
How to Set Up Microsoft Sentinel | Beginner Guide

Published 10 January 2026 · 8 min read

Microsoft Sentinel is a cloud-native SIEM and SOAR platform. It collects security logs from across your Microsoft 365 and Azure environment, runs analytics to detect threats, and lets you investigate from a single console.

Prerequisites and cost

Warning: Sentinel has usage-based costs
Sentinel charges per GB of data ingested. Microsoft 365 data connectors are free for the first 90 days, then billed. Estimate your daily log volume before enabling all connectors.

Create a Log Analytics workspace

Azure portal → Create a resource → Log Analytics workspace
  1. Choose subscription and resource group
  2. Name: sentinel-workspace-prod
  3. Region: UK South for UK organisations
  4. After creating, go to the workspace and click Microsoft Sentinel → Add Microsoft Sentinel

Connect M365 data sources

Sentinel → Content hub → install Microsoft 365 solution pack

Install the solution pack which includes connectors for Office 365, Entra ID, Microsoft 365 Defender, and Defender for Cloud Apps. Go to Data connectors, select each, and click Connect.

Enable analytics rules

Sentinel → Analytics → Rule templates

High-value rules to enable first:
  - Microsoft Security - Defender for Office 365: creates Sentinel incidents from Defender alerts
  - Successful sign-in from IP with failed sign-ins: detects credential spraying
  - Sign-in from IPs attempting disabled accounts
  - Multiple failed authentication from same IP
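To show what a rule like "Successful sign-in from IP with failed sign-ins" does under the hood, here is an added KQL query of my own against the SigninLogs table; it is not the logic of the Microsoft template itself. It flags a successful Entra ID sign-in from an IP address that also produced failed sign-ins for several distinct accounts in the same window; the 5-account threshold and 1-day lookback are assumptions to tune for your tenant.

```kql
// Added example, not the Microsoft rule template: flag a successful sign-in
// from an IP that also failed sign-ins against several distinct accounts.
// Thresholds (5 distinct accounts, 1-day lookback) are assumptions; tune them.
let lookback = 1d;
let minTargetedAccounts = 5;
// Step 1: IPs whose failed sign-ins span many different users (spraying pattern)
let sprayingIPs = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"            // "0" = success; any other code is a failure
    | summarize
        FailedAttempts = count(),
        TargetedAccounts = dcount(UserPrincipalName),
        FailureCodes = make_set(ResultType, 10)
        by IPAddress
    | where TargetedAccounts >= minTargetedAccounts;
// Step 2: successful sign-ins from those same IPs, with the failure context attached
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| join kind=inner sprayingIPs on IPAddress
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName,
          FailedAttempts, TargetedAccounts, FailureCodes
| order by TimeGenerated desc
```

Run it under Logs first to see how many hits it produces in your environment before saving it as a scheduled analytics rule.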

Frequently Asked Questions

Q: Is Microsoft Sentinel the same as Microsoft 365 Defender?

No. M365 Defender is the XDR platform for M365 workloads. Sentinel is a separate SIEM that ingests data from Defender and many other sources.

Q: How much does Sentinel cost?

Pricing is based on data ingestion, approximately £2.30/GB. Use the Sentinel cost estimator at azure.microsoft.com to estimate monthly cost.

Q: What is KQL?

KQL (Kusto Query Language) is the query language for Sentinel. You do not need it to get started - pre-built rules work without it. Learning KQL significantly increases what you can do for threat hunting.
