Azure Sentinel is a cloud-based security information and event management (SIEM) and security orchestration, automation and response (SOAR) service that provides security analytics and threat intelligence from a single point.
During the preview, Azure Sentinel is free of charge. Final pricing will be announced at a later stage; data import from Office 365 is free.
To start using and evaluating it, connect to https://aka.ms/microsoftazuresentinel with your Azure administrator account and start the creation of an Azure Sentinel workspace.
You can also search for Azure Sentinel from your Azure portal.
You can then either connect to an existing Azure Log Analytics workspace or create a new one.
NOTE: the default workspaces created by Azure Security Center are not available and cannot be used with Sentinel.
Once Azure Sentinel is connected to the Log Analytics workspace, you can connect your data sources, both from cloud services and from on-premises systems.
Select the data source from the available connectors, which range from Microsoft to Amazon Web Services, Fortinet or Cisco.
The configuration of each connector depends, of course, on the product or solution you are connecting to.
If you are using an existing Log Analytics workspace, you may already have some data imported. In this case the connector shows Configure instead of Not Connected.
If you select a connector that is already connected, you may go to its configuration to see if additional recommendations are available. For example, my Azure Active Directory connector told me to install two additional dashboards: Azure AD Audit logs and Azure AD Sign-in logs.
After you have connected your data sources, you can start using the Overview, Dashboards or Queries (Hunting) to get security insights.
You can then set up automated response using Notebooks or Playbooks.
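As an added example (not from the original post and not Microsoft's own content), here is a hunting query in Kusto Query Language (KQL) of the kind you can run from the Queries (Hunting) blade once the Azure Active Directory connector is feeding the workspace. It assumes sign-in events land in the workspace's `SigninLogs` table (the table behind the Azure AD Sign-in logs dashboard mentioned above); the 1-day lookback, 1-hour bucket and threshold of 10 distinct accounts per source IP are arbitrary values chosen for illustration and should be tuned to your tenant.

```kql
// Added example, not from the original post: hunt for password-spray style
// activity in the Azure AD Sign-in logs (SigninLogs table, populated by the
// Azure Active Directory connector).
// In SigninLogs, ResultType "0" is a successful sign-in; any other value is a failure.
let lookback  = 1d;   // how far back to search (assumed value)
let window    = 1h;   // bucket size for counting failures (assumed value)
let threshold = 10;   // distinct accounts per source IP per bucket before we care (assumed value)
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"                       // failed sign-ins only
| summarize FailedAttempts = count(),
            DistinctUsers  = dcount(UserPrincipalName),
            Users          = make_set(UserPrincipalName, 20),   // sample of targeted accounts
            Reasons        = make_set(ResultDescription, 5)     // why the sign-ins failed
    by IPAddress, bin(TimeGenerated, window)
| where DistinctUsers >= threshold               // one IP failing against many accounts
| order by DistinctUsers desc, FailedAttempts desc
```

A single IP that fails against many different accounts within one bucket is the signature of a spray rather than one user mistyping a password; the Reasons column helps you separate genuine bad-password attempts from noise such as conditional access blocks, and any IP this returns is worth re-querying for a subsequent successful sign-in (ResultType "0") from the same address.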