How to create Microsoft Sentinel

How to create your first Microsoft Sentinel instance!
Whether you are an IT Pro or starting your journey in cybersecurity, you may end up creating a Sentinel instance as a lab to test the waters, and it's actually easy to do. Microsoft did a really good job keeping this process as simple as they could.
Wait, that does not sound like Microsoft. Does it?

As with all types of onboarding and creations, it will require a set of prerequisites before you can start your deployment.
- Active subscription in Azure, you can get it here
- Contributor role at the subscription level (this is required to create resource groups). To use Sentinel itself afterwards, you can go with Microsoft Sentinel Contributor or Microsoft Sentinel Reader
- Keyboard & Mouse (ideally both)
With those in place, open portal.azure.com and search for Resource groups.

Click on Create and fill it in with all the nice details. Remember to select the right region so Microsoft knows where to point the satellite.
Woohoo! You now have a resource group ready (obviously, click on "Create" first).

The next step is to create a Log Analytics Workspace. This is something you are going to hear about a lot in future chapters and in general when working with Microsoft Sentinel.
A Log Analytics workspace is essentially your horizontally scalable data platform; it's architected for the ingestion, aggregation, and persistence of voluminous telemetry streams from disparate, heterogeneous sources. It functions as a delineated administrative boundary and a multi-tenant data sink. It will, of course, leverage a schema-on-read tabular structure underpinned by the Kusto data exploration service.
Yes - so as you already know, it's just a giant, magical toy box for all of your LEGOs: red ones, blue ones and even green ones! Every piece is a log that computers and apps create every second. Now, when you want to find something special, you ask the toy box a magic question, like "Hey box, can you please find all of my little blue bricks that have four dots?" Asking that special question is like using KQL (Kusto Query Language). The box then listens, and poof! Nothing comes up. After all, you are not collecting any logs yet, because your manager told you not to waste any money on this project. So you found this article, which gave you a false sense of hope that you would learn something useful.
Anyway...
Let's search for Log Analytics Workspace first in portal.azure.com and click on it. From there, navigate to Create.

Choose the previously created resource group, give it a nice name and select the region once again (keep it consistent for the satellite!).

This is how it should look (you remember to click Create now, right?).

To the last step!
We can now create a Microsoft Sentinel instance. Again in the Azure portal, search for Microsoft Sentinel and click Create. Select your workspace and click Add.
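If you would rather not click through the portal a second time (say, to rebuild the lab later), the workspace and Sentinel steps can be expressed as a Bicep template. This is an added example, not part of the original post; the resource group from step one is assumed to already exist, and the workspace name, retention value and API versions are assumptions you should check against the current Azure resource reference.

```bicep
// Added example, not from the original post: steps two and three as a
// Bicep template deployed into the resource group created in step one.
// Deploy with:
//   az deployment group create -g <your-resource-group> -f sentinel-lab.bicep
targetScope = 'resourceGroup'

@description('Name of the Log Analytics workspace Sentinel will sit on (placeholder, pick your own).')
param workspaceName string = 'law-sentinel-lab'

@description('Keep the region consistent with the resource group (the satellite rule).')
param location string = resourceGroup().location

@description('Log retention in days; 30 is a sensible lab default (assumption).')
param retentionInDays int = 30

// Step two: the Log Analytics workspace on the pay-as-you-go pricing tier.
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: {
      name: 'PerGB2018'
    }
    retentionInDays: retentionInDays
  }
}

// Step three: enable Microsoft Sentinel on that workspace. This onboarding
// state resource is what the portal's "Add" button creates for you.
resource sentinel 'Microsoft.SecurityInsights/onboardingStates@2023-02-01' = {
  scope: workspace
  name: 'default'
  properties: {
    customerManagedKey: false
  }
}

// Handy for wiring up data connectors later.
output workspaceResourceId string = workspace.id
```

The deploying identity still needs the permissions listed in the prerequisites above; Bicep does not get around RBAC.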

You've made it! The Sentinel instance is now created, all by you. You are the best, you are strong and independent, and the future is bright.

Don't worry about the cost: you get a 30-day trial during which you can ingest up to 10GB/day. That's a sweet deal to learn everything that Sentinel has to offer.
Read next! - https://www.itprofessor.cloud/sentinel-data-connectors-guide/