Quickstart: On-board Microsoft Sentinel
Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.
In this quickstart, learn how to on-board Microsoft Sentinel. To on-board Microsoft Sentinel, you first need to enable Microsoft Sentinel, and then connect your data sources.
Microsoft Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions, Microsoft 365 sources (including Office 365), Azure AD, Microsoft Defender for Identity (formerly Azure ATP), Microsoft Defender for Cloud Apps, security alerts from Microsoft Defender for Cloud, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog or REST-API to connect your data sources with Microsoft Sentinel.
After you connect your data sources, choose from a gallery of expertly created workbooks that surface insights based on your data. These workbooks can be easily customized to your needs.
Active Azure Subscription. If you don't have one, create a free account before you begin.
By default, you may have a default of 30 days retention in the Log Analytics workspace used for Microsoft Sentinel. To make sure that you can use the full extent of Microsoft Sentinel functionality, raise this to 90 days. For more information, see Change the retention period.
To enable Microsoft Sentinel, you need contributor permissions to the subscription in which the Microsoft Sentinel workspace resides.
To use Microsoft Sentinel, you need either contributor or reader permissions on the resource group that the workspace belongs to.
Additional permissions may be needed to connect specific data sources.
For more information, see Pre-deployment activities and prerequisites for deploying Microsoft Sentinel.
Geographical availability and data residency
Microsoft Sentinel can run on workspaces in most regions where Log Analytics is generally available. Regions where Log Analytics is newly available may take some time to onboard the Microsoft Sentinel service.
Single-region data residency is currently provided only in the Southeast Asia (Singapore) region of the Asia Pacific geography, and in the Brazil South (Sao Paulo State) region of the Brazil geography.
- By enabling certain rules that make use of the machine learning (ML) engine, you give Microsoft permission to copy relevant ingested data outside of your Microsoft Sentinel workspace's geography as may be required by the machine learning engine to process these rules.
Sign in to the Azure portal. Make sure that the subscription in which Microsoft Sentinel is created is selected.
Search for and select Microsoft Sentinel.
Select the workspace you want to use or create a new one. You can run Microsoft Sentinel on more than one workspace, but the data is isolated to a single workspace.
- Default workspaces created by Microsoft Defender for Cloud will not appear in the list; you can't install Microsoft Sentinel on them.
Once deployed on a workspace, Microsoft Sentinel does not currently support the moving of that workspace to other resource groups or subscriptions.
If you have already moved the workspace, disable all active rules under Analytics and re-enable them after five minutes. This should be effective in most cases, though, to reiterate, it is unsupported and undertaken at your own risk.
Select Add Microsoft Sentinel.
Connect data sources
Microsoft Sentinel ingests data from services and apps by connecting to the service and forwarding the events and logs to Microsoft Sentinel. For physical and virtual machines, you can install the Log Analytics agent that collects the logs and forwards them to Microsoft Sentinel. For Firewalls and proxies, Microsoft Sentinel installs the Log Analytics agent on a Linux Syslog server, from which the agent collects the log files and forwards them to Microsoft Sentinel.
From the main menu, select Data connectors. This opens the data connectors gallery.
The gallery is a list of all the data sources you can connect. Select a data source and then the Open connector page button.
The connector page shows instructions for configuring the connector, and any additional instructions that may be necessary.
For example, if you select the Azure Active Directory data source, which lets you stream logs from Azure AD into Microsoft Sentinel, you can select what type of logs you want to get - sign-in logs and/or audit logs.
Follow the installation instructions or refer to the relevant connection guide for more information. For information about data connectors, see Microsoft Sentinel data connectors.
The Next steps tab on the connector page shows relevant built-in workbooks, sample queries, and analytics rule templates that accompany the data connector. You can use these as-is or modify them - either way you can immediately get interesting insights across your data.
After your data sources are connected, your data starts streaming into Microsoft Sentinel and is ready for you to start working with. You can view the logs in the built-in workbooks and start building queries in Log Analytics to investigate the data.
For more information, see Data collection best practices.
For more information, see:
Alternate deployment / management options: