Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Sentinel

Do you have an idea or suggestion based on your experience with Azure Sentinel? We would love to hear it! 

Please take a few minutes to submit your ideas or vote up an idea submitted by another customer. All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure Sentinel. Remember that this site is only for feature suggestions and ideas!

For further reading on Azure Sentinel, see our documentation. For general discussion, use our discussion forum. For technical support, take advantage of these support options.
  1. Pull logs from AWS S3

    Pull (and parse) custom logs from an AWS S3 bucket.
    There is a whole ecosystem of exchanging log data like that. Access should be governed by an AWS IAM Role and the logs should be JSON files in gzip archives.

    19 votes

    0 comments
  2. Connector Automation

    Some connectors require that you periodically check their connector page to see if any new subscriptions have been created, and then the admin must manually connect those subscriptions (e.g. Azure Activity or Azure Security Center). If there were a way to say "Enable this connector for all subscriptions (current and future) under this Management Group", or even just a blanket "Enable this connector (current and future) wherever I'm authorized to", that would reduce the amount of time that Security Analysts/Engineers have to spend on making sure they have the appropriate coverage and allow them to do things like hunting.

    16 votes

    started  ·  1 comment
  3. Analytics and Connector for SonicWall

    Currently connected via CEF and CommonSecurityLog, but the mapping could be better, and converting Cisco and Palo Alto Analytic Rules is very challenging, if even possible.

    12 votes

    1 comment
  4. Collect events from forwarded events

    We have a pretty robust event forwarding infrastructure in place. All of our relevant events are pulled into a central forwarder group for ingestion, including everything important from DCs. Obviously we don't install any agents on domain controllers. The Sentinel connector only seems to work on the Security event log of the local computer, though. That's fine for random servers, but useless for high-value servers where monitoring is most needed.

    8 votes

    started  ·  1 comment
  5. Azure Sentinel Rules Fields Aggregation and CustomEntities

    Scheduled rules field aggregation and more custom entities support:

    For example, with a catch-all scheduled rule for WDATP named "WDATP - Catch All", is there a way to aggregate the AlertName of the WDATP alerts into the scheduled rule name, or pass it as a parameter? Because now, when the scheduled rule triggers, regardless of the name of the alert I always get "WDATP - Catch All".

    This is crucial in order to have layers of rules for correlated events, so as to be able to aggregate fields and pass them to all levels of correlation rules like in a traditional…

    7 votes

    started  ·  1 comment
  6. 6 votes

    started  ·  1 comment
  7. Additional entity request

    It would be nice to have a filename entity for things like when MCAS reports a stale externally shared file. While the filename shows up in the description, you do not see it when performing an investigation.

    3 votes

    started  ·  0 comments
  8. Ubiquiti Connector

    Need a connector for Ubiquiti USG, switches and APs.

    2 votes

    started  ·  0 comments
  9. Allow bookmarks in incidents detail page to show information

    Right now the bookmark listing in an Incident's full details page just lists the bookmarks, making them not very useful. Add the ability to view a bookmark as if you were looking at the Bookmarks tab on the Hunting page.

    2 votes

    started  ·  0 comments