Try this first
- 1Create a Log Analytics workspace in Azure in the same region as your tenant. Enable Sentinel on it. Expect 5 to 10 euros of startup cost in month one before data flows in.
- 2Connect the free sources: Entra sign-in and audit logs, Office 365 (Exchange, SharePoint, Teams audit), Microsoft Defender XDR. These ingest free if you hold M365 E5 or equivalent licenses.
- 3Do not turn everything on. Defender for Endpoint advanced hunting can push thousands of events per minute. Start with alerts only, not raw events, or the Log Analytics bill takes off.
- 4Enable a handful of built-in analytics rules: Sign-in from anonymous IP, Mass download by user, Brute force activity. Microsoft ships templates, you do not write from zero.
- 5Set a budget alert on the workspace itself in Azure Cost Management. 50 euros per person per month is realistic without heavy raw logs. Above that, check what you accidentally enabled.
When to bring us in
If you want servers, firewall, or Linux systems in Sentinel too, plan a dedicated day or hire help for the connectors. Custom log sources are where Sentinel projects derail, not the Microsoft sources.
See also
- I think I clicked a phishing linkNo shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangelySending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codesClassic problem after a phone upgrade. You are not the first to be locked out.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.