articles/sentinel/siem-migration.md
15 additions & 8 deletions
@@ -101,21 +101,26 @@ Here are some of the priorities that are important to us as we continue to devel
101
101
> [!NOTE]
102
102
> Check the schema of the data types and fields used in the rule logic. Microsoft Sentinel Analytics require that the data type be present in the Log Analytics Workspace before the rule is enabled. It's also important the fields used in the query are accurate for the defined data type schema.
103
103
104
+
1. Highlight a rule to resolve translation and select **Edit**. When you are satisfied with the results, select **Save Changes**.
105
+
106
+
1. Switch on the **Ready to deploy** toggle for Analytics rules you want to deploy.
107
+
104
108
1. When the review is complete, select **Review and migrate**.
105
109
106
110
## Deploy the Analytics rules
107
111
108
-
1.(Optional) Select **Export Templates** to download the Analytics rules as ARM templates for us in your CI/CD or custom deployment processes.
112
+
1. Select **Deploy**.
109
113
110
-
:::image type="content" source="media/siem-migration/export-templates.png" alt-text="Screenshot showing the Review and Migrate tab highlighting the Export Templates button.":::
111
-
112
-
1.**Deploy** starts the deployment of the selected analytics rules to your Microsoft Sentinel workspace.
114
+
| Translation Type | Resource deployed |
115
+
|:----|:---|
116
+
| Out of the box | The corresponding solutions from **Content hub** that contain the matched analytics rule templates are installed. The matched rules are deployed as active analytics rules in the disabled state. <br><br>For more information, see [Manage Analytics rule templates](manage-analytics-rule-templates.md). |
117
+
| Custom | Rules are deployed as active analytics rules in the disabled state. |
113
118
114
-
The following resources are deployed:
115
-
- For all OOTB matches, the corresponding solutions with the matched analytics rule are installed, and the matched rules are deployed as active analytics rules.
116
-
- All custom rules translated to Sentinel analytics rules are deployed as active analytics rules in the disabled state.
119
+
1. (Optional) Choose Analytics rules and select **Export Templates** to download them as ARM templates for use in your CI/CD or custom deployment processes.
117
120
118
-
1. Before exiting the SIEM Migration experience, **Download Migration Summary** to keep a summary of the Analytics deployment.
121
+
:::image type="content" source="media/siem-migration/export-templates.png" alt-text="Screenshot showing the Review and Migrate tab highlighting the Export Templates button.":::
122
+
123
+
1. Before exiting the SIEM Migration experience, select **Download Migration Summary** to keep a summary of the Analytics deployment.
119
124
120
125
:::image type="content" source="media/siem-migration/download-migration-summary.png" alt-text="Screenshot showing the Download Migration Summary button from the Review and Migrate tab.":::
121
126
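Review bot: In the new table, the "Out of the box" row says matched rules are deployed "as active analytics rules in the disabled state", but the removed bullet for OOTB matches said only "deployed as active analytics rules" with no mention of a disabled state. Please confirm this is a deliberate correction of the described behavior and not wording carried over from the Custom row. Since both rows now leave rules disabled, a sentence directly after the table saying that deployed rules produce no alerts until they are enabled would keep readers from assuming detection coverage exists as soon as they select Deploy. Separately, moving the optional Export Templates step after "Select **Deploy**" reads as if exporting requires deploying first; if templates can be exported without deploying, say so for readers who only want the ARM templates for CI/CD.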
@@ -135,6 +140,8 @@ Here are some of the priorities that are important to us as we continue to devel
135
140
136
141
1. Enable rules after you review and verify them.
137
142
143
+
:::image type="content" source="media/siem-migration/enable-deployed-translated-rules.png" alt-text="Screenshot showing Analytics rules with deployed Splunk rules highlighted ready to be enabled.":::
144
+
138
145
## Next step
139
146
140
147
In this article, you learned how to use the SIEM migration experience.
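Review bot: The alt text on the added image says "deployed Splunk rules", while the step above it ("Enable rules after you review and verify them.") and the image file name (enable-deployed-translated-rules.png) refer to the rules generically. Suggest "deployed translated rules" unless the screenshot is meant to be Splunk-specific, and "highlighted and ready to be enabled" in place of "highlighted ready to be enabled" so the alt text reads cleanly in a screen reader.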