5.3 Creating Your First Workspace

90 minutes · Module 5

Creating Your First Workspace

By the end of this subsection, you will have created a Log Analytics workspace, enabled Sentinel on it, and configured initial settings.

Step 1: Create the resource group

In the Azure portal, navigate to Resource Groups and create a new group:

Name: rg-sentinel-prod
Region: East US (or your chosen region from 5.2)
Tags: Environment: Production, Service: Security

Tags are not required but make cost tracking and access management easier as your Azure environment grows.

Step 2: Create the Log Analytics workspace

Navigate to Log Analytics workspaces and click Create:

Resource group: rg-sentinel-prod
Name: law-[yourcompany]-sentinel-eastus
Region: East US (must match the resource group region)
Pricing tier: Pay-as-you-go (default — commitment tiers covered in 5.5)

Click Review + Create, then Create. The workspace deploys in under a minute.

Step 3: Enable Microsoft Sentinel

Navigate to Microsoft Sentinel. Click Create. Select the workspace you just created. Click Add.

Sentinel is now enabled. The portal shows the Overview dashboard — currently empty because no data connectors are configured.

That is the entire deployment

Three steps: resource group, workspace, Sentinel. The infrastructure is ready. Everything that follows — data connectors, analytics rules, automation — is configuration on top of this foundation. Sentinel's value is not in the deployment; it is in what you build on it.

Step 4: Configure workspace retention

Default retention is 90 days for the interactive tier and 30 days for Basic logs. For most security operations, 90 days of interactive retention is sufficient for investigation. Long-term retention uses the Archive tier at significantly reduced cost.

Navigate to your Log Analytics workspace → Usage and estimated costs → Data Retention.

Retention setting	Default	Recommended	Why
Interactive retention	90 days	90 days	Covers most investigation lookback windows
Total retention (interactive + archive)	90 days	365 days	Compliance and long-tail investigation

90 days of interactive + 275 days of archive = 365 days total

Data older than 90 days moves to the Archive tier automatically. Archive data is searchable via search jobs and restore operations, but not via standard KQL queries. For most investigations, 90 days of interactive data is sufficient. The 365-day total retention covers annual compliance audits and long-running investigations.

Step 5: Apply a resource lock

Navigate to your Log Analytics workspace → Locks → Add.

Lock name: prevent-deletion
Lock type: CanNotDelete

This prevents accidental deletion of the workspace. A deleted workspace takes its data with it — recovery is limited to 14 days and only if the workspace was soft-deleted. The resource lock is cheap insurance.

Verification

Confirm your deployment:

1
2
3
4
// Run this in your Sentinel workspace → Logs
Heartbeat
| where TimeGenerated > ago(1h)
| summarize LastHeartbeat = max(TimeGenerated)

Expected Output

LastHeartbeat
2026-03-21T14:32:00Z

What to look for: A recent timestamp confirms the workspace is operational and receiving heartbeat data. If this returns no results, the workspace was just created and no agents or connectors have sent data yet — that is expected at this stage. The Heartbeat table populates once you connect data sources (subsections 5.6-5.7).

Check your understanding

1. Why apply a CanNotDelete resource lock to the workspace?

A deleted workspace takes all stored security data with it. Recovery is limited to 14 days. The lock prevents accidental deletion by anyone with Contributor or Owner access to the resource group.

Azure requires it for Sentinel

It improves query performance

Resource locks are a safety net. Any user with Contributor access to the resource group can delete resources. A CanNotDelete lock requires explicit lock removal before deletion — an extra step that prevents "oops" moments that cost you months of security data.

← 5.2 Workspace Architecture Decisions 5.4 Log Types: Analytics vs Basic vs Archive →