![\"Screenshot](\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/media\/quickstart-onboard\/search-product.png\")
<\/li>![\"Screenshot](\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/media\/quickstart-onboard\/choose-workspace.png\")
- The default workspaces created by Microsoft Defender for Cloud aren’t shown in the list. You can’t install Microsoft Sentinel on these workspaces.<\/li>
- Once deployed on a workspace, Microsoft Sentinel doesn’t currently support<\/strong> moving that workspace to another resource group or subscription.<\/li><\/ul><\/li>
- Select Add Microsoft Sentinel<\/strong>.<\/li><\/ol>\n\n\n\n
<\/a><\/p>\n\n\n\n
Install a solution from the content hub<\/h2>\n\n\n\n
The content hub in Microsoft Sentinel is the centralized location to discover and manage out-of-the-box content including data connectors. For this quickstart, install the solution for Azure Activity.<\/p>\n\n\n\n
- In Microsoft Sentinel, select Content hub<\/strong>.<\/li>
- Find and select the Azure Activity<\/strong> solution.
![\"Screenshot](\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/media\/quickstart-onboard\/content-hub-azure-activity.png\")
<\/li>- On the toolbar at the top of the page, select
![](\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/media\/quickstart-onboard\/install-update-button.png\")
Install\/Update<\/strong>.<\/li><\/ol>\n\n\n\n<\/a><\/p>\n\n\n\n
Set up the data connector<\/h2>\n\n\n\n
Microsoft Sentinel ingests data from services and apps by connecting to the service and forwarding the events and logs to Microsoft Sentinel. For this quickstart, install the data connector to forward data for Azure Activity to Microsoft Sentinel.<\/p>\n\n\n\n
- In Microsoft Sentinel, select Data connectors<\/strong>.<\/li>
- Search for and select the Azure Activity<\/strong> data connector.<\/li>
- In the details pane for the connector, select Open connector page<\/strong>.<\/li>
- Review the instructions to configure the connector.<\/li>
- Select Launch Azure Policy Assignment Wizard<\/strong>.<\/li>
- On the Basics<\/strong> tab, set the Scope<\/strong> to the subscription and resource group that has activity to send to Microsoft Sentinel. For example, select the subscription that contains your Microsoft Sentinel instance.<\/li>
- Select the Parameters<\/strong> tab.<\/li>
- Set the Primary Log Analytics workspace<\/strong>. This should be the workspace where Microsoft Sentinel is installed.<\/li>
- Select Review + create<\/strong> and Create<\/strong>.<\/li><\/ol>\n\n\n\n
<\/a><\/p>\n\n\n\n
Generate activity data<\/h2>\n\n\n\n
Let’s generate some activity data by enabling a rule that was included in the Azure Activity solution for Microsoft Sentinel. This step also shows you how to manage content in the content hub.<\/p>\n\n\n\n
- In Microsoft Sentinel, select Content hub<\/strong>.<\/li>
- Find and select the Azure Activity<\/strong> solution.<\/li>
- From the right-hand side pane, select Manage<\/strong>.<\/li>
- Find and select the rule template Suspicious Resource deployment<\/strong>.<\/li>
- Select Configuration<\/strong>.<\/li>
- Select the rule and Create rule<\/strong>.<\/li>
- On the General<\/strong> tab, change the Status<\/strong> to enabled. Leave the rest of the default values.<\/li>
- Accept the defaults on the other tabs.<\/li>
- On the Review and create<\/strong> tab, select Create<\/strong>.<\/li><\/ol>\n\n\n\n
<\/a><\/p>\n\n\n\n
View data ingested into Microsoft Sentinel<\/h2>\n\n\n\n
Now that you’ve enabled the Azure Activity data connector and generated some activity data let’s view the activity data added to the workspace.<\/p>\n\n\n\n
- In Microsoft Sentinel, select Data connectors<\/strong>.<\/li>
- Search for and select the Azure Activity<\/strong> data connector.<\/li>
- In the details pane for the connector, select Open connector page<\/strong>.<\/li>
- Review the Status<\/strong> of the data connector. It should be Connected<\/strong>.
![\"Screenshot](\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/media\/quickstart-onboard\/azure-activity-connected-status.png\")
<\/li>- In the left-hand side pane above the chart, select Go to log analytics<\/strong>.<\/li>
- On the top of the pane, next to the New query 1<\/strong> tab, select the +<\/strong> to add a new query tab.<\/li>
- In the query pane, run the following query to view the activity date ingested into the workspace.KustoCopy
AzureActivity <\/code>![\"Screenshot](\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/media\/quickstart-onboard\/azure-activity-logs-query.png\")
<\/li><\/ol>\n\n\n\n<\/a><\/p>\n\n\n\n
Next steps<\/h2>\n\n\n\n
In this quickstart, you enabled Microsoft Sentinel and installed a solution from the content hub. Then, you set up a data connector to start ingesting data into Microsoft Sentinel. You also verified that data is being ingested by viewing the data in the workspace.<\/p>\n\n\n\n
- To visualize the data you’ve collected by using the dashboards and workbooks, see\u00a0Visualize collected data<\/a>.<\/li>
- To detect threats by using analytics rules, see\u00a0Tutorial: Detect threats by using analytics rules in Microsoft Sentinel<\/a>.<\/li><\/ul>\n\n\n\n
Ref: Quickstart: Onboard in Microsoft Sentinel | Microsoft Learn<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
To get started, add Microsoft Sentinel to an existing workspace or create a new one. Sign in to the Azure portal. Search for and select Microsoft Sentinel. Select Add. Select the workspace you want to use or create a new one. You can run Microsoft Sentinel on more than one workspace, but the data is isolated to a Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1249,1526,10],"tags":[1727],"class_list":["post-4964","post","type-post","status-publish","format-standard","hentry","category-azure-microsoft","category-microsoft-defender","category-microsoft","tag-enable-microsoft-sentinel"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4964","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4964"}],"version-history":[{"count":1,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4964\/revisions"}],"predecessor-version":[{"id":4965,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4964\/revisions\/4965"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4964"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4964"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4964"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- To detect threats by using analytics rules, see\u00a0Tutorial: Detect threats by using analytics rules in Microsoft Sentinel<\/a>.<\/li><\/ul>\n\n\n\n
- Search for and select the Azure Activity<\/strong> data connector.<\/li>
- Find and select the Azure Activity<\/strong> solution.<\/li>
- Search for and select the Azure Activity<\/strong> data connector.<\/li>
- Find and select the Azure Activity<\/strong> solution.
- Select Add Microsoft Sentinel<\/strong>.<\/li><\/ol>\n\n\n\n