
Commit fa70757

Creates FAQ
1 parent 2218382 commit fa70757


2 files changed

+31
-7
lines changed


solutions/security/get-started/siem-migration.md

Lines changed: 31 additions & 7 deletions
@@ -1,10 +1,10 @@
1-
# AI-powered SIEM migration
1+
# Automatic migration
22

33
::::{warning}
44
This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features.
55
::::
66

7-
Elastic's AI-powered SIEM migration helps you quickly convert SIEM rules from the Splunk Processing Language (SPL) to the Elasticsearch Query Language ({{esql}}). It simplifies onboarding by matching your rules to Elastic-authored rules, if comparable rules exist. Otherwise, it automatically translates rules on the fly so you can verify and edit them instead of rewriting them from scratch.
7+
Automatic Migration for detection rules helps you quickly convert SIEM rules from the Splunk Processing Language (SPL) to the Elasticsearch Query Language ({{esql}}). It simplifies onboarding by matching your rules to Elastic-authored rules, if comparable rules exist. Otherwise, it automatically translates rules on the fly so you can verify and edit them instead of rewriting them from scratch.
88

99
You can ingest your data before migrating your rules, or migrate your rules first, in which case the tool will recommend which data sources you need to power your migrated rules.
1010

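Review bot: the renamed H1 on line 1 reads `# Automatic migration` (lower-case m), while every other renamed occurrence in this patch, including the body text on line 7 and the `## Get started with Automatic Migration` heading, capitalizes both words; settle on one form of the feature name before merging. Since the file is still `siem-migration.md` and the old name "AI-powered SIEM migration" disappears entirely, consider adding one sentence in the intro noting the previous name so readers arriving from older links or release notes recognize the page.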
@@ -14,13 +14,14 @@ You can ingest your data before migrating your rules, or migrate your rules firs
1414
* {{stack}} users: an [Enterprise](https://www.elastic.co/pricing) subscription.
1515
* {{Stack}} users: {{ml}} must be enabled.
1616
* {{serverless-short}} users: a [Security Complete](../../../deploy-manage/deploy/elastic-cloud/project-settings.md) subscription.
17+
* {{ecloud}} users: {{ml}} must be enabled. We recommend a minimum size of 4GB of RAM per {ml} zone.
1718

1819
::::
1920

20-
## Get started with AI-powered SIEM migration
21+
## Get started with Automatic Migration
2122

2223
1. Find **Get started** in the navigation menu or use the [global search bar](/explore-analyze/find-and-organize/find-apps-and-objects.md).
23-
2. Under **Configure AI provider** select a model, or [add a new one](/solutions/security/ai/set-up-connectors-for-large-language-models-llm.md). For information on how different models perform, refer to the [LLM performance matrix](../../../solutions/security/ai/large-language-model-performance-matrix.md).
24+
2. Under **Configure AI provider** you can use Elastic LLM, select another configured model, or [add a new one](/solutions/security/ai/set-up-connectors-for-large-language-models-llm.md). For information on how different models perform, refer to the [LLM performance matrix](../../../solutions/security/ai/large-language-model-performance-matrix.md).
2425
3. Next, under **Migrate rules & add data**, click **Translate your existing SIEM rules to Elastic**, then **Upload rules**.
2526
4. Follow the instructions on the **Upload Splunk SIEM rules** flyout to export your rules from Splunk as JSON.
2627

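Review bot: the added prerequisite on line 17 uses `{ml}` with single braces in "per {ml} zone", which will render literally instead of expanding the variable as `{{ml}}` does earlier on the same line; fix the braces and write "4 GB" rather than "4GB". The bullet should also say whether it applies in addition to the `{{Stack}} users: {{ml}} must be enabled` bullet on line 15, because an {{ecloud}} deployment is also a Stack deployment and a reader currently sees two overlapping requirements. While touching this list, the adjacent bullets mix `{{stack}}` (line 14) and `{{Stack}}` (line 15); only one of those is the defined variable.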
@@ -50,7 +51,7 @@ You can ingest your data before migrating your rules, or migrate your rules firs
5051
If the file is large, you may need to separate it into multiple parts and upload them individually to avoid exceeding your LLM's context window.
5152
::::
5253

53-
6. After you upload your Splunk rules, SIEM migration will detect whether they use any Splunk macros or lookups. If so, follow the instructions which appear to export and upload them. Alternatively, you can complete this step later — however, until you upload them, some of your migrated rules will have a `partially translated` status. If you upload them now, you don't have to wait on the page for them to be processed — a notification will appear when processing is complete.
54+
6. After you upload your Splunk rules, Automatic Migration will detect whether they use any Splunk macros or lookups. If so, follow the instructions which appear to export and upload them. Alternatively, you can complete this step later — however, until you upload them, some of your migrated rules will have a `partially translated` status. If you upload them now, you don't have to wait on the page for them to be processed — a notification will appear when processing is complete.
5455

5556
7. Click **Translate** to start the rule translation process. You don't need to stay on this page. A notification will appear when the process is complete.
5657

@@ -72,7 +73,12 @@ When you upload a new batch of rules, they are assigned a name and number, for e
7273
The table's fields are as follows:
7374

7475
* **Name:** The names of Elastic authored rules cannot be edited until after rule installation. To edit the name of a custom translated rule, click the name and select **Edit**.
75-
* **Status:** The rule's translation status.
76+
* **Status:** The rule's translation status:
77+
* `Installed`: Already added to Elastic SIEM. Click **View** to manage and enable it.
78+
* `Translated`: Ready to install. This rule was mapped to an Elastic-authored rule, or translated by Automatic Import. Click **Install** to install it.
79+
* `Partially translated`: Part of the query could not be translated. You may need to specify an index pattern for the rule query, upload missing macros or lookups, or fix broken rule syntax.
80+
* `Not translated`: None of the original query could be translated.
81+
* `Error`: Rule translation failed. Refer to the the error details.
7682
* **Risk Score:** For Elastic authored rules, risk scores are predefined. For custom translated rules, risk scores are defined as follows:
7783
* If the source rule has a field comparable to Elastic's risk score, we use that value.
7884
* Otherwise, if the source rule has a field comparable to Elastic's rule severity field, we base the risk score on that value according to these [guidelines](/solutions/security/detect-and-alert/create-detection-rule.md#custom-highlighted-esql-fields).
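Review bot: the `Translated` status on line 78 says the rule was "translated by Automatic Import", which is a different Elastic feature; this should read "Automatic Migration" as everywhere else in the patch. Line 81 has a doubled word in "Refer to the the error details". The status values are introduced here with a capital (`Partially translated`), whereas step 6 on line 54 writes `partially translated`; quote the status exactly as the UI shows it in both places. The `Partially translated` entry lists three possible causes (missing index pattern, missing macros or lookups, broken syntax) but does not tell the reader how to find out which one applies; pointing to the rule details flyout described later on the page would close that gap.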
@@ -87,7 +93,7 @@ The table's fields are as follows:
8793
| 4 (High) | High |
8894
| 5 (Critical) | Critical |
8995

90-
* **Author:** Shows one of two possible values: `Elastic`, or `Custom`. Elastic authored rules are created by Elastic and update automatically. Custom rules are translated by the SIEM migration tool or your team, and do not update automatically.
96+
* **Author:** Shows one of two possible values: `Elastic`, or `Custom`. Elastic authored rules are created by Elastic and update automatically. Custom rules are translated by the Automatic Migration tool or your team, and do not update automatically.
9197
* **Integrations:** Shows the number of Elastic integrations that must be installed to provide data for the rule to run successfully.
9298
* **Actions:** Allows you to click **Install** to add a rule to Elastic. Installed rules must also be enabled before they will run. To install rules in bulk, select the check box at the top of the table before clicking **Install**.
9399

@@ -117,3 +123,21 @@ If you haven't yet ingested your data, you will likely encounter `Unknown index`
117123

118124
The rule details flyout which appears when you click on a rule's name in the **Translate rules** table has two other tabs, **Overview** and **Summary**. The **Overview** tab displays information such as the rule's severity, risk score, rule type, and how frequently it runs. The **Summary** tab explains the logic behind how the rule was translated, such as why specific {{esql}} commands were used, or why a source rule was mapped to a particular Elastic authored rule.
119125

126+
127+
# FAQ (Frequently asked questions)
128+
129+
**How does Automatic Migration handle rules that can't be exactly translated, such as due to feature parity issues?**
130+
131+
After translation, rules that can't be translated appear with a status of either partially translated (yellow) or not translated (red). From there, you can address them individually.
132+
133+
**How does Automatic Migration handle Splunk rules which lookup other indices?**
134+
135+
Rules that fall into this category will typically appear with a status of partially translated. Lookup JOINs are currently a tech preview {{esql}} which can help in this situation.
136+
137+
**Are nested macros supported?**
138+
139+
Yes, Automatic Migration can handle nested macros.
140+
141+
**How can we ensure rules stay up to date?**
142+
143+
Automatic Migration maps your rules to Elastic-authored rules whenever possible, which are updated automatically. Like all custom rules, rules created by Automatic Migration must be maintained by you.
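Review bot: `# FAQ (Frequently asked questions)` on line 127 is an H1, but every other section on this page is an H2 (`## Get started with Automatic Migration`), so this renders as a second page title; change it to `##`, and drop one of the two consecutive blank lines on lines 125 and 126. In the answer on line 135, "Lookup JOINs are currently a tech preview {{esql}} which can help in this situation" is missing a noun after `{{esql}}` (for example "command" or "feature") and should point the reader at the relevant {{esql}} documentation instead of leaving them to locate it. The first answer (line 131) says rules that "can't be translated" get a partially translated status, which contradicts the status definitions above where partial translation means part of the query was translated; "can't be fully translated" is what is meant. The last answer (line 143) reads as though every migrated rule both updates automatically and must be maintained by you; state explicitly that rules mapped to Elastic-authored rules update automatically and that custom translated rules do not, matching the **Author** field description above.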
