Quickstart: Onboard Microsoft Sentinel
In this quickstart, you enable Microsoft Sentinel, and then set up data connectors to monitor and protect your environment. After you connect your data sources using data connectors, you choose from a gallery of expertly created workbooks that surface insights based on your data. These workbooks can be easily customized to your needs.
Microsoft Sentinel comes with many connectors for Microsoft products, for example, the Microsoft 365 Defender service-to-service connector. You can also enable built-in connectors for non-Microsoft products, for example, Syslog or Common Event Format (CEF). Learn more about data connectors.
Active Azure Subscription. If you don't have one, create a free account before you begin.
You may have a default of 30 days retention in the Log Analytics workspace used for Microsoft Sentinel. To make sure that you can use all Microsoft Sentinel functionality and features, raise the retention to 90 days. Configure data retention and archive policies in Azure Monitor Logs.
To enable Microsoft Sentinel, you need contributor permissions to the subscription in which the Microsoft Sentinel workspace resides.
To use Microsoft Sentinel, you need either contributor or reader permissions on the resource group that the workspace belongs to.
You might need other permissions to connect specific data sources.
Geographical availability and data residency
Microsoft Sentinel can run on workspaces in most regions where Log Analytics is generally available. Regions where Log Analytics is newly available may take some time to onboard the Microsoft Sentinel service.
Single-region data residency is currently provided only in the Southeast Asia (Singapore) region of the Asia Pacific geography, and in the Brazil South (Sao Paulo State) region of the Brazil geography.
- By enabling certain rules that make use of the machine learning (ML) engine, you give Microsoft permission to copy relevant ingested data outside of your Microsoft Sentinel workspace's geography as may be required by the machine learning engine to process these rules.
Sign in to the Azure portal. Make sure that the subscription in which Microsoft Sentinel is created is selected.
Search for and select Microsoft Sentinel.
Select the workspace you want to use or create a new one. You can run Microsoft Sentinel on more than one workspace, but the data is isolated to a single workspace. Note that default workspaces created by Microsoft Defender for Cloud are not shown in the list. You can't install Microsoft Sentinel on these workspaces.
Once deployed on a workspace, Microsoft Sentinel does not currently support the moving of that workspace to other resource groups or subscriptions.
If you have already moved the workspace, disable all active rules under Analytics and re-enable them after five minutes. This should be effective in most cases, though, to reiterate, it is unsupported and undertaken at your own risk.
Select Add Microsoft Sentinel.
Set up data connectors
Microsoft Sentinel ingests data from services and apps by connecting to the service and forwarding the events and logs to Microsoft Sentinel.
- For physical and virtual machines, you can install the Log Analytics agent that collects the logs and forwards them to Microsoft Sentinel.
- For firewalls and proxies, Microsoft Sentinel installs the Log Analytics agent on a Linux Syslog server, from which the agent collects the log files and forwards them to Microsoft Sentinel.
From the main menu, select Data connectors. This opens the data connectors gallery.
Select a data connector, and then select the Open connector page button.
The connector page shows instructions for configuring the connector, and any other instructions that may be necessary.
For example, if you select the Azure Active Directory data connector, which lets you stream logs from Azure AD into Microsoft Sentinel, you can select what type of logs you want to get - sign-in logs and/or audit logs.
Follow the installation instructions. To learn more, read the relevant connection guide or learn about Microsoft Sentinel data connectors.
The Next steps tab on the connector page shows relevant built-in workbooks, sample queries, and analytics rule templates that accompany the data connector. You can use these as-is or modify them - either way you can immediately get interesting insights across your data.
After you set up your data connectors, your data starts streaming into Microsoft Sentinel and is ready for you to start working with. You can view the logs in the built-in workbooks and start building queries in Log Analytics to investigate the data.
Review the data collection best practices.
For more information, see:
Alternate deployment / management options:
Submit and view feedback for