Azure – A new security capability is now available in preview: Azure Sentinel

Azure Sentinel is a cloud-based  security information event management (SIEM) and security orchestrator automated response (SOAR)  providing you security analytics and threats intelligence from a single point.

During the preview, Azure Sentinel is free of charge. Final pricing will be announced at a later stage; data import from Office 365 is free.

To start using it and evaluate it, connect to with your Azure administrator account start the creation of Azure Sentinel Workspace


You can also search for Azure Sentinel from your Azure portal


You can then either connect to an existing Azure Log Analytic workspace or create a new one

NOTE the default workspaces created by Azure Security Center are not available and can not be used with Sentinel


Once Azure Sentinel is connected to the Log Analytic you can connect to your data sources – both from cloud services and on-premises system.


Select the data source from the available connectors – from Microsoft to Amazon Web Services, Fortinet or Cisco.


The configuration of each connector depends off course of the product/solution you are connecting to

If you are using an existing Log Analytics workspace you may already have some data imported. In this case the connector is showing Configure instead of Not Connected


If you select a connector already connected. you may go to the configuration to see if additional recommendations are available – for example my Azure Active Directory connector told me to install 2 additional dashboards: Azure AD Audit logs and Azure AD Sign-in logs

After you have connected your data sources you can start using the Overview, Dashboards or Queries (Hunting) to get security insights


You can then setup automated response using Notebooks or Playbooks

Leave a Comment

Your email address will not be published. Required fields are marked *