Rediger

Del via


Quickstart: Onboard Microsoft Sentinel

In this quickstart, you'll enable Microsoft Sentinel and install a solution from the content hub. Then, you'll set up a data connector to start ingesting data into Microsoft Sentinel.

Microsoft Sentinel comes with many data connectors for Microsoft products such as the Microsoft Defender XDR service-to-service connector. You can also enable built-in connectors for non-Microsoft products such as Syslog or Common Event Format (CEF). For this quickstart, you'll use the Azure Activity data connector that's available in the Azure Activity solution for Microsoft Sentinel.

To onboard to Microsoft Sentinel by using the API, see the latest supported version of Sentinel Onboarding States.

Prerequisites

Enable Microsoft Sentinel

To get started, add Microsoft Sentinel to an existing workspace or create a new one.

  1. Sign in to the Azure portal.

  2. Search for and select Microsoft Sentinel.

    Screenshot of searching for a service while enabling Microsoft Sentinel.

  3. Select Create.

  4. Select the workspace you want to use or create a new one. You can run Microsoft Sentinel on more than one workspace, but the data is isolated to a single workspace.

    Screenshot of choosing a workspace while enabling Microsoft Sentinel.

    • The default workspaces created by Microsoft Defender for Cloud aren't shown in the list. You can't install Microsoft Sentinel on these workspaces.
    • Once deployed on a workspace, Microsoft Sentinel doesn't support moving that workspace to another resource group or subscription.
  5. Select Add.

Install a solution from the content hub

The content hub in Microsoft Sentinel is the centralized location to discover and manage out-of-the-box content including data connectors. For this quickstart, install the solution for Azure Activity.

  1. In Microsoft Sentinel, select Content hub.

  2. Find and select the Azure Activity solution.

    Screenshot of the content hub with the solution for Azure Activity selected.

  3. On the toolbar at the top of the page, select Install/Update.

Set up the data connector

Microsoft Sentinel ingests data from services and apps by connecting to the service and forwarding the events and logs to Microsoft Sentinel. For this quickstart, install the data connector to forward data for Azure Activity to Microsoft Sentinel.

  1. In Microsoft Sentinel, select Data connectors.

  2. Search for and select the Azure Activity data connector.

  3. In the details pane for the connector, select Open connector page.

  4. Review the instructions to configure the connector.

  5. Select Launch Azure Policy Assignment Wizard.

  6. On the Basics tab, set the Scope to the subscription and resource group that has activity to send to Microsoft Sentinel. For example, select the subscription that contains your Microsoft Sentinel instance.

  7. Select the Parameters tab.

  8. Set the Primary Log Analytics workspace. This should be the workspace where Microsoft Sentinel is installed.

  9. Select Review + create and Create.

Generate activity data

Let's generate some activity data by enabling a rule that was included in the Azure Activity solution for Microsoft Sentinel. This step also shows you how to manage content in the content hub.

  1. In Microsoft Sentinel, select Content hub.

  2. Find and select the Azure Activity solution.

  3. From the right-hand side pane, select Manage.

  4. Find and select the rule template Suspicious Resource deployment.

  5. Select Configuration.

  6. Select the rule and Create rule.

  7. On the General tab, change the Status to enabled. Leave the rest of the default values.

  8. Accept the defaults on the other tabs.

  9. On the Review and create tab, select Create.

View data ingested into Microsoft Sentinel

Now that you've enabled the Azure Activity data connector and generated some activity data let's view the activity data added to the workspace.

  1. In Microsoft Sentinel, select Data connectors.

  2. Search for and select the Azure Activity data connector.

  3. In the details pane for the connector, select Open connector page.

  4. Review the Status of the data connector. It should be Connected.

    Screenshot of data connector for Azure Activity with the status showing as connected.

  5. In the left-hand side pane above the chart, select Go to log analytics.

  6. On the top of the pane, next to the New query 1 tab, select the + to add a new query tab.

  7. In the query pane, run the following query to view the activity date ingested into the workspace.

     AzureActivity
    

    Screenshot of the log query window with results returned for the Azure Activity query.

Next steps

In this quickstart, you enabled Microsoft Sentinel and installed a solution from the content hub. Then, you set up a data connector to start ingesting data into Microsoft Sentinel. You also verified that data is being ingested by viewing the data in the workspace.