Quickstart: On-board Azure Sentinel
In this quickstart, learn how to on-board Azure Sentinel.
To on-board Azure Sentinel, you first need to enable Azure Sentinel, and then connect your data sources. Azure Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions, Microsoft 365 sources (including Office 365), Azure AD, Microsoft Defender for Identity (formerly Azure ATP), Microsoft Cloud App Security, Azure Defender alerts from Azure Security Center, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog or REST-API to connect your data sources with Azure Sentinel.
After you connect your data sources, choose from a gallery of expertly created workbooks that surface insights based on your data. These workbooks can be easily customized to your needs.
For information about the charges incurred when using Azure Sentinel, see Azure Sentinel pricing.
Active Azure Subscription, if you don't have one, create a free account before you begin.
To enable Azure Sentinel, you need contributor permissions to the subscription in which the Azure Sentinel workspace resides.
To use Azure Sentinel, you need either contributor or reader permissions on the resource group that the workspace belongs to.
Additional permissions may be needed to connect specific data sources.
Azure Sentinel is a paid service. For pricing information see About Azure Sentinel.
Geographical availability and data residency
Azure Sentinel can run on workspaces in most GA regions of Log Analytics except the China and Germany (Sovereign) regions. Sometimes New Log Analytics regions may take some time to onboard the Azure Sentinel service.
Data generated by Azure Sentinel, such as incidents, bookmarks, and analytics rules, may contain some customer data sourced from the customer's Log Analytics workspaces. This Azure Sentinel-generated data is saved in the geography or region listed in the following table, according to the geography or region in which the workspace is located:
Workspace geography/region Azure Sentinel-generated data geography/region United States
United Arab Emirates
United States Europe
Europe Australia Australia United Kingdom United Kingdom Canada Canada Japan Japan Southeast Asia (Singapore) Southeast Asia (Singapore)*
* There is no paired region for Southeast Asia.
- By enabling certain rules that make use of the machine learning (ML) engine, you give Microsoft permission to copy relevant ingested data outside of your Azure Sentinel workspace's geography as may be required by the machine learning engine to process these rules.
Sign in to the Azure portal. Make sure that the subscription in which Azure Sentinel is created is selected.
Search for and select Azure Sentinel.
Select the workspace you want to use or create a new one. You can run Azure Sentinel on more than one workspace, but the data is isolated to a single workspace.
- Default workspaces created by Azure Security Center will not appear in the list; you can't install Azure Sentinel on them.
Once deployed on a workspace, Azure Sentinel does not currently support the moving of that workspace to other resource groups or subscriptions.
If you have already moved the workspace, disable all active rules under Analytics and re-enable them after five minutes. This should be effective in most cases, though, to reiterate, it is unsupported and undertaken at your own risk.
Select Add Azure Sentinel.
Connect data sources
Azure Sentinel ingests data from services and apps by connecting to the service and forwarding the events and logs to Azure Sentinel. For physical and virtual machines, you can install the Log Analytics agent that collects the logs and forwards them to Azure Sentinel. For Firewalls and proxies, Azure Sentinel installs the Log Analytics agent on a Linux Syslog server, from which the agent collects the log files and forwards them to Azure Sentinel.
From the main menu, select Data connectors. This opens the data connectors gallery.
The gallery is a list of all the data sources you can connect. Select a data source and then the Open connector page button.
The connector page shows instructions for configuring the connector, and any additional instructions that may be necessary.
For example, if you select the Azure Active Directory data source, which lets you stream logs from Azure AD into Azure Sentinel, you can select what type of logs you wan to get - sign-in logs and/or audit logs.
Follow the installation instructions or refer to the relevant connection guide for more information. For information about data connectors, see Connect Microsoft services.
The Next steps tab on the connector page shows relevant built-in workbooks, sample queries, and analytics rule templates that accompany the data connector. You can use these as-is or modify them - either way you can immediately get interesting insights across your data.
After your data sources are connected, your data starts streaming into Azure Sentinel and is ready for you to start working with. You can view the logs in the built-in workbooks and start building queries in Log Analytics to investigate the data.
In this document, you learned about onboarding and connecting data sources to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data, and potential threats.
- Get started detecting threats with Azure Sentinel.
- Stream data from Common Event Format appliances into Azure Sentinel.