docs: link Installation Guide in README

Author: ws-mpiglas

integrations/sentinel/data_connector/README.md

@@ -1,12 +1,33 @@
 # Sentinel Connector with Azure Function
 
-## Requirements
+Sentinel Connector allows ingesting WithSecure Security Events into Microsoft Sentinel Logs
+Workspace. Connector periodically polls Security Events from Elements backends and forwards 
+it to Azure cloud. 
+
+![WithSecure Security Events in Elements Security Center](docs/images/security_events_list_ok.png)
+
+Sentinel administrator can use ingested events to create Workbooks, 
+Playbooks and use other Sentinel features.
+
+![Security Events in Sentinel](docs/images/security_events_logs.png)
+
+## Installation
+
+Repository provides packages that help install Connector in Azure cloud. **[Installation Guide](docs/installation_guide.md)** 
+contains step-by-step installation procedure that will help you start ingesting WithSecure 
+Security Events.
+
+Contact [WithSecure support](https://www.withsecure.com/en/support) if you need more detail or help with installation.
+
+## Development
+
+### Requirements
 
 - Python 3.10.x
 - Poetry (https://python-poetry.org/)
 - Azure CLI (https://learn.microsoft.com/en-us/cli/azure/)
 
-## Project structure 
+### Project structure 
 
 - `app/function_app.py` - entry point for Azure Function
 - `app/lib/` - connector implementation responsible for reading data from Elements API and
@@ -17,48 +38,6 @@
 - `poetry.toml` - poetry configuration
 - `pyproject.toml` - project configuration (dependencies, additional tools, scripts, etc)
 
-## Installation in Azure Cloud
-
-Connector installation has following steps:
-
-1. Create Elements API credentials
-2. Creating Azure Entra application.
-3. Deploying Azure resources.
-4. Preparing installation package.
-5. Package installation.
-
-Log Analytics Workspace is not managed with provided deployment templates. It can be created
-manually in Azure Portal or from command line. All resources must be deployed in the same
-resource group where Log Analytics Workspace is created. In next paragraphs this group is  
-referenced as `$resource_group`.
-
-Installation requires working Azure CLI. Run `az version` to verify if tool is available.
-
-### Create Elements API credentials
-
-Follow user guide to create Elements API credentials. Save credentials in safe place.
-
-### Create Azure Entra application
-
-Create new [Entra Application](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-microsoft-entra-application)
-   and credentials. Save secret key in safe place.
-
-### Deploying connector
-
-In this step all resources that are required by Connector are deployed and linked with 
-existing Log Analytics Workspace and Entra Application.
-
-1. Adjust file `deploy/connector_app_parameters.json`. Set required values:
- - `workspaceName` - name of **existing** Log Analytics Workspace,
- - `entraObjectId` - principal id of Entra Application. Can be found in Entra Application,
-    under link `Managed application in local directory` in field `Object ID`,
- - `elementsApiClientId` - client id from the WithSecure Elements Portal,
- - `elementsApiClientSecret` - client secret from WithSecure Elements Portal,
- - `entraTenantId`- value of `Directory (client) ID` property in Entra Application management console, 
- - `entraClientId`- value of `Application (client) ID` property in Entra Application management console,
- - `entraClientSecret` - secret key from Application credentials.
- 
-2. Execute command `az deployment group create --name ConnectorApp --resource-group $resource_group --template-file deploy/azuredeploy_connector_app.json --parameters deploy/connector_app_parameters.json` 
 
 ### Building installation package
 
@@ -78,8 +57,6 @@ existing Log Analytics Workspace and Entra Application.
    date.
 3. Wait until new events arrive in table `WsSecurityEvents_CL`.
 
-## Development
-
 ### Testing
 
 1. Tests are kept in directory `tests/`. To execute whole suite run command `poetry run pytest`.
@@ -112,25 +89,3 @@ To start function in emulator it needs to be appended to Azure Functions. To do
 
 To learn more visit:
 [Quickstart: Create a function in Azure with Python using VS Code](https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-python?pivots=python-mode-decorators)
-
-
-## Troubleshooting
-
-**Security Events are missing**
-
-1. Open invocation logs in Azure Function console.
-2. Check if most recent logs contains entry starting with `Execution error`.
-3. If there is no error it means that function works as expected. However in Log Analytics 
-   workspace new events might appear with bigger delay.
-4. Check if most recent logs contains entry starting with `Found 0 events since $date`.
-5. Check security events in Elements Portal. If all events are older that `$date` then
-   connector works as expected.
-6. Otherwise find transaction id (`X-Transaction`) from last request to Elements API and 
-   contact with support team.
-   
-**Function handler is not visible in functions list**
-
-If `upload_security_events` function is missing on list it might indicate that Azure couldn't 
-initialize it. It might be caused by missing dependencies, error in module initialization 
-or wrong runtime used to build package. There is no easy way to find reason why Azure couldn't 
-initialize function. The only method is `trial and error`.

integrations/sentinel/data_connector/docs/installation_guide.md

@@ -136,7 +136,7 @@ from file `azuredeploy_connector_app.json` deploys all required resources:
 Go to resource group with Sentinel solution. After successful deployment it should contain 
 items similar to ones from screenshot below.
 
-![Resource group](images/resource_group_after_ok.png)
+![Resource group](images/resources_group_after_ok.png)
 
 After deployment connector starts polling Security Events from Elements backend. Every
 minute reads most recent events and push to table `WsSecurityEvents_CL` in Log Analytics