Microsoft Sentinel onboarding

How to onboard Microsoft Sentinel — workspace setup, data connectors, and starting analytic rules.

Microsoft Sentinel is Microsoft's cloud-native SIEM, and for organisations using Microsoft 365 it's increasingly the right SOC platform. Standing up Sentinel for the first time has a learning curve, but the foundational onboarding follows a predictable sequence.

Prerequisites

Before starting:

  • Azure subscription — Sentinel runs as an Azure resource backed by a Log Analytics workspace.
  • Log Analytics workspace — Sentinel sits on top of one.
  • Tenant admin or Global Reader access for connecting Microsoft 365 sources.
  • Decision on data residency — workspace region selection.
  • Initial budget — Sentinel bills by ingested data volume.

Workspace setup

  1. Create a Log Analytics workspace in Azure, in your chosen region.
  2. Enable Microsoft Sentinel on that workspace.
  3. Configure access — analyst roles for the SOC team, admin roles for setup.
  4. Set up data residency appropriate to your regulatory requirements.

Connecting data sources

Sentinel's value comes from the data it ingests. Connect sources in priority order:

Microsoft 365 sources (typically free)

  • Microsoft 365 Defender — XDR alerts and raw events.
  • Microsoft 365 audit logs — Office 365 activity.
  • Microsoft Entra ID — sign-in logs, audit logs.
  • Microsoft Defender for Cloud — Azure security signals.

Most Microsoft sources are free to ingest, making them the natural starting point.

Third-party sources (billable)

  • Firewall logs — Palo Alto, Cisco, Check Point, Fortinet via Syslog or specific connectors.
  • Cloud platforms — AWS, GCP for cross-cloud security visibility.
  • Custom applications — via Logic Apps, Function Apps, or the Sentinel REST API.
  • Threat intelligence — TAXII feeds.

Connect what's high-value first; expand over time as budget allows.

Initial analytic rules

Sentinel ships hundreds of analytic rules in the content hub. For initial deployment:

  1. Browse the content hub for Microsoft 365 and Defender solutions.
  2. Install the relevant solutions — they include rules, workbooks, playbooks.
  3. Enable selected rules — start with high-fidelity, low-false-positive rules.
  4. Tune over weeks — adjust thresholds, suppress known-good patterns.
  5. Add custom rules as your SOC matures.

Don't try to enable everything on day one — you'll drown in alerts. Start narrow; expand as you tune.

Workbooks and dashboards

Sentinel workbooks are interactive dashboards. The content hub provides pre-built workbooks for:

  • Microsoft 365 Defender — incident overview, threat trends.
  • Entra ID — sign-in patterns, anomalies.
  • Network traffic — for connected firewalls.
  • Cloud security posture — for Defender for Cloud.

Pin the relevant ones to the workspace home for daily visibility.

Playbooks (SOAR)

Sentinel playbooks are Logic Apps that automate responses. Pre-built playbooks include:

  • Block sender in Exchange Online for confirmed phishing.
  • Isolate device via Defender for Endpoint.
  • Disable account in Entra ID.
  • Notify team via Teams.
  • Create ServiceNow incident for case management.

Configure playbooks with care — automated response to false positives causes real damage.

Cost management

Sentinel bills by ingested GB per day:

  • Microsoft 365 sources are typically free (where applicable).
  • Other sources are billable; commitment tiers reduce per-GB cost.
  • Retention beyond 90 days incurs additional cost.

Monitor ingestion volume in the workspace's Usage and estimated costs dashboard. Surprise bills from sudden ingestion spikes are common; alerting on volume thresholds catches them.
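An added example of the volume-threshold alerting mentioned above (not from the original page or from Microsoft's content hub): a KQL query over the built-in Usage table that can be scheduled as an analytic rule or a Log Analytics alert. The 14-day baseline, the 2x spike factor and the 1 GB floor are assumed starting values to tune per workspace.

```kql
// Hypothetical scheduled query: flag any data type whose billable ingestion in the
// last 24 hours exceeds twice its 14-day daily average (and at least 1 GB).
// Usage.Quantity is reported in MB, so divide by 1024 to get GB.
let lookback = 14d;        // assumed baseline window
let spike_factor = 2.0;    // assumed multiplier over baseline
let min_gb = 1.0;          // assumed floor so tiny tables do not page the SOC
// Average daily billable GB per data type over the baseline window,
// excluding the most recent day so the spike does not inflate its own baseline.
let baseline = Usage
    | where TimeGenerated between (ago(lookback + 1d) .. ago(1d))
    | where IsBillable == true
    | summarize BaselineGB = sum(Quantity) / 1024.0 / 14.0 by DataType;
// Billable GB ingested in the last 24 hours, per data type.
Usage
| where TimeGenerated > ago(1d)
| where IsBillable == true
| summarize TodayGB = sum(Quantity) / 1024.0 by DataType
| join kind=leftouter baseline on DataType
// A data type with no history is a brand-new source: treat its baseline as zero
// so any ingestion above the floor surfaces for review.
| extend BaselineGB = coalesce(BaselineGB, 0.0)
| where TodayGB >= min_gb and TodayGB > BaselineGB * spike_factor
| extend Ratio = iff(BaselineGB > 0.0, TodayGB / BaselineGB, real(null))
| project DataType, TodayGB = round(TodayGB, 2), BaselineGB = round(BaselineGB, 2), Ratio = round(Ratio, 1)
| order by TodayGB desc
```

Run it once a day with an alert on any returned row; a new connector or a misconfigured Syslog forwarder shows up as a row whose baseline is zero or whose ratio is well above the spike factor.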

Unified Defender + Sentinel portal

Sentinel now integrates into the Defender XDR portal at security.microsoft.com. Analysts work in a unified surface — Defender's first-party signals plus Sentinel's broader telemetry — without switching consoles. Same KQL hunting; same incident model; same response actions.

For organisations already using Defender XDR, the integration makes Sentinel onboarding feel like extending what's already there rather than learning a separate tool.

Operational considerations

  • Designate Sentinel ownership — a named team or person.
  • Define analyst tier model — who handles what severity.
  • Establish response time targets — SLA for critical / high / medium / low.
  • Document the runbook — what to do when each kind of alert fires.
  • Continuous improvement — quarterly review of detections and tuning.

For Microsoft 365 customers building a serious SOC capability, Sentinel is increasingly the standard platform. The initial setup is moderate; the value compounds as more sources are connected and the team gains KQL fluency.