#Customer intent: As a security operator, set up data connectors in one place so I can monitor and protect my environment.
10
10
---
@@ -32,7 +32,7 @@ Microsoft Sentinel comes with many data connectors for Microsoft products such a
32
32
33
33
-**Microsoft Sentinel is a paid service**. Review the [pricing options](https://go.microsoft.com/fwlink/?linkid=2104058) and the [Microsoft Sentinel pricing page](https://azure.microsoft.com/pricing/details/azure-sentinel/).
34
34
35
-
- Before deploying Microsoft Sentinel to a production environment, review the [pre-deployment activities and prerequisites for deploying Microsoft Sentinel](prerequisites.md).
35
+
- Before deploying Microsoft Sentinel to a production environment, review the [predeployment activities and prerequisites for deploying Microsoft Sentinel](prerequisites.md).
36
36
37
37
## Enable Microsoft Sentinel <aname="enable"></a>
38
38
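Review bot: The only change in this hunk is the link text "pre-deployment" becoming "predeployment" in the prerequisites bullet, so please confirm that spelling matches the title of the linked prerequisites.md article so the link text and the target heading stay consistent. While touching this area, the context line for the heading reads `## Enable Microsoft Sentinel <aname="enable"></a>`; if the source file really has `<aname=` rather than `<a name=`, the anchor won't resolve and is worth fixing in the same commit.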
@@ -50,48 +50,70 @@ To get started, add Microsoft Sentinel to an existing workspace or create a new
50
50
51
51
:::image type="content" source="media/quickstart-onboard/choose-workspace.png" alt-text="Screenshot of choosing a workspace while enabling Microsoft Sentinel.":::
52
52
53
-
- The default workspaces created by Microsoft Defender for Cloud are not shown in the list. You can't install Microsoft Sentinel on these workspaces.
53
+
- The default workspaces created by Microsoft Defender for Cloud aren't shown in the list. You can't install Microsoft Sentinel on these workspaces.
54
54
- Once deployed on a workspace, Microsoft Sentinel **doesn't currently support** moving that workspace to another resource group or subscription.
55
55
56
56
1. Select **Add Microsoft Sentinel**.
57
57
58
58
## Install a solution from the content hub
59
59
60
-
The content hub in Microsoft Sentinel is the centralized location to discover and manage out-of-the-box (built-in) content including data connectors. For this quickstart, install the solution for Azure Activity.
60
+
The content hub in Microsoft Sentinel is the centralized location to discover and manage out-of-the-box content including data connectors. For this quickstart, install the solution for Azure Activity.
61
61
62
62
1. In Microsoft Sentinel, select **Content hub**.
63
63
64
64
1. Find and select the **Azure Activity** solution.
65
65
66
-
1. Select **Install** and then **Create**.
67
-
1. On the **Basics** tab, select the **Resource group** and **Workspace** where Microsoft Sentinel is enabled.
68
-
1. Select **Review + create**.
66
+
1. On the toolbar at the top of the page, select **Install/Update**.
69
67
70
68
## Set up the data connector
71
69
72
70
Microsoft Sentinel ingests data from services and apps by connecting to the service and forwarding the events and logs to Microsoft Sentinel. For this quickstart, install the data connector to forward data for Azure Activity to Microsoft Sentinel.
73
71
74
-
1. In the Azure portal, search for and select **Microsoft Sentinel**.
75
72
1. In Microsoft Sentinel, select **Data connectors**.
76
73
1. Search for and select the **Azure Activity** data connector.
77
74
1. In the details pane for the connector, select **Open connector page**.
78
75
1. Review the instructions to configure the connector.
1. On the **Basics** tab, set the **Scope** to the subscription and resource group that has activity to send to Microsoft Sentinel. For example, use the subscription and resource group that contains your Microsoft Sentinel instance.
77
+
1. On the **Basics** tab, set the **Scope** to the subscription and resource group that has activity to send to Microsoft Sentinel. For example, select the subscription that contains your Microsoft Sentinel instance.
81
78
1. Select the **Parameters** tab.
82
79
1. Set the **Primary Log Analytics workspace**. This should be the workspace where Microsoft Sentinel is installed.
83
80
1. Select **Review + create** and **Create**.
84
81
85
-
After you set up your data connectors, your data starts streaming into Microsoft Sentinel and is ready for you to start working with. You can view the logs in the [built-in workbooks](get-visibility.md) and start building queries in Log Analytics to [investigate the data](investigate-cases.md).
82
+
## Generate activity data
86
83
87
-
Review the [data collection best practices](best-practices-data.md).
84
+
Let's generate some activity data by enabling a rule that was included in the Azure Activity solution for Microsoft Sentinel. This step also shows you how to manage content in the content hub.
85
+
86
+
1. In Microsoft Sentinel, select **Content hub**.
87
+
1. Find and select the **Azure Activity** solution.
88
+
1. From the right-hand side pane, select **Manage**.
89
+
1. Find and select the rule template **Suspicious Resource deployment**.
90
+
1. Select **Configuration**.
91
+
1. Select the rule and **Create rule**.
92
+
1. On the **General** tab, change the **Status** to enabled. Leave the rest of the default values.
93
+
1. Accept the defaults on the other tabs.
94
+
1. On the **Review and create** tab, select **Create**.
88
95
89
96
## View data ingested into Microsoft Sentinel
90
97
98
+
Now that you've enabled the Azure Activity data connector and generated some activity data let's view the activity data added to the workspace.
99
+
100
+
1. In Microsoft Sentinel, select **Data connectors**.
101
+
1. Search for and select the **Azure Activity** data connector.
102
+
1. In the details pane for the connector, select **Open connector page**.
103
+
1. Review the **Status** of the data connector. It should be **Connected**.
104
+
1. In the left-hand side pane above the chart, select **Go to log analytics**.
105
+
1. On the top of the pane, next to the **New query 1** tab, select the **+** to add a new query tab.
106
+
1. In the query pane, run the following query to view the activity date ingested into the workspace.
107
+
108
+
```kusto
109
+
AzureActivity
110
+
```
111
+
91
112
92
113
## Next steps
93
114
94
-
In this quickstart, you enabled Microsoft Sentinel and installed a solution from the content hub. Then, you set up a data connector to start ingesting data into Microsoft Sentinel.
115
+
In this quickstart, you enabled Microsoft Sentinel and installed a solution from the content hub. Then, you set up a data connector to start ingesting data into Microsoft Sentinel. You also verified that data is being ingested by viewing the data in the workspace.
116
+
95
117
Go to the next article to learn how to visualize the data you've collected by using the dashboards and workbooks.
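Review bot: In the last step of the new "View data ingested into Microsoft Sentinel" list, "view the activity date ingested into the workspace" should read "activity data", and the intro sentence of that section needs a comma after "generated some activity data". In the rewritten Scope step, the first sentence still says "the subscription and resource group that has activity to send" while the example now only says "select the subscription that contains your Microsoft Sentinel instance"; align the two so the reader knows whether a resource group must be chosen. In "Generate activity data", the steps "Select **Configuration**" followed by "Select the rule and **Create rule**" are ambiguous about which pane the rule is selected in, and the section never says how enabling the **Suspicious Resource deployment** rule produces activity records or how long to wait before the data shows up. The bare `AzureActivity` query returns everything in the selected time range; consider bounding it (for example with `| take 10`) and stating what a successful result looks like. This hunk also drops the links to the built-in workbooks, investigate-cases.md and best-practices-data.md without a replacement, and the visible lines leave the newly enabled rule active with no note on disabling it afterwards.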