articles/sentinel/migration-qradar-detection-rules.md
Lines changed: 10 additions & 14 deletions
@@ -1,18 +1,18 @@
1
1
---
2
2
title: Migrate QRadar detection rules to Microsoft Sentinel | Microsoft Docs
3
-
description: Identify, compare, and migrate your QRadar detection rules to Microsoft Sentinel analytics rules using Content Hub solutions.
3
+
description: Identify, compare, and migrate your QRadar detection rules to Microsoft Sentinel analytics rules.
4
4
author: cwatson-cat
5
5
ms.author: cwatson
6
6
ms.topic: how-to
7
7
ms.date: 07/03/2025
8
8
9
-
#Customer intent: As a security engineer, I want to migrate QRadar detection rules to Microsoft Sentinel so that analysts can leverage machine learning analytics and content from Content Hub solutions for more efficient threat detection and incident response.
9
+
#Customer intent: As a security engineer, I want to migrate QRadar detection rules to Microsoft Sentinel so that analysts can leverage machine learning analytics for more efficient threat detection and incident response.
10
10
11
11
---
12
12
13
13
# Migrate QRadar detection rules to Microsoft Sentinel
14
14
15
-
This article describes how to identify, compare, and migrate your QRadar detection rules to Microsoft Sentinel analytics rules available through Content Hub solutions.
15
+
This article describes how to identify, compare, and migrate your QRadar detection rules to Microsoft Sentinel built-in rules.
16
16
17
17
## Identify and migrate rules
18
18
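Review bot: The new intro wording "migrate your QRadar detection rules to Microsoft Sentinel built-in rules" is imprecise and conflicts with the rest of this patch, which still tells the reader to install solutions from the Content Hub and create rules from their templates (hunk at @@ -41,19 +41,16 @@). Rules created from Content Hub templates are not "built-in", and the removed phrase "analytics rules available through Content Hub solutions" matched the procedure below. The description and #Customer intent lines likewise drop the only mention of Content Hub, so the page metadata no longer reflects what the how-to walks through. Suggest keeping the Content Hub wording, or at least using one consistent term ("analytics rule templates") across the description, intent and intro.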
@@ -23,7 +23,7 @@ Microsoft Sentinel uses machine learning analytics to create high-fidelity and a
23
23
- Check that you understand the [rule terminology](#compare-rule-terminology).
24
24
- Review any rules that haven't triggered any alerts in the past 6-12 months, and determine whether they're still relevant.
25
25
- Eliminate low-level threats or alerts that you routinely ignore.
26
-
- Use existing functionality available through Content Hub solutions. Browse the [Content Hub](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog) to find solutions that contain analytics rule templates addressing your current use cases. Because Microsoft Sentinel uses machine learning analytics to produce high-fidelity and actionable incidents, it's likely that some of your existing detections won't be required anymore.
26
+
- Use existing functionality and check whether Microsoft Sentinel’s [built-in analytics rules](https://github.com/Azure/Azure-Sentinel/tree/master/Detections) might address your current use cases. Because Microsoft Sentinel uses machine learning analytics to produce high-fidelity and actionable incidents, it’s likely that some of your existing detections won’t be required anymore.
27
27
- Confirm connected data sources and review your data connection methods. Revisit data collection conversations to ensure data depth and breadth across the use cases you plan to detect.
28
28
- Explore community resources such as the [SOC Prime Threat Detection Marketplace](https://my.socprime.com/platform-overview/) to check whether your rules are available.
29
29
- Consider whether an online query converter such as Uncoder.io might work for your rules.
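Review bot: The replacement link on the + line sends readers to the raw GitHub Detections folder (https://github.com/Azure/Azure-Sentinel/tree/master/Detections) instead of the catalog; that folder is a source repository of YAML templates, not where a customer discovers or installs rules, and it is inconsistent with the Content Hub install steps later in the file. If the intent is to point at the catalog, keep the sentinel-solutions-catalog link, preferably as a relative link like the other docs links in this file (e.g. sentinel-solutions-deploy.md) rather than an absolute docs.microsoft.com URL. Also, the + line uses curly apostrophes in "Sentinel’s", "it’s" and "won’t" while the unchanged context line uses straight quotes ("haven't"); use straight quotes.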
@@ -41,19 +41,16 @@ Learn more about [best practices for migrating detection rules](https://techcomm
41
41
42
42
1.**Confirm that you have any required data sources connected,** and review your data connection methods.
43
43
44
-
1. Verify whether your detections are available through Content Hub solutions in Microsoft Sentinel:
44
+
1. Verify whether your detections are available as built in templates in the Content Hub:
45
45
46
-
-**If suitable analytics rule templates are available in Content Hub solutions**, install the relevant solutions and use the templates to create rules for your workspace.
46
+
-**If the built in rules are sufficient**, install the relevant solutions and use the templates to create rules for your workspace.
47
47
48
48
1. In Microsoft Sentinel, go to **Content management > Content hub**.
49
-
2. Search for and install solutions that contain analytics rules relevant to your security scenarios.
50
-
3. After installing solutions, go to **Configuration > Analytics > Rule templates** tab.
51
-
4. Filter by solution name to find the templates from your installed solutions.
52
-
5. Create and configure each relevant analytics rule from the templates.
49
+
1. Search for and install the relevant analytics rule.
53
50
54
51
For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md) and [Create scheduled analytics rules from templates](create-analytics-rule-from-template.md).
55
52
56
-
-**If you have detections that aren't covered by Content Hub solutions**, try an online query converter, such as [Uncoder.io](https://uncoder.io/) to convert your queries to KQL.
53
+
-**If you have detections that aren't covered by the built in rules available in theContent Hub**, try an online query converter, such as [Uncoder.io](https://uncoder.io/) to convert your queries to KQL.
57
54
58
55
Identify the trigger condition and rule action, and then construct and review your KQL query.
59
56
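Review bot: Collapsing the five install steps into the single step "1. Search for and install the relevant analytics rule." loses the actual workflow and contradicts the bold line right above it, which still says "install the relevant solutions and use the templates to create rules for your workspace". In Content hub you install a solution, then go to **Configuration > Analytics > Rule templates**, filter by the solution, and create rules from the templates; a reader following the new text will look for an "analytics rule" to install and not find one. Keep the step list, or at least steps 1, 3 and 5. Separately, "built in" should be hyphenated ("built-in") on both + lines, and "theContent Hub" is missing a space.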
@@ -63,7 +60,7 @@ Learn more about [best practices for migrating detection rules](https://techcomm
63
60
64
61
1.**Identify any attributes, fields, or entities** in your data that you want to use in your rules.
65
62
66
-
1.**Identify your rule criteria and logic**. At this stage, you may want to examine analytics rule templates from Content Hub solutions as samples for how to construct your KQL queries.
63
+
1.**Identify your rule criteria and logic**. At this stage, you may want to use rule templates as samples for how to construct your KQL queries as samples for how to construct your KQL queries.
67
64
68
65
Consider filters, correlation rules, active lists, reference sets, watchlists, detection anomalies, aggregations, and so on. You might use references provided by your legacy SIEM to understand [how to best map your query syntax](#map-and-compare-rule-samples).
69
66
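Review bot: The + line contains a duplicated clause: "use rule templates as samples for how to construct your KQL queries as samples for how to construct your KQL queries". Drop the repeat, e.g. "At this stage, you may want to use rule templates as samples for how to construct your KQL queries." It would also help to say where those templates come from (the Rule templates tab after installing a Content hub solution), since the removed text did.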
@@ -90,11 +87,10 @@ This table helps you to clarify the concept of a rule in Microsoft Sentinel comp
90
87
|**Criteria**|Define in test condition |Define in KQL |
91
88
|**Trigger condition**|Define in rule |Threshold: Number of query results |
92
89
|**Action**|• Create offense<br>• Dispatch new event<br>• Add to reference set or data<br>• And more |• Create alert or incident<br>• Integrates with Logic Apps |
93
-
|**Rule location**|Built into product |Available through Content Hub solutions |
94
90
95
91
## Map and compare rule samples
96
92
97
-
Use these samples to compare and map rules from QRadar to Microsoft Sentinel in various scenarios. When creating custom rules in Microsoft Sentinel, consider first checking Content Hub for solutions that might contain similar rule templates.
93
+
Use these samples to compare and map rules from QRadar to Microsoft Sentinel in various scenarios.
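Review bot: Deleting the **Rule location** row removes the QRadar side of the comparison ("Built into product") along with the Sentinel cell; if the objection is to the Sentinel column, update that cell rather than drop the row, e.g. `|**Rule location**|Built into product |Installed from Content hub solutions as rule templates |`. Dropping the sentence "consider first checking Content Hub for solutions that might contain similar rule templates" also removes the only pointer that keeps readers from hand-converting rules that already exist as templates; suggest keeping it.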