic App Action - Alert Get URLs

    Add functionality to get a list of URL entities from the incident. These could be passed in a playbook for additional scanning, or to update URLs in a blacklist, an MDATP custom network policy, or a 3rd-party tool.

    2 votes
    0 comments
  10. Log aggregation or filtering

    We need to be able to aggregate or filter logs.

    In many instances the firewalls generate a lot of logs that are not useful, and we would like to aggregate logs of the same type into one according to a certain threshold and time frame. There should also be an option to allow filtering of certain types of logs.

    2 votes
    0 comments
  11. Add Sentinel Actions - Assign incident to user

    In Logic Apps, add "Assign incident/alert to user" to the Sentinel actions, so that I can add a "send email to that user" action after the incident is assigned.

    2 votes
    0 comments
  12. Azure Security Center alerts in Azure Sentinel do not show as individual alerts

    Azure Security Center alerts in Azure Sentinel do not show as individual alerts. Can we have each individual alert displayed in the Incidents pane? The only alert we see is that all the Security Center alerts have been forwarded to Sentinel, and we need to drill down to the events each time the alert is triggered. There is also a lot of delay, as it is grouping the events.

    1 vote
    0 comments
  13. Investigation UI

    A lot of the time we want to investigate a user to determine which systems and which web sites he/she accessed.

    Sentinel only allows searching the logs, but it doesn't give an easy graphical view unless there is already an alert.

    It would be great if we could just search for a user and select the user, just as we do in the investigation window, and then have Sentinel present all the information graphically about all the access this user performed.

    1 vote
    0 comments