This project is designed to help beginners, or anyone new to Microsoft Sentinel, set up a small home lab on the Azure free trial (the $200 credit Microsoft provides is enough to cover it).
Table of Contents
The project was made to help people who want hands-on experience setting up and using a SIEM. It covers enabling and installing data connectors, building a detection rule with KQL, and verifying that logs are being ingested into Sentinel.
To get started, sign up for an Azure free trial and set the account up. The $200 credit is valid for 30 days and is granted once per customer.
- You will need to create a resource group and a Log Analytics workspace. Search for Resource Groups and Log Analytics Workspaces in the search bar at the top of the portal.
- Once you've built both, you have the workspace that Sentinel will, so to speak, link itself to: Sentinel is enabled on top of a Log Analytics workspace, and that workspace is where all the logs actually live. The page should look like this:
- Now you can search for Microsoft Sentinel & simply select the new workspace you've created & your page should look similar to this one:
- But.. Jack, I've loaded Sentinel & there's nothing here.. that is because we will need to set up data connectors to ingest data. Your page should look something like this.
- Visit the Content Hub on the left side to see all the available solutions and connectors. Note that in this tutorial we're only using the free ones; the solutions cost nothing to install, but the data they ingest is billed per GB once you exceed the trial allowance, so keep an eye on the workspace's Usage and estimated costs blade. Pick the ones you want, press Install, and go make a cup of tea, coffee or your favourite drink.
- Whilst we're waiting on those to install, we want to ingest some logs from our very first device (woohoo!), so I've simply chosen a Windows 10 machine and ingested its data into Sentinel. (Yes, I've exposed the device to the public internet, but that's to get some failed RDP attempts.) If you do the same, use a long, unique password, restrict the NSG inbound rule to your own IP once you've collected the failed logons you wanted, and delete the VM when you're done; an internet-facing RDP port will be brute-forced within minutes.
- Once the VM is up, go back to Content Hub and install the Windows Security Events solution. In this tutorial we'll use the Windows Security Events via AMA connector, as the legacy connector relied on the Log Analytics agent (MMA), which Microsoft retired in August 2024. After the install, create a data collection rule (DCR): this is what tells the Azure Monitor Agent on the VM which event categories to forward into the workspace. Your page should look something like this:
- Select the VM whose events you want in Sentinel. We only have one, so it should look like this:
- Give the collection rule a few moments to kick into gear and you should receive data shortly. To check, go to Logs and run a query against the SecurityEvent table (the table name is singular) to confirm Windows Security Event logs are arriving. This is how mine looks:
- Let's say you now want to turn a query into a detection rule. From the Logs page press New alert rule and choose Create Microsoft Sentinel alert, which opens the scheduled rule wizard. Your page should look like this: Name the rule whatever you'd like; for example, I named mine Successful Local Logins. Narrow the query before you save it: a bare SecurityEvent query matches every event and would fire constantly, so filter on EventID 4624 (successful logon) and the logon types you care about, and set the rule's run frequency and lookback to match.
- Once you've configured the rule, give it a moment to kick in and it should appear under Analytics rules.
- After a brief wait, your incident queue should show an incident for successful local logins to the VM you created earlier.
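Worked KQL for the two steps above, checking that events are actually arriving and the query I'd put behind a rule named Successful Local Logins, added here as an example; it is not the query from the original page, whose exact text isn't shown. It assumes the SecurityEvent and Heartbeat tables populated by the DCR above, and the excluded account names are Windows built-ins that log on with LogonType 2 on every boot (add your own service accounts as needed). Run each query separately in the Logs page (select it before pressing Run).

```kql
// Added example, not the original page's query.
// 1. Is the Azure Monitor Agent alive? AMA writes a Heartbeat row roughly once a minute.
//    A stale LastHeartbeat points at the agent or DCR association, not the connector.
Heartbeat
| where TimeGenerated > ago(1h)
| summarize LastHeartbeat = max(TimeGenerated) by Computer, Category, Version
| extend MinutesSinceHeartbeat = datetime_diff('minute', now(), LastHeartbeat)

// 2. Which security events are flowing? Counting by EventID shows which of the DCR's
//    categories are really being collected (4624 logon success, 4625 logon failure,
//    4672 special privileges assigned, 4688 process creation if auditing is enabled).
SecurityEvent
| where TimeGenerated > ago(1h)
| summarize Events = count(), First = min(TimeGenerated), Last = max(TimeGenerated)
    by Computer, EventID, Activity
| order by Events desc

// 3. Rule query for "Successful Local Logins". 4624 is a successful logon; LogonType 2 is
//    interactive at the console and 10 is RemoteInteractive (RDP). Network (3), service (5)
//    and batch (4) logons are noise on a lab box, machine accounts end in "$", and DWM/UMFD
//    are the desktop window manager and font driver host accounts that log on at every boot.
let lookback = 5m;   // keep equal to the wizard's "Lookup data from the last" setting
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624
| where LogonType in (2, 10)
| where TargetUserName !endswith "$"
| where TargetUserName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "DWM-1", "UMFD-0", "UMFD-1")
| extend LogonKind = iff(LogonType == 2, "Console", "RDP")
| project TimeGenerated, Computer, TargetDomainName, TargetUserName, LogonKind,
          IpAddress, WorkstationName, LogonProcessName, AuthenticationPackageName
// In the wizard map entities as Account -> TargetUserName + TargetDomainName,
// Host -> Computer, IP -> IpAddress, so the incident shows who logged in from where.

// 4. Companion rule for the failed RDP attempts the exposed VM attracts. 4625 is a failed
//    logon; with Network Level Authentication on, RDP failures are logged as LogonType 3
//    (CredSSP pre-auth) rather than 10. Group by source address and alert past a threshold.
let window = 15m;
let threshold = 10;   // assumed value; tune to what your VM actually sees
SecurityEvent
| where TimeGenerated > ago(window)
| where EventID == 4625
| where LogonType in (3, 10)
| summarize Failures = count(), Accounts = make_set(TargetUserName, 20),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by IpAddress, Computer
| where Failures > threshold
| order by Failures desc
```

Queries 1 and 2 belong in the Logs page; 3 and 4 are each a separate scheduled rule. The `ago()` filter inside a rule query is harmless because the wizard's lookback already bounds the data, but it keeps the query honest when you test it by hand. If query 3 returns nothing, log on to the VM over RDP once and re-run it; that single 4624 with LogonType 10 is the event that becomes your first incident.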
And voila! You've set up your very first Sentinel instance! I hope you found this useful!