
Azure Sentinel for SIEM - Commands & Configuration

Introduction
Azure Sentinel (renamed Microsoft Sentinel in 2021; the CLI commands below still use the `sentinel` name) is Microsoft's cloud-native SIEM and SOAR service. It ingests logs from cloud and on-premises sources into a Log Analytics workspace, runs analytics rules over that data to raise alerts and incidents, and lets you automate the response, so you can detect and contain a threat before it causes harm.
When you want to see security alerts from your cloud and on-premises systems in one place instead of in each product's own console.
When you need to investigate suspicious activity across multiple data sources with a single query language (KQL) over one workspace.
When you want to automate responses to common security threats (automation rules and playbooks) to save analyst time.
When you want to use built-in analytics rule templates and behavior analytics to detect unusual activity without writing every detection yourself.
When you need to keep security incidents and their evidence on record for compliance reporting and audits.
Commands
Log in to your Azure account to start managing resources like Azure Sentinel. By default `az login` opens a browser; on a headless host or over SSH, run `az login --use-device-code` to get the device-code prompt shown below.
Terminal
az login
Expected Output
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ABCD1234 to authenticate. [ { "cloudName": "AzureCloud", "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "isDefault": true, "name": "Example Subscription", "state": "Enabled", "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "user": { "name": "user@example.com", "type": "user" } } ]
Create a resource group to hold your Azure Sentinel workspace and related resources.
Terminal
az group create --name example-sentinel-rg --location eastus
Expected Output
{ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example-sentinel-rg", "location": "eastus", "name": "example-sentinel-rg", "properties": { "provisioningState": "Succeeded" }, "tags": {}, "type": "Microsoft.Resources/resourceGroups" }
--name - Specifies the name of the resource group.
--location - Specifies the Azure region where the group is created.
Create a Log Analytics workspace where Azure Sentinel will store and analyze security data.
Terminal
az monitor log-analytics workspace create --resource-group example-sentinel-rg --workspace-name example-law --location eastus
Expected Output
{ "customerId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "location": "eastus", "name": "example-law", "resourceGroup": "example-sentinel-rg", "sku": { "name": "PerGB2018" }, "type": "Microsoft.OperationalInsights/workspaces" }
--resource-group - Specifies the resource group for the workspace.
--workspace-name - Names the Log Analytics workspace.
--location - Sets the Azure region for the workspace.
Enable Azure Sentinel on the Log Analytics workspace to start collecting and analyzing security data. The `az sentinel` command group lives in the `sentinel` CLI extension (install it once with `az extension add --name sentinel`), and onboarding is expressed as an onboarding state named `default` on the workspace.
Terminal
az sentinel onboarding-state create --name default --resource-group example-sentinel-rg --workspace-name example-law
Expected Output
{ "customerManagedKey": false, "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example-sentinel-rg/providers/Microsoft.OperationalInsights/workspaces/example-law/providers/Microsoft.SecurityInsights/onboardingStates/default", "name": "default", "resourceGroup": "example-sentinel-rg", "type": "Microsoft.SecurityInsights/onboardingStates" }
--name - The onboarding state name; Sentinel expects default.
--resource-group - Specifies the resource group of the workspace.
--workspace-name - Specifies the workspace to enable Sentinel on.
List the data connectors already configured on the workspace. Connectors are added through the portal or with `az sentinel data-connector create`, so a freshly onboarded workspace returns an empty list; use this command afterwards to confirm which sources (and which data types within each source) are actually feeding the workspace.
Terminal
az sentinel data-connector list --resource-group example-sentinel-rg --workspace-name example-law
Expected Output
[ { "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example-sentinel-rg/providers/Microsoft.OperationalInsights/workspaces/example-law/providers/Microsoft.SecurityInsights/dataConnectors/AzureActiveDirectory", "name": "AzureActiveDirectory", "kind": "AzureActiveDirectory", "properties": { "dataTypes": { "signInLogs": { "state": "Enabled" }, "auditLogs": { "state": "Enabled" } }, "connectorId": "AzureActiveDirectory" } } ]
--resource-group - Specifies the resource group of the workspace.
--workspace-name - Specifies the workspace to list connectors for.
Key Concept

If you remember nothing else from this pattern, remember: Azure Sentinel is a layer on top of a Log Analytics workspace. The workspace stores and indexes the data; Sentinel adds the connectors, analytics rules, incidents and automation on top of it, so every command targets the workspace by resource group and name.

Common Mistakes
Trying to enable Azure Sentinel without first creating a Log Analytics workspace.
Azure Sentinel requires a Log Analytics workspace to store and analyze data, so enabling it without one fails.
Always create a Log Analytics workspace first, then enable Azure Sentinel on it.
Not logging into Azure CLI before running commands.
Without logging in, commands cannot authenticate and fail with an error telling you to run 'az login'.
Run 'az login' and complete authentication before managing Azure resources.
Running `az sentinel` commands without the extension installed.
The `sentinel` command group is an Azure CLI extension, not part of the core CLI, so the commands are reported as unrecognized until it is installed.
Run `az extension add --name sentinel` once on the machine you manage Sentinel from.
Using inconsistent resource group or workspace names across commands.
Commands fail if they reference a resource group or workspace that does not exist, and a mistyped name can silently create a second workspace that Sentinel is never enabled on.
Use consistent names for resource groups and workspaces in all commands, ideally set once in shell variables.
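The five commands above, and the Common Mistakes just listed, fit naturally into one idempotent onboarding script. The script below is an added example, not code from the original page or from Microsoft; it assumes the Azure CLI is installed, that the caller has Contributor rights on the subscription, and it uses the page's `example-sentinel-rg` / `example-law` names only as defaults. The function names, the 90-day default retention and the name/retention validators are this example's own choices; the validators encode the documented Log Analytics limits (workspace names of 4 to 63 alphanumerics or hyphens that start and end with an alphanumeric; retention between 30 and 730 days).

```shell
#!/usr/bin/env bash
# Idempotent Microsoft Sentinel onboarding with the Azure CLI.
# Added example; assumes: Azure CLI installed, caller logged in with
# Contributor on the subscription. Every step is safe to re-run.
set -eu

# Log Analytics workspace name rule: 4-63 chars, letters/digits/hyphens,
# first and last char alphanumeric. Pure check, no az call.
valid_workspace_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9-]{2,61}[A-Za-z0-9]$'
}

# Workspace retention must be an integer number of days between 30 and 730.
valid_retention_days() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 30 ] && [ "$1" -le 730 ]
}

# Fail early with a clear message instead of an auth error on a later step.
require_login() {
  if ! sub_id=$(az account show --query id --output tsv 2>/dev/null); then
    echo "Not logged in: run 'az login' (or 'az login --use-device-code') first." >&2
    return 1
  fi
  echo "Using subscription $sub_id"
}

# 'az sentinel' is an extension; install it only if it is missing.
ensure_sentinel_extension() {
  az extension show --name sentinel >/dev/null 2>&1 || az extension add --name sentinel
}

ensure_group() {   # $1 resource group, $2 location
  if [ "$(az group exists --name "$1")" = "true" ]; then
    echo "Resource group $1 already exists"
  else
    az group create --name "$1" --location "$2" --output none
  fi
}

ensure_workspace() {   # $1 rg, $2 workspace, $3 location, $4 retention days
  if az monitor log-analytics workspace show --resource-group "$1" --workspace-name "$2" >/dev/null 2>&1; then
    echo "Workspace $2 already exists"
  else
    az monitor log-analytics workspace create --resource-group "$1" --workspace-name "$2" \
      --location "$3" --retention-time "$4" --output none
  fi
}

# Onboarding is modelled as an onboarding state named "default".
enable_sentinel() {   # $1 rg, $2 workspace
  if az sentinel onboarding-state show --name default --resource-group "$1" --workspace-name "$2" >/dev/null 2>&1; then
    echo "Sentinel already enabled on $2"
  else
    az sentinel onboarding-state create --name default --resource-group "$1" --workspace-name "$2" --output none
  fi
}

# Verify what is actually feeding the workspace (empty on a fresh workspace).
show_connectors() {   # $1 rg, $2 workspace
  az sentinel data-connector list --resource-group "$1" --workspace-name "$2" \
    --query "[].{name:name, kind:kind}" --output table
}

main() {
  if [ $# -lt 2 ]; then
    echo "usage: $0 <resource-group> <workspace-name> [location] [retention-days]" >&2
    echo "example: $0 example-sentinel-rg example-law eastus 90" >&2
    return 0
  fi
  rg=$1; ws=$2; location=${3:-eastus}; retention=${4:-90}
  valid_workspace_name "$ws" || { echo "invalid workspace name: $ws" >&2; return 1; }
  valid_retention_days "$retention" || { echo "retention must be 30-730 days: $retention" >&2; return 1; }
  require_login
  ensure_sentinel_extension
  ensure_group "$rg" "$location"
  ensure_workspace "$rg" "$ws" "$location" "$retention"
  enable_sentinel "$rg" "$ws"
  show_connectors "$rg" "$ws"
}

main "$@"
```

Run it as `bash onboard-sentinel.sh example-sentinel-rg example-law eastus 90`; with no arguments it only prints usage. Each step checks for the resource before creating it, so re-running after a partial failure picks up where it stopped, and the name check runs before any Azure call so a typo cannot create a stray second workspace.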
Summary
Log in to Azure CLI to authenticate your session.
Create a resource group and a Log Analytics workspace to hold your security data.
Enable Azure Sentinel on the workspace (via the sentinel extension's onboarding state) to start monitoring.
List the workspace's data connectors to verify which data sources are feeding it.