On-board Azure Sentinel Preview
In this quickstart you will learn how to on-board Azure Sentinel.
To on-board Azure Sentinel, you first need to enable Azure Sentinel, and then connect your data sources. Azure Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft Threat Protection solutions, Microsoft 365 sources, including Office 365, Azure AD, Azure ATP, and Microsoft Cloud App Security, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use common event format, Syslog or REST-API to connect your data sources with Azure Sentinel.
After you connect your data sources, choose from a gallery of expertly created dashboards that surface insights based on your data. These dashboards can be easily customized to your needs.
Active Azure Subscription, if you don't have one, create a free account before you begin.
Log Analytics workspace. Learn how to create a Log Analytics workspace
To enable Azure Sentinel, you need contributor permissions to the subscription in which the Azure Sentinel workspace resides.
To use Azure Sentinel, you need either contributor or reader permissions on the resource group that the workspace belongs to
Additional permissions may be needed to connect specific data sources
Go into the Azure portal.
Make sure that the subscription in which Azure Sentinel is created, is selected.
Search for Azure Sentinel.
Select the workspace you want to use or create a new one. You can run Azure Sentinel on more than one workspace, but the data is isolated to a single workspace.
- Workspace location It's important to understand that all the data you stream to Azure Sentinel is stored in the geographic location of the workspace you selected.
- Default workspaces created by Azure Security Center will not appear in the list; you can't install Azure Sentinel on them.
- Azure Sentinel can run on workspaces that are deployed in any of the following regions: Australia Southeast, Canada Central, Central India, East US, East US 2 EUAP (Canary), Japan East, Southeast Asia, UK South, West Europe, West US 2.
Click Add Azure Sentinel.
Connect data sources
Azure Sentinel creates the connection to services and apps by connecting to the service and forwarding the events and logs to Azure Sentinel. For machines and virtual machines, you can install the Azure Sentinel agent that collects the logs and forwards them to Azure Sentinel. For Firewalls and proxies, Azure Sentinel utilizes a Linux Syslog server. The agent is installed on it and from which the agent collects the log files and forwards them to Azure Sentinel.
- Click Data collection.
- There is a tile for each data source you can connect.
For example, click Azure Active Directory. If you connect this data source, you stream all the logs from Azure AD into Azure Sentinel. You can select what type of logs you wan to get - sign-in logs and/or audit logs.
At the bottom, Azure Sentinel provides recommendations for which dashboards you should install for each connector so you can immediately get interesting insights across your data.
Follow the installation instructions or refer to the relevant connection guide for more information. For information about data connectors, see Connect Microsoft services.
After your data sources are connected, your data starts streaming into Azure Sentinel and is ready for you to start working with. You can view the logs in the built-in dashboards and start building queries in Log Analytics to investigate the data.
In this document, you learned about connecting data sources to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data, and potential threats.
- Get started detecting threats with Azure Sentinel.
- Stream data from Common Error Format appliances into Azure Sentinel.