You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/migration.md
+34-24Lines changed: 34 additions & 24 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -119,17 +119,8 @@ The following table describes side-by-side configurations that are *not* recomme
119
119
|||
120
120
121
121
122
-
## How to migrate to Azure Sentinel
123
122
124
-
Use the following steps to migrate from a legacy SIEM to Azure Sentinel:
125
-
126
-
1. Migrate your data
127
-
1. Migrate detection rules
128
-
1. Use automation to streamline processes
129
-
130
-
When you're ready, continue with [retiring your legacy SIEM](#retire-your-legacy-siem).
131
-
132
-
### Migrate your data
123
+
## Migrate your data
133
124
134
125
Make sure that you migrate only the data that represents your current key use cases.
135
126
@@ -155,7 +146,7 @@ Make sure that you migrate only the data that represents your current key use ca
155
146
> As you migrate detections and build use cases in Azure Sentinel, stay mindful of the data you ingest, and verify its value to your key priorities. Revisit data collection conversations to ensure data depth and breadth across your use cases.
156
147
>
157
148
158
-
###Migrate analytics rules
149
+
## Migrate analytics rules
159
150
160
151
Azure Sentinel uses machine learning analytics to create high-fidelity and actionable incidents, and some of your existing detections may be redundant in Azure Sentinel. Therefore, do not migrate all of your detection and analytics rules blindly:
161
152
@@ -177,28 +168,47 @@ Azure Sentinel uses machine learning analytics to create high-fidelity and actio
177
168
178
169
1.**Confirm that you have any required data sources connected,** and review your data connection methods.
179
170
180
-
1. Verify whether your detections are available as built-in templates in Azure Sentinel.
171
+
1. Verify whether your detections are available as built-in templates in Azure Sentinel:
172
+
173
+
-**If the built-in rules are sufficient**, use built-in rule templates to create rules for your own workspace.
174
+
175
+
In Azure Sentinel, go to the **Configuration > Analytics > Rule templates** tab, and create and update each relevant analytics rule.
176
+
177
+
For more information, see [Detect threats out-of-the-box](tutorial-detect-threats-built-in.md).
178
+
179
+
-**If you have detections that aren't covered by Azure Sentinel's built-in rules**, try an online query converter, such as [Uncoder.io](https://uncoder.io/) to convert your queries to KQL.
180
+
181
+
Identify the trigger condition and rule action, and then construct and review your KQL query.
181
182
182
-
|Condition |Steps |
183
-
|---------|---------|
184
-
|**If the built-in rules are sufficient**| Use built-in rule templates to create rules for your own workspace.<br><br> In Azure Sentinel, go to the **Configuration > Analytics > Rule templates** tab, and create and update each relevant analytics rule. For more information, see [Detect threats out-of-the-box](tutorial-detect-threats-built-in.md). |
185
-
|**If you have detections that aren't covered by Azure Sentinel's built-in rules**| Try an online query converter, such as [Uncoder.io](https://uncoder.io/) to convert your queries to KQL. <br><br>Identify the trigger condition and rule action, and then construct and review your KQL query. |
186
-
|**If neither the built-in rules nor an online rule converter is sufficient** | You'll need to create the rule manually. In such cases, use the following steps to start creating your rule: <br><br>1. **Identify the data sources you want to use in your rule**. <br>You'll want to create a mapping table between data sources and data tables in Azure Sentinel to identify the tables you want to query.<br> <br> 2. **Identify any attributes, fields, or entities** in your data that you want to use in your rules.<br><br> 3. **Identify your rule criteria and logic**. <br>At this stage, you may want to to use rule templates as samples for how to construct your KQL queries. <br><br> Consider filters, correlation rules, activelists, reference sets, watchlists, detection anomalies, aggregations, and so on. You might use references provided by your legacy SIEM to understand how to best map your query syntax.<br><br>For example, see [Sample rule mapping between ArcSight/QRadar and Azure Sentinel](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/RuleMigration/Rule%20Logic%20Mappings.md) and [SPL to KQL mapping samples](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/RuleMigration/Rule%20Logic%20Mappings.md) <br> <br>4. **Identify the trigger condition and rule action**. <br><br>5. **Construct and review your KQL query**. <br>When reviewing your query, consider KQL optimization guidance resources. |
187
-
|||
183
+
-**If neither the built-in rules nor an online rule converter is sufficient**, you'll need to create the rule manually. In such cases, use the following steps to start creating your rule:
188
184
185
+
1.**Identify the data sources you want to use in your rule**. You'll want to create a mapping table between data sources and data tables in Azure Sentinel to identify the tables you want to query.
