
Task 01: Validate environment and add Microsoft Sentinel

Introduction

Before onboarding Microsoft Sentinel, verify that your core environment and resources created in Exercise 0 are active and properly configured. Then, add Microsoft Sentinel to the existing Log Analytics workspace.

Description

In this task, you’ll confirm the existence of the resource group, workspace, and virtual machine; verify onboarding to Microsoft Defender for Endpoint (MDE); and then attach Microsoft Sentinel to your Log Analytics workspace.

Success criteria

  • Resource group rg-sentinel-lab exists in Azure.
  • Log Analytics workspace law-sentinel-xdr-lab is active in East US 2.
  • VM vm-sentinel-lab appears under Defender for Endpoint > Devices.
  • Microsoft Sentinel is successfully added to the workspace.

Key steps:

  1. Verify that your core environment and resources created in Exercise 0 are active and properly configured.

    1. From the Azure Portal, search for and select Resource Groups.

    2. Confirm that the rg-sentinel-lab resource group exists.

    3. Open the resource group and ensure law-sentinel-xdr-lab is present and in the East US 2 region.

    4. Select the Windows VM and confirm it’s deployed and running.

      [Screenshot: a11.png]

  2. Verify Azure VM onboarding to Defender XDR.

    1. Open a new browser tab and go to https://security.microsoft.com.
    2. In the left menu, select Assets > Devices.
    3. Confirm that your Azure VM (vm-sentinel-lab) appears in the list.

    If Devices isn’t visible in the menu, go to https://security.microsoft.com/machines.

    [Screenshot: a8.png]

    Seeing the VM in the Defender portal confirms successful onboarding through Defender for Cloud.

    If the VM doesn’t appear immediately, allow several minutes for data to propagate from Defender for Cloud to Defender for Endpoint.

    If the VM is not onboarded into MDE after 20-30 minutes, restart the VM.

  3. Add Microsoft Sentinel to the workspace.

    1. In the Azure portal, search for and select Microsoft Sentinel.
    2. On the Microsoft Sentinel page, select + Create.
    3. On the Add Microsoft Sentinel to a workspace page, select your existing workspace law-sentinel-xdr-lab from the list.
    4. Select Add.

    [Screenshot: a12.png]

    Once Sentinel is active, it can receive alerts, incidents, and threat intelligence directly from Defender XDR.
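The success criteria above can also be checked from the command line instead of by clicking through the portal. The script below is an added example, not part of the lab guide: it reads the JSON that `az resource list --resource-group rg-sentinel-lab -o json` prints and maps it to the criteria (workspace present and in East US 2, VM present, Sentinel attached). The inventory embedded in it is constructed so the script runs offline; the Sentinel check relies on the `SecurityInsights(<workspace>)` solution resource that onboarding creates in the workspace's resource group, which is an assumption here and not stated on the page. MDE onboarding is not visible through ARM, so that criterion still has to be confirmed in the Defender portal as step 2 describes.

```python
"""Check the lab's success criteria against the resource inventory of rg-sentinel-lab.

Added example (not part of the lab guide). Consumes the JSON printed by
`az resource list --resource-group rg-sentinel-lab -o json`; falls back to a
constructed inventory so it runs offline.
"""
import json
import subprocess

RESOURCE_GROUP = "rg-sentinel-lab"
WORKSPACE = "law-sentinel-xdr-lab"
VM = "vm-sentinel-lab"
REGION = "eastus2"  # ARM location name for "East US 2"

WORKSPACE_TYPE = "Microsoft.OperationalInsights/workspaces"
VM_TYPE = "Microsoft.Compute/virtualMachines"
SOLUTION_TYPE = "Microsoft.OperationsManagement/solutions"
# Assumption: Sentinel onboarding shows up as this solution resource in the RG.
SENTINEL_SOLUTION = f"SecurityInsights({WORKSPACE})"

# Constructed sample: a trimmed-down `az resource list` output for the lab RG.
SAMPLE_INVENTORY = [
    {"name": WORKSPACE, "type": WORKSPACE_TYPE, "location": REGION, "resourceGroup": RESOURCE_GROUP},
    {"name": VM, "type": VM_TYPE, "location": REGION, "resourceGroup": RESOURCE_GROUP},
    {"name": SENTINEL_SOLUTION, "type": SOLUTION_TYPE, "location": REGION, "resourceGroup": RESOURCE_GROUP},
]


def _find(inventory, name, rtype):
    """Return the resource with this name and ARM type, or None.
    Types are compared case-insensitively because ARM returns mixed casing."""
    for res in inventory:
        if res.get("name") == name and res.get("type", "").lower() == rtype.lower():
            return res
    return None


def evaluate(inventory):
    """Map each success criterion that ARM can answer to True/False."""
    ws = _find(inventory, WORKSPACE, WORKSPACE_TYPE)
    vm = _find(inventory, VM, VM_TYPE)
    sentinel = _find(inventory, SENTINEL_SOLUTION, SOLUTION_TYPE)
    return {
        "workspace_exists": ws is not None,
        "workspace_in_east_us_2": ws is not None and ws.get("location", "").lower() == REGION,
        "vm_exists": vm is not None,
        "sentinel_added": sentinel is not None,
    }


def missing(inventory):
    """Sorted names of the criteria that are not met."""
    return sorted(name for name, ok in evaluate(inventory).items() if not ok)


def load_live_inventory():
    """Query the Azure CLI (needs `az login`); returns [] when az is unavailable."""
    cmd = ["az", "resource", "list", "--resource-group", RESOURCE_GROUP, "-o", "json"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return []
    return json.loads(out.stdout)


if __name__ == "__main__":
    inventory = load_live_inventory() or SAMPLE_INVENTORY
    for criterion, ok in evaluate(inventory).items():
        print(f"{'PASS' if ok else 'FAIL'}  {criterion}")
    # MDE onboarding (VM listed under Defender for Endpoint > Devices) is not an
    # ARM property; confirm it in the Defender portal as in step 2.
```

Run it after `az login`; without the CLI it evaluates the constructed inventory and prints PASS for every criterion, which is the shape of output you want to see before moving on to the connector setup.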

  4. Configure Windows Security Event Collection using Sentinel AMA Connector (Content Hub).

    1. Open a new browser tab, and go to https://security.microsoft.com/.

      If necessary, sign in.

    2. On the left menu, select Microsoft Sentinel > Content Management > Content hub.
    3. In the search box, search for and select Windows security events.

      [Screenshot: Exc1 - Task1- Step4c.png]

    4. Select Install.
    5. Once the install completes, go to Data Connectors.
    6. Select Windows Security Events via AMA.
    7. Select Open Connector page.

      [Screenshot: Exc1 - Task1- Step4g.png]

    8. Select Create data collection rule.

      [Screenshot: Exc1 - Task1- Step4h.png]

    9. In the wizard, on the Basic page, enter the following and select Next: Resources >.

      Item              Value
      Rule name         DCR-SecurityEvents
      Subscription      Choose your subscription
      Resource group    rg-sentinel-lab

      [Screenshot: Exc1 - Task1- Step4i.png]

    10. On the Resources page, expand the subscription and select vm-sentinel-lab to associate the Windows VM with the Azure Monitor Agent.

      [Screenshot: Exc1 - Task1- Step4j.png]

    11. Select Next: Collect.

    12. Choose All Security Events and then select Next: Review + create >.

      [Screenshot: Exc1 - Task1- Step4l.png]

    13. Review the information and select Create.

      [Screenshot: Exc1 - Task1- Step4m.png]
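What the wizard in steps 8 to 13 produces is a data collection rule (DCR) resource: a Windows event log data source with an XPath filter, a Log Analytics destination, and a data flow joining the two. Getting any of those three pieces wrong means the VM is associated with the rule but no rows ever reach the SecurityEvent table, which is easy to miss until the first hunting query comes back empty. The script below is an added example, not the connector's own code: it builds the rule the lab's choices correspond to (rule name DCR-SecurityEvents, "All Security Events", workspace law-sentinel-xdr-lab) and validates that the flow is wired end to end. The stream name `Microsoft-SecurityEvent` and the XPath `Security!*` follow the published DCR schema for `windowsEventLogs`; the subscription id is a placeholder, and the narrower logon-only filter is included only to show how the same structure carries a different XPath.

```python
"""Build and sanity-check the DCR behind "Windows Security Events via AMA".

Added example (not the connector's own code). Values are the lab's; the
subscription id is a placeholder.
"""
import json

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
RESOURCE_GROUP = "rg-sentinel-lab"
WORKSPACE = "law-sentinel-xdr-lab"
RULE_NAME = "DCR-SecurityEvents"
LOCATION = "eastus2"

WORKSPACE_ID = (f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}"
                f"/providers/Microsoft.OperationalInsights/workspaces/{WORKSPACE}")

STREAM = "Microsoft-SecurityEvent"          # stream that lands in the SecurityEvent table
ALL_SECURITY_EVENTS = ["Security!*"]        # the wizard's "All Security Events" choice
# Narrower filter for comparison: interactive/network logons and explicit-credential logons.
LOGON_EVENTS_ONLY = ["Security!*[System[(EventID=4624 or EventID=4625 or EventID=4648)]]"]


def build_dcr(xpaths=ALL_SECURITY_EVENTS):
    """Return the DCR definition as a plain dict (same shape as the ARM resource)."""
    return {
        "location": LOCATION,
        "properties": {
            "dataSources": {"windowsEventLogs": [{
                "name": "eventLogsDataSource",
                "streams": [STREAM],
                "xPathQueries": list(xpaths),
            }]},
            "destinations": {"logAnalytics": [{
                "name": "laDestination",
                "workspaceResourceId": WORKSPACE_ID,
            }]},
            "dataFlows": [{"streams": [STREAM], "destinations": ["laDestination"]}],
        },
    }


def validate_dcr(dcr):
    """Return a list of problems; an empty list means events will actually flow."""
    problems = []
    props = dcr.get("properties", {})

    produced = set()  # streams some data source emits
    for source in props.get("dataSources", {}).get("windowsEventLogs", []):
        produced.update(source.get("streams", []))
        for xpath in source.get("xPathQueries", []):
            if not xpath.startswith("Security!"):
                problems.append(f"xPath does not read the Security log: {xpath}")

    dests = {d["name"]: d for d in props.get("destinations", {}).get("logAnalytics", [])}
    expected_suffix = f"/workspaces/{WORKSPACE}".lower()
    for name, dest in dests.items():
        if not dest.get("workspaceResourceId", "").lower().endswith(expected_suffix):
            problems.append(f"destination {name} does not point at {WORKSPACE}")

    flows = props.get("dataFlows", [])
    if not flows:
        problems.append("no dataFlows: nothing will be forwarded")
    for flow in flows:
        for stream in flow.get("streams", []):
            if stream not in produced:
                problems.append(f"dataFlow references stream {stream} that no data source produces")
        for dest in flow.get("destinations", []):
            if dest not in dests:
                problems.append(f"dataFlow references unknown destination {dest}")
    return problems


def write_rule_file(path, xpaths=ALL_SECURITY_EVENTS):
    """Write the definition to disk for a CLI or template deployment; returns the dict."""
    dcr = build_dcr(xpaths)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(dcr, fh, indent=2)
    return dcr


if __name__ == "__main__":
    rule = build_dcr()
    print(json.dumps(rule, indent=2))
    print("problems:", validate_dcr(rule) or "none")
```

The same definition can be deployed without the wizard: write it out with `write_rule_file("dcr.json")` and pass the file to `az monitor data-collection rule create` (the `--rule-file` parameter of the Azure CLI `monitor-control-service` extension, as I understand it), then associate the VM with `az monitor data-collection rule association create`. Whichever route you take, run the validator on the rule you end up with; a typo in a destination name is the kind of error the portal accepts silently.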