|
1 | 1 | ---
|
2 | 2 | title: Migrate Splunk SOAR automation to Microsoft Sentinel | Microsoft Docs
|
3 | 3 | description: Learn how to identify SOAR use cases, and how to migrate your Splunk SOAR automation to Microsoft Sentinel.
|
4 |
| -author: limwainstein |
5 |
| -ms.author: lwainstein |
| 4 | +author: austinmccollum |
| 5 | +ms.author: austinmc |
6 | 6 | ms.topic: how-to
|
7 |
| -ms.date: 05/03/2022 |
| 7 | +ms.date: 09/11/2024 |
| 8 | +#customer intent: As a SOC administrator, I want to migrate Splunk SOAR automations to Microsoft Sentinel playbooks or automation rules. |
8 | 9 | ---
|
9 | 10 |
|
10 | 11 | # Migrate Splunk SOAR automation to Microsoft Sentinel
|
11 | 12 |
|
12 |
| -Microsoft Sentinel provides Security Orchestration, Automation, and Response (SOAR) capabilities with [automation rules](automate-incident-handling-with-automation-rules.md) and [playbooks](tutorial-respond-threats-playbook.md). Automation rules automate incident handling and response, and playbooks run predetermined sequences of actions to response and remediate threats. This article discusses how to identify SOAR use cases, and how to migrate your Splunk SOAR automation to Microsoft Sentinel. |
| 13 | +Microsoft Sentinel provides Security Orchestration, Automation, and Response (SOAR) capabilities with automation rules and playbooks. Automation rules facilitate simple incident handling and response, while playbooks run more complex sequences of actions to respond and remediate threats. This article discusses how to identify SOAR use cases, and how to migrate your Splunk SOAR automation to Microsoft Sentinel automation rules and playbooks. |
13 | 14 |
|
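Review bot: in the rewritten intro paragraph, "playbooks run more complex sequences of actions to respond and remediate threats" is missing a preposition; "respond to and remediate threats" reads correctly (the removed line had the same problem with "response and remediate"). Dropping the inline links from this paragraph is fine only because the new "For more information" list below carries them; if that list is ever moved, restore the links here so the first mention of automation rules and playbooks stays navigable.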
14 |
| -Automation rules simplify complex workflows for your incident orchestration processes, and allow you to centrally manage your incident handling automation. |
15 |
| - |
16 |
| -With automation rules, you can: |
17 |
| -- Perform simple automation tasks without necessarily using playbooks. For example, you can assign, tag incidents, change status, and close incidents. |
18 |
| -- Automate responses for multiple analytics rules at once. |
19 |
| -- Control the order of actions that are executed. |
20 |
| -- Run playbooks for those cases where more complex automation tasks are necessary. |
| 15 | +For more information about the differences between automation rules and playbooks, see the following articles: |
| 16 | +- [Automate threat response with automation rules](automate-incident-handling-with-automation-rules.md) |
| 17 | +- [Automate threat response with playbooks](automation/automate-responses-with-playbooks.md) |
21 | 18 |
|
22 | 19 | ## Identify SOAR use cases
|
23 | 20 |
|
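Review bot: the two new links in the "For more information" list resolve to different directories: `automate-incident-handling-with-automation-rules.md` is referenced at the root of the docset while `automate-responses-with-playbooks.md` is under `automation/`. Confirm both relative paths exist as written, since a wrong directory here becomes a broken link in the build. Note also that the deleted "With automation rules, you can" bullets were the only in-page statement of what automation rules do without a playbook (assign, tag, change status, close incidents); that is acceptable only if the linked automation rules article covers the same ground, otherwise keep a one-line summary here.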
24 |
| -Here’s what you need to think about when migrating SOAR use cases from Splunk. |
25 |
| -- **Use case quality**. Choose good use cases for automation. Use cases should be based on procedures that are clearly defined, with minimal variation, and a low false-positive rate. Automation should work with efficient use cases. |
26 |
| -- **Manual intervention**. Automated response can have wide ranging effects and high impact automations should have human input to confirm high impact actions before they’re taken. |
27 |
| -- **Binary criteria**. To increase response success, decision points within an automated workflow should be as limited as possible, with binary criteria. Binary criteria reduces the need for human intervention, and enhances outcome predictability. |
28 |
| -- **Accurate alerts or data**. Response actions are dependent on the accuracy of signals such as alerts. Alerts and enrichment sources should be reliable. Microsoft Sentinel resources such as watchlists and reliable threat intelligence can enhance reliability. |
29 |
| -- **Analyst role**. While automation where possible is great, reserve more complex tasks for analysts, and provide them with the opportunity for input into workflows that require validation. In short, response automation should augment and extend analyst capabilities. |
| 21 | +Here's what you need to think about when migrating SOAR use cases from Splunk. |
| 22 | +- **Use case quality**. Choose automation use cases based on procedures that are clearly defined, with minimal variation, and a low false-positive rate. |
| 23 | +- **Manual intervention**. Automated responses can have wide ranging effects. High impact automations should have human input to confirm high impact actions before they're taken. |
| 24 | +- **Binary criteria**. To increase response success, decision points within an automated workflow should be as limited as possible, with binary criteria. When there are only two variables in the automated decision making, the need for human intervention is reduced and outcome predictability is enhanced. |
| 25 | +- **Accurate alerts or data**. Response actions are dependent on the accuracy of signals such as alerts. Alerts and enrichment sources should be reliable. Microsoft Sentinel resources such as watchlists and threat intelligence with high confidence ratings enhance reliability. |
| 26 | +- **Analyst role**. While automation is great, reserve the most complex tasks for analysts. Provide them with the opportunity for input into workflows that require validation. In short, response automation should augment and extend analyst capabilities. |
30 | 27 |
|
31 | 28 | ## Migrate SOAR workflow
|
32 | 29 |
|
|
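Review bot: in the rewritten "Binary criteria" bullet, "When there are only two variables in the automated decision making" misstates what binary criteria means; a binary decision point has two possible outcomes (for example, true or false), not two variables. Suggest "When each decision point has only two possible outcomes, the need for human intervention is reduced and outcome predictability is enhanced." Minor style points in the same list: "wide ranging effects" and "high impact automations" should be hyphenated as compound modifiers ("wide-ranging", "high-impact") to match "false-positive rate" two lines earlier, and the "Manual intervention" bullet repeats "high impact" twice in one sentence; "High-impact automations should require human confirmation before their actions are taken" says the same thing once.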