186
+
187
+
1.**Identify any attributes, fields, or entities** in your data that you want to use in your rules.
188
+
189
+
1.**Identify your rule criteria and logic**. At this stage, you may want to to use rule templates as samples for how to construct your KQL queries.
190
+
191
+
Consider filters, correlation rules, activelists, reference sets, watchlists, detection anomalies, aggregations, and so on. You might use references provided by your legacy SIEM to understand how to best map your query syntax.
192
+
193
+
For example, see:
194
+
195
+
-[Sample rule mapping between ArcSight/QRadar and Azure Sentinel](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/RuleMigration/Rule%20Logic%20Mappings.md)
196
+
-[SPL to KQL mapping samples](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/RuleMigration/Rule%20Logic%20Mappings.md)
197
+
198
+
1.**Identify the trigger condition and rule action, and then construct and review your KQL query**. When reviewing your query, consider KQL optimization guidance resources.
189
199
190
200
1. Test the rule with each of your relevant use cases. If it doesn't provided expected results, you may want to review the KQL and test it again.
191
201
192
202
1. When you're satisfied, you can consider the rule migrated. Create a playbook for your rule action as needed. For more information, see [Automate threat response with playbooks in Azure Sentinel](automate-responses-with-playbooks.md).
193
203
194
-
For more information, see:
204
+
**For more information, see**:
195
205
196
-
-[Create custom analytics rules to detect threats](tutorial-detect-threats-custom.md). Use [alert grouping](tutorial-detect-threats-custom.md#alert-grouping) to reduce alert fatigue by grouping alerts that occur within a given timeframe.
197
-
-[Map data fields to entities in Azure Sentinel](map-data-fields-to-entities.md) to enable SOC engineers to define entities as part of the evidence to track during an investigation. Entity mapping also makes it possible for SOC analysts to take advantage of an intuitive [investigation graph (tutorial-investigate-cases.md#use-the-investigation-graph-to-deep-dive) that can help reduce time and effort.
198
-
-[Investigate incidents with UEBA data](investigate-with-ueba.md), as an example of how to use evidence to surface events, alerts, and any bookmarks associated with a particular incident in the incident preview pane.
199
-
-[Kusto Query Language (KQL)](/azure/data-explorer/kusto/query/), which you can use to send read-only requests to your [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial) database to process data and return results. KQL is also used across other Microsoft services, such as [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender) and [Application Insights](/azure/azure-monitor/app/app-insights-overview).
206
+
-[**Create custom analytics rules to detect threats**](tutorial-detect-threats-custom.md). Use [alert grouping](tutorial-detect-threats-custom.md#alert-grouping) to reduce alert fatigue by grouping alerts that occur within a given timeframe.
207
+
-[**Map data fields to entities in Azure Sentinel**](map-data-fields-to-entities.md) to enable SOC engineers to define entities as part of the evidence to track during an investigation. Entity mapping also makes it possible for SOC analysts to take advantage of an intuitive [investigation graph (tutorial-investigate-cases.md#use-the-investigation-graph-to-deep-dive) that can help reduce time and effort.
208
+
-[**Investigate incidents with UEBA data**](investigate-with-ueba.md), as an example of how to use evidence to surface events, alerts, and any bookmarks associated with a particular incident in the incident preview pane.
209
+
-[**Kusto Query Language (KQL)**](/azure/data-explorer/kusto/query/), which you can use to send read-only requests to your [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial) database to process data and return results. KQL is also used across other Microsoft services, such as [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender) and [Application Insights](/azure/azure-monitor/app/app-insights-overview).
200
210
201
-
###Use automation in Azure Sentinel
211
+
## Use automation to streamline processes
202
212
203
213
Use automated workflows to group and prioritize alerts into a common incident, and modify its priority.
0 commit comments