Quickstart: On-board Microsoft Sentinel


Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.

In this quickstart, learn how to on-board Microsoft Sentinel. To on-board Microsoft Sentinel, you first need to enable Microsoft Sentinel, and then connect your data sources.

Microsoft Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions, Microsoft 365 sources (including Office 365), Azure AD, Microsoft Defender for Identity (formerly Azure ATP), Microsoft Defender for Cloud Apps, security alerts from Microsoft Defender for Cloud, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog or REST-API to connect your data sources with Microsoft Sentinel.

After you connect your data sources, choose from a gallery of expertly created workbooks that surface insights based on your data. These workbooks can be easily customized to your needs.


For information about the charges incurred when using Microsoft Sentinel, see Microsoft Sentinel pricing and Microsoft Sentinel costs and billing.

Global prerequisites

For more information, see Pre-deployment activities and prerequisites for deploying Microsoft Sentinel.

Geographical availability and data residency

  • Microsoft Sentinel can run on workspaces in most regions where Log Analytics is generally available. Regions where Log Analytics is newly available may take some time to onboard the Microsoft Sentinel service.

  • See Data residency in Azure for information on Geos and regions and on where customer data is stored.

  • Single-region data residency is currently provided only in the Southeast Asia (Singapore) region of the Asia Pacific geography, and in the Brazil South (Sao Paulo State) region of the Brazil geography.


    • By enabling certain rules that make use of the machine learning (ML) engine, you give Microsoft permission to copy relevant ingested data outside of your Microsoft Sentinel workspace's geography as may be required by the machine learning engine to process these rules.

Enable Microsoft Sentinel

  1. Sign in to the Azure portal. Make sure that the subscription in which Microsoft Sentinel is created is selected.

  2. Search for and select Microsoft Sentinel.

    Services search

  3. Select Add.

  4. Select the workspace you want to use or create a new one. You can run Microsoft Sentinel on more than one workspace, but the data is isolated to a single workspace.

    Choose a workspace


    • Default workspaces created by Microsoft Defender for Cloud will not appear in the list; you can't install Microsoft Sentinel on them.


    • Once deployed on a workspace, Microsoft Sentinel does not currently support the moving of that workspace to other resource groups or subscriptions.

      If you have already moved the workspace, disable all active rules under Analytics and re-enable them after five minutes. This should be effective in most cases, though, to reiterate, it is unsupported and undertaken at your own risk.

  5. Select Add Microsoft Sentinel.

Connect data sources

Microsoft Sentinel ingests data from services and apps by connecting to the service and forwarding the events and logs to Microsoft Sentinel. For physical and virtual machines, you can install the Log Analytics agent that collects the logs and forwards them to Microsoft Sentinel. For Firewalls and proxies, Microsoft Sentinel installs the Log Analytics agent on a Linux Syslog server, from which the agent collects the log files and forwards them to Microsoft Sentinel.

  1. From the main menu, select Data connectors. This opens the data connectors gallery.

  2. The gallery is a list of all the data sources you can connect. Select a data source and then the Open connector page button.

  3. The connector page shows instructions for configuring the connector, and any additional instructions that may be necessary.

    For example, if you select the Azure Active Directory data source, which lets you stream logs from Azure AD into Microsoft Sentinel, you can select what type of logs you want to get - sign-in logs and/or audit logs.
    Follow the installation instructions or refer to the relevant connection guide for more information. For information about data connectors, see Microsoft Sentinel data connectors.

  4. The Next steps tab on the connector page shows relevant built-in workbooks, sample queries, and analytics rule templates that accompany the data connector. You can use these as-is or modify them - either way you can immediately get interesting insights across your data.

After your data sources are connected, your data starts streaming into Microsoft Sentinel and is ready for you to start working with. You can view the logs in the built-in workbooks and start building queries in Log Analytics to investigate the data.

For more information, see Data collection best practices.

Next steps

For more information, see: