On-board Azure Sentinel Preview
In this quickstart you will learn how to on-board Azure Sentinel.
To on-board Azure Sentinel, you first need to connect to your data sources. Azure Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft Threat Protection solutions, Microsoft 365 sources, including Office 365, Azure AD, Azure ATP, and Microsoft Cloud App Security, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use common event format, Syslog or REST-API to connect your data sources with Azure Sentinel.
After you connect your data sources, choose from a gallery of expertly created dashboards that surface insights based on your data. These dashboards can be easily customized to your needs.
If you don’t have an Azure subscription, create a free account before you begin.
Log Analytics workspace. Learn how to create a Log Analytics workspace
Contributor permissions to your tenant to enable Azure Sentinel
Tenant global or security admin permissions
Go into the Azure portal.
Make sure that the subscription in which Azure Sentinel is created, is selected.
Search for Azure Sentinel.
Select the workspace you want to use or create a new one. You can run Azure Sentinel on more than one workspace, but the data is isolated to a single workspace.
- Workspace location It's important to understand that all the data you stream to Azure Sentinel is stored in the geographic location of the workspace you selected.
- Default workspaces created by Azure Security Center will not appear in the list; you can't install Azure Sentinel on them.
- Azure Sentinel can run on workspaces that are deployed in any of the following regions: Australia Southeast, Canada Central, Central India, East US, East US 2 EUAP (Canary), Japan East, Southeast Asia, UK South, West Europe, West US 2.
Click Add Azure Sentinel.
Connect data sources
Azure Sentinel creates the connection to services and apps by connecting to the service and forwarding the events and logs to Azure Sentinel. For machines and virtual machines, you can install the Azure Sentinel agent that collects the logs and forwards them to Azure Sentinel. For Firewalls and proxies, Azure Sentinel utilizes a Linux Syslog server. The agent is installed on it and from which the agent collects the log files and forwards them to Azure Sentinel.
- Click Data collection.
- There is a tile for each data source you can connect.
For example, click Azure Active Directory. If you connect this data source, you stream all the logs from Azure AD into Azure Sentinel. You can select what type of logs you wan to get - sign-in logs and/or audit logs.
At the bottom, Azure Sentinel provides recommendations for which dashboards you should install for each connector so you can immediately get interesting insights across your data.
Follow the installation instructions or refer to the relevant connection guide for more information. For information about data connectors, see Connect Microsoft services.
After your data sources are connected, your data starts streaming into Azure Sentinel and is ready for you to start working with. You can view the logs in the built-in dashboards and start building queries in Log Analytics to investigate the data.
In this document, you learned about connecting data sources to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data, and potential threats.
- Get started detecting threats with Azure Sentinel.
- Stream data from Common Error Format appliances into Azure Sentinel.
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.