Azure Sentinel - An Introduction

Enabling Azure Sentinel

Azure Sentinel is available in Azure Portal, and to enable it, you need a Log Analytics workspace. A Log Analytics workspace provides:

  • A geographic location for data storage.

  • Data isolation, by granting different users access rights in line with the recommended Log Analytics workspace design strategies; these recommendations can be found at http://aka.ms/asbook/workspacedesign.

  • A scope for configuration of settings, such as pricing tier, retention, and data capping.

Although Azure Sentinel supports multiple workspaces for some scenarios, it is recommended that you use a centralized workspace because alert rules and investigations do not function across workspaces.

The following steps assume that you don’t have a workspace and that you will create one as part of the Azure Sentinel deployment:

  1. Open Azure Portal and sign in with a user who has contributor privileges in the subscription in which the Azure Sentinel workspace will reside.

  2. Under All services, type Sentinel and click Azure Sentinel, as shown in Figure 2-2.

    FIGURE 2-2 Accessing Azure Sentinel in Azure Portal

  3. When Azure Sentinel launches for the first time, there is no workspace associated with it; the initial blade will look similar to Figure 2-3.

    FIGURE 2-3 Azure Sentinel workspace selection page

  4. At this point, you can either click the Add button or click the Connect Workspace button. Both options will lead you to the Choose a workspace to add to Azure Sentinel page, as shown in Figure 2-4.

    FIGURE 2-4 Adding a new workspace to Azure Sentinel

  5. Click the Create a new workspace option; the Log analytics workspace page appears, as shown in Figure 2-5.

    FIGURE 2-5 Creating a new workspace to be used by Azure Sentinel

  6. In the Log Analytics Workspace field, type a name for the workspace.

  7. In the Subscription field, select the subscription that you want to use.

  8. From the Resource group drop-down menu, select the resource group you want to use.

  9. From the Location drop-down menu, select the location where the workspace will reside.

  10. For the Pricing tier, select Per GB.

  11. After completing those fields, click the OK button.

  12. On the Choose a workspace to add to Azure Sentinel page, select the workspace that you just created and click the Add Azure Sentinel button; the initial Azure Sentinel dashboard appears, as shown in Figure 2-6.

FIGURE 2-6 Initial Azure Sentinel page
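The same deployment expressed as infrastructure as code, added here as an example that is not part of the book's procedure: a Bicep template that creates the workspace with the fields from steps 6 through 10 (the Per GB pricing tier is the PerGB2018 SKU in the resource model) and then onboards Azure Sentinel onto it, which is what step 12 does in the portal. The parameter names, the 90-day retention default, the uncapped daily quota and the API versions shown are assumptions of this example; verify them against the current resource reference before deploying.

```bicep
// Added example (not from the book): creates the Log Analytics workspace from
// steps 6-10 and enables Azure Sentinel on it, the same result as step 12.
// Parameter names, defaults and API versions are assumptions of this example.
targetScope = 'resourceGroup'   // step 8: deploy into the chosen resource group

@description('Workspace name (step 6)')
param workspaceName string

@description('Region where the workspace and its data reside (step 9)')
param location string = resourceGroup().location

@description('Retention in days; one of the settings scoped to the workspace')
param retentionInDays int = 90

@description('Daily ingestion cap in GB; -1 means no cap')
param dailyQuotaGb int = -1

// Step 10: the "Per GB" pricing tier shown in the portal is the PerGB2018 SKU.
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: {
      name: 'PerGB2018'
    }
    retentionInDays: retentionInDays
    workspaceCapping: {
      dailyQuotaGb: dailyQuotaGb
    }
  }
}

// Step 12: Sentinel onboarding is an extension resource scoped to the workspace;
// the resource name must be 'default'.
resource sentinel 'Microsoft.SecurityInsights/onboardingStates@2023-02-01' = {
  name: 'default'
  scope: workspace
  properties: {
    customerManagedKey: false
  }
}

// Handy for wiring data connectors to this workspace later.
output workspaceId string = workspace.id
```

Deploy it with `az deployment group create --resource-group <rg> --template-file sentinel.bicep --parameters workspaceName=<name>` while signed in as an identity that has Contributor on that resource group, which is the same privilege step 1 asks for.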

Now that you have your workspace configured, you are ready to start ingesting data from different sources. We’ll cover that in the next section.