Commit 57a5511

update portal nav
1 parent 99a27cc commit 57a5511

1 file changed

+3
-3
lines changed

articles/sentinel/siem-migration.md

Lines changed: 3 additions & 3 deletions
@@ -60,7 +60,7 @@ Current capabilities:
6060

6161
## Start the SIEM migration experience
6262

63-
1. Find the SIEM migration experience in the Microsoft Sentinel in the [Azure portal](https://portal.azure.com) or the [Defender portal](https://security.microsoft.com/), under **Content management** > **Content hub**.
63+
1. Find the SIEM migration experience in Microsoft Sentinel from the [Azure portal](https://portal.azure.com) or the [Defender portal](https://security.microsoft.com/), under **Content management** > **Content hub**.
6464

6565
1. Select **SIEM Migration**.
6666
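Review bot: The reworded step at new line 63 still gives one menu path, **Content management** > **Content hub**, for both the Azure portal and the Defender portal, although the commit subject says "update portal nav". Please confirm that path is correct in each portal, and split the step into per-portal instructions if it is not. Minor style point on the same line: the Defender portal URL has a trailing slash and the Azure portal URL does not; pick one form.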

@@ -96,15 +96,15 @@ Current capabilities:
9696

9797
## Schema mapping
9898

99-
Once you match Splunk data source ingestion in Microsoft Sentinel, use **Schema mapping** to precisely define how the data types and fields in the analytics rule logic are mapped.
99+
Use **Schema mapping** to precisely define how the data types and fields in the analytics rule logic are mapped based on the extracted sources from the SPL queries to the Microsoft Sentinel tables.
100100

101101
### Data sources
102102

103103
Known sources such as Splunk CIM schemas and data models are automatically mapped to ASIM schemas when applicable. Other sources used in the Splunk detection must be manually mapped to Microsoft Sentinel or Log Analytics tables. Mapping schemas are hierarchical so Splunk sources map 1:1 with Microsoft Sentinel tables and the fields within those sources.
104104

105105
:::image type="content" source="media/siem-migration/schema-mapping-data-sources.png" alt-text="Screenshot showing the Schema mapping (preview) options for data sources." lightbox="media/siem-migration/schema-mapping-data-sources.png":::
106106

107-
Once the schema mapping is complete, any manual updates are reflected in the **Mapping Status** as "Manually mapped". The changes are taken into account in the next step when the rules are translated.
107+
Once the schema mapping is complete, any manual updates are reflected in the **Mapping Status** as "Manually mapped". The changes are taken into account in the next step when the rules are translated. The mapping is saved per workspace, so you don't have to repeat it.
108108

109109
### Lookups
110110
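Review bot: The new sentence at line 99 is hard to parse: "mapped based on the extracted sources from the SPL queries to the Microsoft Sentinel tables" can be read several ways, and it drops the ordering cue the old text gave ("Once you match Splunk data source ingestion"). Suggest something like "Use **Schema mapping** to define how the sources, data types, and fields extracted from the SPL queries map to Microsoft Sentinel tables", and keep a short note on what must be done first if that prerequisite still applies. At line 107, "saved per workspace, so you don't have to repeat it" should say when the saved mapping is reused and how to review or change it, since a wrong mapping carried into a later translation produces rules that query the wrong table or field.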
