Note: This repository is a community project and does not serve as official Microsoft documentation - feedback and comments are much appreciated. For official Azure Sentinel documentation, click here.
Overview
These brief instructions will help you get started quickly with Azure Sentinel - ie. a simple and typical deployment. For more advanced deployments, additional considerations may need to be made, refer to this techcommunity post for more.
1 - Creating a Workspace and Instance
| S/N | Step | Illustration |
|---|---|---|
| 1A | Navigate to portal.azure.com |
 |
| 1B | In the search bar, type Azure Sentinel |  |
| 1C | Click on Add |  |
| 1D | Create a new workspace |  |
| 1E | Specify the Subscription, Resource Group, Instance Name and Region. |  |
| 1F | Pay-as-you-go is the default pricing tier, you can switch to Capacity Reservation later if necessary, see here. |  |
| 1G | [optional] Specify tags if relevant. |  |
| 1H | Click Create after validation has passed. |  |
| 1I | Click Add once the new instance appears. |  |
2 - Enable Data Connectors
Tip: Refer to SOC in a Box for guidance on which Data Connectors to enable (based on data sources relevant to you).
| S/N | Step | Illustration |
|---|---|---|
| 2A | In the Azure Sentinel instance, navigate to Data Connectors. |
 |
| 2B | Search for the desired connector and click on Open Connector Page. |  |
| 2C | Follow the instructions, these differ for each data connector. |  |
| 2D | After the data connector has been successfully enabled, refresh the page. Depending on the data connector, once data starts flowing in you will see the following. |  |
3 - Enable Analytics Rules
Tip: Refer to SOC in a Box for guidance on which Analytics Rules to enable (based on data sources relevant to you).
| S/N | Step | Illustration |
|---|---|---|
| 3A | In the Azure Sentinel instance, navigate to Analytics Rules. Click on the Rule templates tab and search for the desired rule. Click on the rule and select Create rule. |
 |
| 3B | The template Analytics Rules are pre-populated, so if you do not wish to amend any parameter you can directly click onto Review and create. Otherwise, navigate to the relevant tabs to modify parameters accordingly. |  |
| 3C | Once validation is passed, click on Create. |  |