articles/sentinel/migration-qradar-detection-rules.md
Lines changed: 16 additions & 16 deletions
@@ -4,10 +4,9 @@ description: Identify, compare, and migrate your QRadar detection rules to Micro
4
4
author: EdB-MSFT
5
5
ms.author: edbaynash
6
6
ms.topic: how-to
7
-
ms.date: 05/03/2022
7
+
ms.date: 07/03/2025
8
8
9
-
10
-
#Customer intent: As a security engineer, I want to migrate QRadar detection rules to Microsoft Sentinel so that analysts can leverage machine learning analytics and built-in rules for more efficient threat detection and incident response.
9
+
#Customer intent: As a security engineer, I want to migrate QRadar detection rules to Microsoft Sentinel so that analysts can leverage machine learning analytics for more efficient threat detection and incident response.
11
10
12
11
---
13
12
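Review bot: the reworded "Customer intent" line drops "and built-in rules" from the intent, but the article body still tells readers to check Microsoft Sentinel's built-in analytics rules in the prerequisites list, so the intent and the body now describe the goal differently; either keep the phrase in the intent or make the body use the same Content hub wording. The ms.date bump to 07/03/2025 is fine on its own and matches the fact that this commit changes content.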
@@ -24,11 +23,11 @@ Microsoft Sentinel uses machine learning analytics to create high-fidelity and a
24
23
- Check that you understand the [rule terminology](#compare-rule-terminology).
25
24
- Review any rules that haven't triggered any alerts in the past 6-12 months, and determine whether they're still relevant.
26
25
- Eliminate low-level threats or alerts that you routinely ignore.
27
-
- Use existing functionality, and check whether Microsoft Sentinel’s [built-in analytics rules](https://github.com/Azure/Azure-Sentinel/tree/master/Detections) might address your current use cases. Because Microsoft Sentinel uses machine learning analytics to produce high-fidelity and actionable incidents, it’s likely that some of your existing detections won’t be required anymore.
26
+
- Use existing functionality and check whether Microsoft Sentinel’s [built-in analytics rules](https://github.com/Azure/Azure-Sentinel/tree/master/Detections) might address your current use cases. Because Microsoft Sentinel uses machine learning analytics to produce high-fidelity and actionable incidents, it’s likely that some of your existing detections won’t be required anymore.
28
27
- Confirm connected data sources and review your data connection methods. Revisit data collection conversations to ensure data depth and breadth across the use cases you plan to detect.
29
-
- Explore community resources such as the [SOC Prime Threat Detection Marketplace](https://my.socprime.com/platform-overview/) to check whether your rules are available.
28
+
- Explore community resources such as the [SOC Prime Threat Detection Marketplace](https://my.socprime.com/platform-overview/) to check whether your rules are available.
30
29
- Consider whether an online query converter such as Uncoder.io might work for your rules.
31
-
- If rules aren’t available or can’t be converted, they need to be created manually, using a KQL query. Review the [rules mapping](#map-and-compare-rule-samples) to create new queries.
30
+
- If rules aren't available or can't be converted, they need to be created manually, using a KQL query. Review the [rules mapping](#map-and-compare-rule-samples) to create new queries.
32
31
33
32
Learn more about [best practices for migrating detection rules](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/best-practices-for-migrating-detection-rules-from-arcsight/ba-p/2216417).
34
33
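Review bot: the apostrophes in this list are now mixed: the "If rules aren't available" item was switched to straight ASCII quotes, while the "Use existing functionality" item keeps the curly form in "Sentinel’s", "it’s" and "won’t". Pick one style for the whole list. The "Explore community resources" item shows as changed with no visible difference, which usually means trailing whitespace; confirm that is intentional so the diff stays limited to real edits.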
@@ -42,25 +41,26 @@ Learn more about [best practices for migrating detection rules](https://techcomm
42
41
43
42
1.**Confirm that you have any required data sources connected,** and review your data connection methods.
44
43
45
-
1. Verify whether your detections are available as built-in templates in Microsoft Sentinel:
44
+
1. Verify whether your detections are available as builtin templates in the Content Hub:
46
45
47
-
-**If the built-in rules are sufficient**, use built-in rule templates to create rules for your own workspace.
46
+
-**If the builtin rules are sufficient**, install the relevant solutions and use the templates to create rules for your workspace.
48
47
49
-
In Microsoft Sentinel, go to the **Configuration > Analytics > Rule templates** tab, and create and update each relevant analytics rule.
48
+
1. In Microsoft Sentinel, go to **Content management > Content hub**.
49
+
1. Search for and install the relevant analytics rule.
50
50
51
-
For more information, see [Create scheduled analytics rules from templates](create-analytics-rule-from-template.md).
51
+
For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md) and [Create scheduled analytics rules from templates](create-analytics-rule-from-template.md).
52
52
53
-
-**If you have detections that aren't covered by Microsoft Sentinel's built-in rules**, try an online query converter, such as [Uncoder.io](https://uncoder.io/) to convert your queries to KQL.
53
+
-**If you have detections that aren't covered by the builtin rules available in theContent Hub**, try an online query converter, such as [Uncoder.io](https://uncoder.io/) to convert your queries to KQL.
54
54
55
55
Identify the trigger condition and rule action, and then construct and review your KQL query.
56
56
57
-
-**If neither the built-in rules nor an online rule converter is sufficient**, you'll need to create the rule manually. In such cases, use the following steps to start creating your rule:
57
+
-**If neither Content Hub solutions nor an online rule converter is sufficient**, you'll need to create the rule manually. In such cases, use the following steps to start creating your rule:
58
58
59
59
1.**Identify the data sources you want to use in your rule**. You'll want to create a mapping table between data sources and data tables in Microsoft Sentinel to identify the tables you want to query.
60
60
61
61
1.**Identify any attributes, fields, or entities** in your data that you want to use in your rules.
62
62
63
-
1.**Identify your rule criteria and logic**. At this stage, you may want to use rule templates as samples for how to construct your KQL queries.
63
+
1.**Identify your rule criteria and logic**. At this stage, you may want to use rule templates as samples for how to construct your KQL queries as samples for how to construct your KQL queries.
64
64
65
65
Consider filters, correlation rules, active lists, reference sets, watchlists, detection anomalies, aggregations, and so on. You might use references provided by your legacy SIEM to understand [how to best map your query syntax](#map-and-compare-rule-samples).
66
66
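Review bot: the "Identify your rule criteria and logic" step now ends "...construct your KQL queries as samples for how to construct your KQL queries", a duplicated phrase introduced by this change; restore the sentence ending at the first "KQL queries." Also, "theContent Hub" is missing a space, and "builtin" (three places) should be "built-in" to match the unchanged "built-in rules" wording elsewhere in the article. The new nested steps are slightly inconsistent with the bullet above them: the bullet says to "install the relevant solutions and use the templates", while the step says "Search for and install the relevant analytics rule"; since the Content hub installs solutions that contain rule templates, the step should say "install the relevant solution" and then point the reader at the templates it provides. The added link to "Discover and manage Microsoft Sentinel out-of-the-box content" is the right companion reference.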
@@ -73,7 +73,7 @@ Learn more about [best practices for migrating detection rules](https://techcomm
73
73
Learn more about analytics rules:
74
74
75
75
-[**Scheduled analytics rules in Microsoft Sentinel**](scheduled-rules-overview.md). Use [alert grouping](scheduled-rules-overview.md#alert-grouping) to reduce alert fatigue by grouping alerts that occur within a given timeframe.
76
-
-[**Map data fields to entities in Microsoft Sentinel**](map-data-fields-to-entities.md) to enable SOC engineers to define entities as part of the evidence to track during an investigation. Entity mapping also makes it possible for SOC analysts to take advantage of an intuitive [investigation graph(investigate-cases.md#use-the-investigation-graph-to-deep-dive) that can help reduce time and effort.
76
+
-[**Map data fields to entities in Microsoft Sentinel**](map-data-fields-to-entities.md) to enable SOC engineers to define entities as part of the evidence to track during an investigation. Entity mapping also makes it possible for SOC analysts to take advantage of an intuitive [investigation graph](investigate-cases.md#use-the-investigation-graph-to-deep-dive) that can help reduce time and effort.
77
77
-[**Investigate incidents with UEBA data**](investigate-with-ueba.md), as an example of how to use evidence to surface events, alerts, and any bookmarks associated with a particular incident in the incident preview pane.
78
78
-[**Kusto Query Language (KQL)**](/kusto/query/?view=microsoft-sentinel&preserve-view=true), which you can use to send read-only requests to your [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial) database to process data and return results. KQL is also used across other Microsoft services, such as [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender) and [Application Insights](/azure/azure-monitor/app/app-insights-overview).
79
79
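Review bot: the missing "]" after "investigation graph" is correctly restored; the link would not have rendered before this fix. Nothing else in this hunk needs changing.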
@@ -399,7 +399,7 @@ Here's the sample rule in QRadar.
399
399
400
400
```kusto
401
401
CommonSecurityLog
402
-
| where SourceIP in (“10.1.1.1”,”10.2.2.2”)
402
+
| where SourceIP in ("10.1.1.1","10.2.2.2")
403
403
```
404
404
### Log source tests syntax
405
405
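Review bot: replacing the typographic quotes with straight ASCII quotes in the KQL sample is the right fix; KQL string literals take ASCII double or single quotes, so the previous version of the `where SourceIP in (...)` line would not have parsed if pasted into Log Analytics. Since this hunk fixes only one line, it is worth checking the article's other fenced `kusto` blocks for the same curly-quote issue in the same pass.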
@@ -429,4 +429,4 @@ OfficeActivity
429
429
In this article, you learned how to map your migration rules from QRadar to Microsoft Sentinel.
430
430
431
431
> [!div class="nextstepaction"]
432
-
> [Migrate your SOAR automation](migration-qradar-automation.md)
432
+
> [Migrate your SOAR automation](migration-qradar-automation.md)
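Review bot: no visible change on the "[Migrate your SOAR automation]" line; the -/+ pair is presumably a trailing-whitespace or line-ending fix. If so, fine; otherwise drop it to keep the diff limited to substantive edits.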