June 8, 2023 (updated January 15, 2024)

Microsoft Sentinel All-in-One v2

Update Jan 15th, 2024: There is a good Microsoft Sentinel All-in-One deployment guide available on YouTube, made by Peter Rising.

What is Microsoft Sentinel?

Microsoft Sentinel is a cloud-native SIEM (security information and event management) system that a security operations team can use to:

- Get security insights across the enterprise by collecting data from virtually any source.
- Detect and investigate threats quickly by using built-in machine learning and Microsoft threat intelligence.
- Automate threat responses by using playbooks and by integrating Azure Logic Apps.

Unlike with traditional SIEM solutions, you don't need to install any servers, either on-premises or in the cloud, to run Microsoft Sentinel. Microsoft Sentinel is a service that you deploy in Azure. You can get up and running with Sentinel in just a few minutes in the Azure portal.

Microsoft Sentinel is tightly integrated with other cloud services. Not only can you quickly ingest logs, but you can also use other cloud services natively (for example, authorization and automation).

Microsoft Sentinel helps you enable end-to-end security operations, including collection, detection, investigation, and response.

What is the Microsoft Sentinel All-in-One setup?

Microsoft Sentinel All-in-One is aimed at helping customers and partners quickly set up a full-fledged Microsoft Sentinel environment that is ready to use. It reduces deployment and initial configuration tasks to a few clicks, saving time and simplifying Microsoft Sentinel setup. There are two versions of this All-in-One setup. This article describes version 2. Version 1 can be found here.

NOTE: This All-in-One setup is in PUBLIC PREVIEW at the moment.

What do you get when you deploy the All-in-One solution?
The solution:

- Creates a resource group
- Creates a Log Analytics workspace
- Enables Microsoft Sentinel on top of the workspace
- Sets workspace retention, daily cap and commitment tier if desired
- Enables UEBA with the relevant identity providers (AAD and/or AD)
- Enables health diagnostics for Analytics Rules, Data Connectors and Automation Rules
- Installs Content Hub solutions from a predefined list (the list is shown in the Content Hub Solutions section)
- Enables Data Connectors from a predefined list (the list is shown in the Data Connectors section)
- Enables analytics rules (Scheduled and NRT) included in the selected Content Hub solutions
- Enables analytics rules (Scheduled and NRT) that use any of the selected Data Connectors

Let's get started

The only thing you need to start using Microsoft Sentinel All-in-One is an Azure subscription and an account with permissions to deploy Microsoft Sentinel. Higher privileges might be required if you wish to enable UEBA and some of the supported connectors. You can find details about the required permissions here. You can find this new version here, or press the button below to deploy the solution:

Basic information

After clicking the button above, the custom deployment screen opens in the Azure portal. The pricing tiers for Log Analytics are found here and for Sentinel here. The next step is Settings.

Settings

If you enable Entity Behavior Analytics, you can choose the Identity Providers. After pressing Next you'll see the Content Hub Solutions.

Content Hub Solutions

In this tab you can select the solutions you want to install into your Sentinel environment.
Microsoft Content Hub Solutions

You can select the following Microsoft solutions to be installed:

- Azure Active Directory
- Azure Activity
- Dynamics 365 CE
- Microsoft 365
- Microsoft Defender for Cloud
- Microsoft Defender for Endpoint
- Microsoft Defender for IoT
- Microsoft Insider Risk Management
- Microsoft Power BI
- Microsoft Project
- Microsoft Teams
- Threat Intelligence

Essentials Content Hub Solutions

You can select the following Essentials solutions to be installed:

- Attacker Tools Threat Protection
- Cloud Identity Threat Protection
- Cloud Service Threat Protection
- Endpoint Threat Protection
- Network Session Essentials
- Network Threat Protection
- Security Threat Essentials
- SOAR Essentials
- SOC Handbook
- SOC Process Framework
- UEBA Essentials

Trainings and Tutorials Content Hub Solutions

You can select the following solutions to be installed:

- KQL Training
- Training Lab

In the next tab you can choose the Data Connectors.

Data Connectors

You can select the following Data Connectors:

- Azure Active Directory
- Azure Active Directory Identity Protection
- Azure Activity
- Dynamics 365
- Microsoft 365 Defender
- Microsoft Defender for Cloud
- Microsoft Insider Risk Management
- Microsoft Power BI
- Microsoft Project
- Office 365
- Threat Intelligence Platforms

NOTE: If you select the Azure Active Directory Data Connector, you can also select which AAD log types to enable.

The next tab is Analytics rules.

Analytics rules

The last step is to review and press the Create button. The deployment time depends on how many selections you made in the previous steps.

Conclusion

I think this is an easy way to start using Microsoft Sentinel if you don't yet know it or what you can actually do with it. When I first tried Sentinel, it would have been nice to have had this kind of solution. The custom deployment is well guided and you always know what you are doing. Above I listed the solutions and connectors basically only by title, but the deployment itself shows what those solutions actually contain.
You get a 31-day trial when you deploy the Sentinel All-in-One solution, but data ingestion is free only up to 10 GB/day for both Microsoft Sentinel and the Log Analytics workspace. It feels and looks like a real Sentinel, so start using and learning it!
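Because the deployment enables health diagnostics for Analytics Rules, Data Connectors and Automation Rules, the SentinelHealth table it feeds is the first place to confirm that the selected connectors and rules are actually running. The following KQL query is an added example, not part of the original post or of the All-in-One template; it assumes health diagnostics have been writing to the workspace for at least a day.

```kusto
// Added example: list every non-successful health event from the last 24 hours,
// grouped per Sentinel resource, with the most recent description for each group.
// SentinelHealth is only populated once health diagnostics are enabled, which the
// All-in-One deployment does for rules, connectors and automation rules.
SentinelHealth
| where TimeGenerated > ago(1d)
| where Status != "Success"
| summarize Events = count(), arg_max(TimeGenerated, Description)
    by SentinelResourceType, SentinelResourceName, OperationName, Status
| project-rename LastSeen = TimeGenerated, LastDescription = Description
| order by Events desc
```

An empty result after connectors have had time to fetch data is the expected healthy state; a connector or rule that shows up here repeatedly is worth checking before relying on its detections.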
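To keep the trial inside the 10 GB/day free ingestion mentioned above, it helps to track billable ingestion per day against that limit. This KQL query over the Usage table is an added example and not from the original post; the 10 GB threshold is the figure quoted above and the 31-day window matches the trial length.

```kusto
// Added example: daily billable ingestion in GB compared with the 10 GB/day
// free allowance of the trial. Usage.Quantity is reported in MB, so divide by 1024.
let FreeGBPerDay = 10.0;   // assumption: the free allowance quoted in this post
Usage
| where TimeGenerated > ago(31d)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024.0, 2) by Day = bin(StartTime, 1d)
| extend OverFreeAllowance = IngestedGB > FreeGBPerDay,
         HeadroomGB = round(FreeGBPerDay - IngestedGB, 2)
| order by Day asc
```

Days flagged with OverFreeAllowance == true are the ones to investigate by DataType, since a single chatty connector (for example Azure Activity or Microsoft 365 Defender) can consume most of the allowance on its own.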