Over the last couple of nights I've been playing with Azure Sentinel to see how useful it will be as a SIEM/hunting platform. One of the first things I wanted to do is onboard Sysmon data. Unfortunately the documentation isn't up to par yet, and it took me a LOT of time and some help from Kevin Beaumont, @ashwinpatil and Maarten Goet to get this working. Thanks guys!

For instance, the "Security and Audit" solution ships a SysmonEvent schema, but that one is broken. To save you the same struggle, I'll give a brief outline here.

Onboarding data

First of all you'll need to connect machines, which is relatively straightforward. Then you need to start ingesting some data:

Go to "Getting started" and click Connect on step 1

Configure the Security Events

Select "All Events" and click Update at the bottom

Now it is ready to start ingesting events. To configure which ones, go to "Workspace Settings" and then to "Advanced Settings", and start adding the Data sources you require.
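As an added check (an example query written for this outline, not from the original post or from Microsoft's solution), the KQL below confirms that Sysmon events are actually arriving and pulls the process-creation fields out of the raw EventData XML. It assumes the default "Microsoft-Windows-Sysmon/Operational" channel was added as a Windows Event Log data source and that the events land in the standard Event table.

```kusto
// Constructed example: verify Sysmon ingestion and parse process-creation
// (EventID 1) events from the raw EventData XML in the Event table.
// Assumption: the Sysmon operational log was added as a data source under
// Advanced Settings > Data > Windows Event Logs.
Event
| where TimeGenerated > ago(24h)
| where EventLog == "Microsoft-Windows-Sysmon/Operational"
| where EventID == 1          // Sysmon process creation
// EventData is a string of <Data Name="...">value</Data> elements; pull the
// fields we care about with a regex so the query is independent of the
// (broken) SysmonEvent schema. Values are still XML-escaped (e.g. &amp;).
| extend Image       = extract(@'<Data Name="Image">([^<]*)</Data>', 1, EventData),
         CommandLine = extract(@'<Data Name="CommandLine">([^<]*)</Data>', 1, EventData),
         ParentImage = extract(@'<Data Name="ParentImage">([^<]*)</Data>', 1, EventData),
         User        = extract(@'<Data Name="User">([^<]*)</Data>', 1, EventData)
// Per-host baseline of parent -> child process pairs; an empty result means
// the data source is not wired up yet.
| summarize Count = count(), SampleCommandLine = any(CommandLine)
        by Computer, User, ParentImage, Image
| order by Count desc
```

Dropping the `where EventID == 1` line and summarizing by `Computer, EventID` instead gives a quick per-host count of every Sysmon event type being collected.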