How to onboard your first Microsoft Sentinel SIEM tool

Security Monitoring


Before jumping into the onboarding of Microsoft Sentinel, let’s understand what Microsoft Sentinel is.

Definition: Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution that delivers intelligent security analytics and threat intelligence.

Why do we use it? It supports the blue team’s defensive security work: attack detection, threat visibility, proactive hunting and threat response.

In this blog we’ll be considering a single-tenant onboarding with a single workspace.

Prerequisites:

  1. Azure subscription
  2. Microsoft Entra ID / tenant ID
  3. Microsoft Sentinel Contributor permission or Owner permission at tenant level
  4. Log Analytics workspace

In this blog I’ll be assuming you have already configured a tenant ID and have a valid Azure subscription.

Onboarding steps:

  1. Log on to the Azure portal
  2. Search for and select Log Analytics workspaces
  3. Select + Create to create a new workspace
  4. Choose your subscription and select a Resource Group
  5. Enter a valid name for the Log Analytics workspace
  6. Select a Region in which to store the logs. Make sure to consider GDPR (data residency) rules if you are deploying for a client
  7. Select Review + create to validate the new workspace, then click Create to deploy the workspace
  8. Wait a few seconds; after the deployment has completed, click Go to resource

Now we have to deploy Microsoft Sentinel to the recently created Log Analytics workspace.

  1. Search for and select Microsoft Sentinel in the Azure portal search box
  2. Click + Create
  3. Select the recently created workspace and click Add
  4. A 31-day free Microsoft Sentinel trial will be added automatically

The next step is assigning a Microsoft Sentinel role to a user.

  1. Go to the Resource Group of the Log Analytics workspace
  2. Select Access control (IAM)
  3. Select Add and then Add role assignment
  4. In the search bar, search for and select the Microsoft Sentinel Contributor role and click Next
  5. Select the option User, group, or service principal
  6. Select + Select members and assign the role to the proper user
  7. Click Review + assign
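The workspace creation, Sentinel enablement and role assignment described above can also be scripted. The following Azure CLI script is an added example and not part of the original post: it assumes a logged-in `az` session, the `sentinel` CLI extension (`az extension add --name sentinel`) for the `onboarding-state` command, and placeholder values (`rg-sentinel-demo`, `law-sentinel-demo`, `analyst@example.com`, the all-zero subscription ID) that you replace with your own. With `DRY_RUN=1` (the default) it prints each command instead of executing it, so the plan can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example (not from the original post): Azure CLI equivalent of the portal steps
# for creating the workspace, enabling Microsoft Sentinel on it and granting the
# Microsoft Sentinel Contributor role. All names below are constructed placeholders.
# DRY_RUN=1 (default) prints the az commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"
LOCATION="${LOCATION:-westeurope}"                    # choose a region that meets your data-residency (GDPR) needs
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-sentinel-demo}"  # placeholder
WORKSPACE="${WORKSPACE:-law-sentinel-demo}"           # placeholder

# Execute an az command, or print it in dry-run mode.
run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: az %s\n' "$*"
  else
    az "$@"
  fi
}

# Resource group that holds the workspace; it is also the scope of the role assignment below.
create_resource_group() {
  run_az group create --name "$RESOURCE_GROUP" --location "$LOCATION" --output none
}

# Log Analytics workspace (portal steps 2-8). Retention is in days; raise it if your
# investigations need more history than 30 days.
create_workspace() {
  run_az monitor log-analytics workspace create \
    --resource-group "$RESOURCE_GROUP" \
    --workspace-name "$WORKSPACE" \
    --location "$LOCATION" \
    --retention-time 30 \
    --output none
}

# Enable Microsoft Sentinel on the workspace (the portal "Add" step).
# Assumes the 'sentinel' CLI extension is installed: az extension add --name sentinel
enable_sentinel() {
  run_az sentinel onboarding-state create \
    --name default \
    --resource-group "$RESOURCE_GROUP" \
    --workspace-name "$WORKSPACE"
}

# Grant Microsoft Sentinel Contributor at resource-group scope rather than
# subscription-wide: the analyst gets what the SOC needs and nothing more.
# $1 = user principal name or object ID, $2 = subscription ID.
assign_sentinel_contributor() {
  run_az role assignment create \
    --assignee "$1" \
    --role "Microsoft Sentinel Contributor" \
    --scope "/subscriptions/$2/resourceGroups/$RESOURCE_GROUP"
}

create_resource_group
create_workspace
enable_sentinel
assign_sentinel_contributor "analyst@example.com" "00000000-0000-0000-0000-000000000000"  # placeholders
```

Run it once as-is to see the four commands it would issue, then `DRY_RUN=0 ./onboard.sh` to apply them. Scoping the role assignment to the resource group keeps the Sentinel Contributor right from spilling over onto unrelated resources in the subscription.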

Now let’s connect a data connector to Sentinel.

  1. Go to Microsoft Sentinel and select the Content hub blade under Content management
  2. Select the Azure Activity data connector and click Install
  3. After successful installation, the Installed connectors count will change to 1
  4. After some time we can check that logs are arriving by querying the Heartbeat table in KQL
  5. For analytics rule creation, visit the Analytics blade under the Configuration tab
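The connector, the Heartbeat check and a first analytics-rule query can be driven from the command line as well. The script below is an added example, not the post’s own: it assumes a logged-in `az` session, placeholder subscription ID, resource group and workspace name, and the workspace’s customer ID (the GUID shown as “Workspace ID” on the workspace overview page) for queries. It sends the subscription’s Activity Log to the workspace through a subscription-level diagnostic setting (the mechanism behind the Azure Activity connector), runs the Heartbeat query, and runs a sample detection query of the kind you would paste into a scheduled analytics rule: successful role-assignment writes, i.e. the very action performed in the previous section, which a SOC wants to see when someone else does it. `DRY_RUN=1` (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post). All IDs and names are constructed placeholders.
# DRY_RUN=1 (default) prints the az commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"            # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-sentinel-demo}"                                  # placeholder
WORKSPACE="${WORKSPACE:-law-sentinel-demo}"                                           # placeholder
WORKSPACE_CUSTOMER_ID="${WORKSPACE_CUSTOMER_ID:-11111111-1111-1111-1111-111111111111}"  # placeholder GUID
LOCATION="${LOCATION:-westeurope}"

# Execute an az command, or print it in dry-run mode.
run_az() {
  if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: az %s\n' "$*"; else az "$@"; fi
}

# Full ARM resource ID of the workspace; diagnostic settings need this form.
workspace_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s' \
    "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$WORKSPACE"
}

# Route the subscription's Activity Log into the workspace (AzureActivity table).
# Administrative, Security and Policy are the categories detections like the one below rely on.
connect_azure_activity() {
  run_az monitor diagnostic-settings subscription create \
    --name send-activity-to-sentinel \
    --location "$LOCATION" \
    --workspace "$(workspace_resource_id)" \
    --logs '[{"category":"Administrative","enabled":true},{"category":"Security","enabled":true},{"category":"Policy","enabled":true},{"category":"Alert","enabled":true}]'
}

# KQL for the post's Heartbeat check: last heartbeat per agent-connected machine.
heartbeat_query() {
  printf '%s' 'Heartbeat | summarize LastHeartbeat = max(TimeGenerated) by Computer | order by LastHeartbeat desc'
}

# KQL suitable for a scheduled analytics rule: successful role-assignment writes in the last hour.
# OperationNameValue casing varies between schema versions, hence the case-insensitive =~ and in~.
role_assignment_query() {
  printf '%s' 'AzureActivity
| where TimeGenerated > ago(1h)
| where OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"
| where ActivityStatusValue in~ ("Success", "Succeeded")
| project TimeGenerated, Caller, CallerIpAddress, ResourceGroup, _ResourceId'
}

# Run a KQL query against the workspace. This command takes the customer ID, not the ARM resource ID.
run_query() {
  run_az monitor log-analytics query --workspace "$WORKSPACE_CUSTOMER_ID" --analytics-query "$1" --output table
}

connect_azure_activity
run_query "$(heartbeat_query)"
run_query "$(role_assignment_query)"
```

Heartbeat rows come from machines reporting through the Azure Monitor agent, while AzureActivity rows come from the connector just installed, so an empty Heartbeat result right after onboarding is expected until an agent is connected; the AzureActivity query is the one that confirms the Azure Activity connector is flowing. The role-assignment query is the kind of content you paste into the Analytics blade as a scheduled rule, with a one-hour query period matching the `ago(1h)` window.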

Thanks for reading the blog; keep learning, keep troubleshooting.