Deploy Azure Sentinel With ARM Template

In this blog post, we will learn how to deploy Azure Sentinel with an ARM template and the Azure CLI.

About Azure Sentinel

Azure Sentinel is a cloud-based security information and event management (SIEM) system that is powered by Azure Log Analytics.

The core components of Sentinel are:

  • Data Connectors – These are built-in connectors that allow us to connect to data sources such as a Syslog server, Azure AD and Microsoft 365.
  • Log retention – Capability to store logs for short and long time periods.
  • Workbooks – This is where we can create dashboards with all the data we get from the connectors.
  • Alerts, notifications and investigations – Manage security incidents.
  • Automation – Automation of response to Security incidents.


To deploy Sentinel, I will use an ARM template file and a parameter file. The files for the deployment are in our GitHub repository below:

To deploy the ARM template, I will use the Azure CLI with the following commands. The commands below create a resource group; you can skip that step if you are using an existing one.

The template will create a new Log Analytics resource to use for Sentinel.

# Log in to Azure
az login
# Set subscription
az account set --subscription "name of subscription"
# Create resource group
az group create --name "Sentinel" --location "West US"
# Deploy template
az deployment group create --name deploysentinel --resource-group sentinel --template-file azuredeploy.json --parameters azuredeploy.parameters.json --verbose
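
The deployment above depends on a template that creates a Log Analytics workspace and enables Sentinel on it. The following is an added illustration of that pattern, not the azuredeploy.json from the repository; the parameter names (workspaceName, location, retentionInDays), their defaults and the chosen API versions are assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "comments": "Added illustration only; parameter names and defaults are assumptions, not the repository's template."
  },
  "parameters": {
    "workspaceName": { "type": "string" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "retentionInDays": { "type": "int", "defaultValue": 90, "minValue": 30, "maxValue": 730 }
  },
  "variables": {
    "solutionName": "[concat('SecurityInsights(', parameters('workspaceName'), ')')]",
    "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2020-08-01",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]",
      "properties": {
        "sku": { "name": "PerGB2018" },
        "retentionInDays": "[parameters('retentionInDays')]"
      }
    },
    {
      "type": "Microsoft.OperationsManagement/solutions",
      "apiVersion": "2015-11-01-preview",
      "name": "[variables('solutionName')]",
      "location": "[parameters('location')]",
      "dependsOn": [ "[variables('workspaceId')]" ],
      "plan": {
        "name": "[variables('solutionName')]",
        "publisher": "Microsoft",
        "product": "OMSGallery/SecurityInsights",
        "promotionCode": ""
      },
      "properties": {
        "workspaceResourceId": "[variables('workspaceId')]"
      }
    }
  ]
}
```

The second resource is what turns a plain Log Analytics workspace into a Sentinel workspace: the SecurityInsights solution is attached to the workspace by its resource ID. The retentionInDays parameter corresponds to the log retention component listed earlier, so it is worth setting deliberately in the parameter file rather than relying on a default.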