articles/sentinel/quickstart-onboard.md
Lines changed: 61 additions & 40 deletions
@@ -1,10 +1,10 @@
1
1
---
2
2
title: 'Quickstart: Onboard to Microsoft Sentinel'
3
3
description: In this quickstart, you enable Microsoft Sentinel, and set up data connectors to monitor and protect your environment.
4
-
author: yelevin
5
-
ms.author: yelevin
4
+
author: batamig
5
+
ms.author: bagol
6
6
ms.topic: quickstart
7
-
ms.date: 06/18/2024
7
+
ms.date: 04/03/2025
8
8
ms.custom: references_regions, mode-other
9
9
#Customer intent: As a security operator, set up data connectors in one place so I can monitor and protect my environment.
10
10
@@ -63,6 +63,11 @@ To get started, add Microsoft Sentinel to an existing workspace or create a new
63
63
64
64
1. Select **Add**.
65
65
66
+
> [!TIP]
67
+
> We recommend onboarding your workspace to the Defender portal for a unified experience in managing security operations (SecOps) across both Microsoft Sentinel and other Microsoft security services.
68
+
>
69
+
> If you decide to onboard your workspace now, you can continue the procedures in this article from the Defender portal. For more information, see [Onboard Microsoft Sentinel to the Defender portal](/unified-secops-platform/microsoft-sentinel-onboard).
70
+
66
71
## Install a solution from the content hub
67
72
68
73
The content hub in Microsoft Sentinel is the centralized location to discover and manage out-of-the-box content including data connectors. For this quickstart, install the solution for Azure Activity.
@@ -71,79 +76,95 @@ The content hub in Microsoft Sentinel is the centralized location to discover an
71
76
72
77
1. Find and select the **Azure Activity** solution.
73
78
74
-
:::image type="content" source="media/quickstart-onboard/content-hub-azure-activity.png" alt-text="Screenshot of the content hub with the solution for Azure Activity selected.":::
79
+
#### [Azure portal](#tab/azure-portal)
75
80
76
-
1. On the toolbar at the top of the page, select :::image type="icon" source="media/quickstart-onboard/install-update-button.png":::**Install/Update**.
81
+
:::image type="content" source="media/quickstart-onboard/content-hub-azure-activity.png" alt-text="Screenshot of the content hub in the Azure portal with the solution for Azure Activity selected.":::
77
82
78
-
## Set up the data connector
83
+
#### [Defender portal](#tab/defender-portal)
79
84
80
-
Microsoft Sentinel ingests data from services and apps by connecting to the service and forwarding the events and logs to Microsoft Sentinel. For this quickstart, install the data connector to forward data for Azure Activity to Microsoft Sentinel.
81
-
82
-
1. In Microsoft Sentinel, select **Data connectors**.
85
+
:::image type="content" source="media/quickstart-onboard/content-hub-azure-activity-defender.png" alt-text="Screenshot of the content hub in the Defender portal with the solution for Azure Activity selected.":::
83
86
84
-
1. Search for and select the **Azure Activity** data connector.
87
+
---
85
88
86
-
1.In the details pane for the connector, select **Open connector page**.
89
+
1.On the solution details pane on the side, select **Install**.
87
90
88
-
1. Review the instructions to configure the connector.
1. On the **Basics** tab, set the **Scope** to the subscription and resource group that has activity to send to Microsoft Sentinel. For example, select the subscription that contains your Microsoft Sentinel instance.
91
+
## Set up the data connector
93
92
94
-
1. Select the **Parameters** tab.
93
+
Microsoft Sentinel ingests data from services and apps by connecting to the service and forwarding the events and logs to Microsoft Sentinel. For this quickstart, install the data connector to forward data for Azure Activity to Microsoft Sentinel.
95
94
96
-
1.Set the **Primary Log Analytics workspace**. This should be the workspace where Microsoft Sentinel is installed.
95
+
1.In Microsoft Sentinel, select **Configuration** > **Data connectors** and search for and select the **Azure Activity** data connector.
97
96
98
-
1.Select **Review + create** and **Create**.
97
+
1.In the connector details pane, select **Open connector page**. Use the instructions on the **Azure Activity** connector page to set up the data connector.
Let's generate some activity data by enabling a rule that was included in the Azure Activity solution for Microsoft Sentinel. This step also shows you how to manage content in the content hub.
101
+
1. On the **Basics** tab, set the **Scope** to the subscription and resource group that has activity to send to Microsoft Sentinel. For example, select the subscription that contains your Microsoft Sentinel instance.
103
102
104
-
1.In Microsoft Sentinel, select **Content hub**.
103
+
1.Select the **Parameters** tab, and set the **Primary Log Analytics workspace**. This should be the workspace where Microsoft Sentinel is installed.
105
104
106
-
1. Find and select the **Azure Activity**solution.
105
+
1. Select **Review + create**and **Create**.
107
106
108
-
1. From the right-hand side pane, select **Manage**.
107
+
## Generate activity data
109
108
110
-
1. Find and select the rule template **Suspicious Resource deployment**.
109
+
Let's generate some activity data by enabling a rule that was included in the Azure Activity solution for Microsoft Sentinel. This step also shows you how to manage content in the content hub.
111
110
112
-
1.Select **Configuration**.
111
+
1.In Microsoft Sentinel, select **Content hub** and search for and select **Suspicious Resource deployment** rule template in the **Azure Activity** solution.
113
112
114
-
1.Select the rule and **Create rule**.
113
+
1.In the details pane, select **Create rule** to create a new rule using the **Analytics rule wizard**.
115
114
116
-
1.On the **General**tab, change the **Status** to enabled. Leave the rest of the default values.
115
+
1.In the **Analytics rule wizard - Create a new Scheduled rule**page, change the **Status** to **Enabled**.
117
116
118
-
1. Accept the defaults on the other tabs.
117
+
On this tab and all other tabs in the wizard, leave the default values as they are.
119
118
120
119
1. On the **Review and create** tab, select **Create**.
121
120
122
121
## View data ingested into Microsoft Sentinel
123
122
124
123
Now that you've enabled the Azure Activity data connector and generated some activity data let's view the activity data added to the workspace.
125
124
126
-
1. In Microsoft Sentinel, select **Data connectors**.
127
-
128
-
1. Search for and select the **Azure Activity** data connector.
125
+
1. In Microsoft Sentinel, select **Configuration** > **Data connectors** and search for and select the **Azure Activity** data connector.
129
126
130
-
1. In the details pane for the connector, select **Open connector page**.
127
+
1. In the connector details pane, select **Open connector page**.
131
128
132
129
1. Review the **Status** of the data connector. It should be **Connected**.
133
130
134
131
:::image type="content" source="media/quickstart-onboard/azure-activity-connected-status.png" alt-text="Screenshot of data connector for Azure Activity with the status showing as connected.":::
135
132
136
-
1. In the left-hand side pane above the chart, select **Go to log analytics**.
133
+
1. Select a tab to continue, depending on which portal you're using:
134
+
135
+
#### [Azure portal](#tab/azure-portal)
136
+
137
+
1. Select **Go to query** to open the **Logs** page in the Azure portal.
138
+
139
+
1. On the top of the pane, next to the **New query 1** tab, select the **+** to add a new query tab.
140
+
141
+
1. On the side, switch from **Simple mode** to **KQL mode**, and run the following query to view the activity date ingested into the workspace:
142
+
143
+
```kusto
144
+
AzureActivity
145
+
```
146
+
147
+
For example:
148
+
149
+
:::image type="content" source="media/quickstart-onboard/azure-activity-logs-query.png" alt-text="Screenshot of the AzureActivity query in the Logs page of the Azure portal.":::
150
+
151
+
#### [Defender portal](#tab/defender-portal)
152
+
153
+
1. Select **Go to log analytics** to open the **Advanced hunting** page.
154
+
155
+
1. On the top of the pane, next to the **New query** tab, select the **+** to add a new query tab.
156
+
157
+
1. Run the following query to view the activity date ingested into the workspace:
137
158
138
-
1. On the top of the pane, next to the **New query 1** tab, select the **+** to add a new query tab.
159
+
```kusto
160
+
AzureActivity
161
+
```
139
162
140
-
1. In the query pane, run the following query to view the activity date ingested into the workspace.
163
+
For example:
141
164
142
-
```kusto
143
-
AzureActivity
144
-
```
165
+
:::image type="content" source="media/quickstart-onboard/content-hub-azure-activity-defender.png" alt-text="Screenshot of the AzureActivity query in the Logs page of the Defender portal.":::
145
166
146
-
:::image type="content" source="media/quickstart-onboard/azure-activity-logs-query.png" alt-text="Screenshot of the log query window with results returned for the Azure Activity query.":::
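Review bot: the Defender portal screenshot added at the end of this hunk points at the wrong image: `:::image type="content" source="media/quickstart-onboard/content-hub-azure-activity-defender.png" alt-text="Screenshot of the AzureActivity query in the Logs page of the Defender portal.":::` reuses the content hub screenshot already referenced in the "Install a solution from the content hub" tab set, while its alt text describes the AzureActivity query results; reference the query-results image for the Defender portal instead, and since the step above says **Go to log analytics** opens the **Advanced hunting** page, the alt text should say "Advanced hunting page" rather than "Logs page". Two smaller points in the same hunk: both new query steps read "view the activity date ingested into the workspace" where "activity data" is meant (the removed line carried the same typo, so this is the place to fix it), and several new list items (`1.In Microsoft Sentinel, select **Configuration** > **Data connectors**...`, `1.Select the **Parameters** tab...`, `1.In the details pane, select **Create rule**...`) show no space after `1.`, which Markdown will not render as a numbered item if the source really reads that way. Lastly, the second tab set opened with `#### [Azure portal](#tab/azure-portal)` under "View data ingested into Microsoft Sentinel" has no closing `---` visible in this hunk, unlike the first tab set, which ends with `---`; confirm one follows the Defender portal tab.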