cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Conversion of Existing SIEM(QRadar, Arcsight) rule to Sentinel

vijayyadav351
Copper Contributor

‎Sep 17 2020 09:36 AM

‎Sep 17 2020 09:36 AM

Conversion of Existing SIEM(QRadar, Arcsight) rule to Sentinel

The key challenge which we are facing is to migrate existing SIEM(QRadar, ArcSight) solution use cases to Sentinel Use cases. We tried uncoder.io but even that is not helpful to 1%. Please support if some one is having good way to execute it.  

3,060 Views
0 Likes
4 Replies
Reply
4 Replies
mergene

‎Sep 19 2020 12:13 PM

‎Sep 19 2020 12:13 PM

RE: Conversion of Existing SIEM(QRadar, Arcsight) rule to Sentinel

You can convert only the queries. Use cases in ArcSight ESM or QRadar has to be rebuilt on Sentinel manually.
0 Likes
Reply
Gary Bushey

‎Sep 20 2020 06:15 AM

‎Sep 20 2020 06:15 AM

Re: Conversion of Existing SIEM(QRadar, Arcsight) rule to Sentinel

@vijayyadav351 You can also check places like SocPrime that have a repository of alert rules to see if the ones you need in your other system are present and then export those as Azure Sentinel rules.

0 Likes
Reply
vijayyadav351

‎Sep 20 2020 08:59 AM

‎Sep 20 2020 08:59 AM

RE: Conversion of Existing SIEM(QRadar, Arcsight) rule to Sentinel

@mergene but I am unable to convert query also. You mean using undecoder.io or there is other way available.  

0 Likes
Reply
Erdem Erdogan

‎Apr 08 2021 02:39 AM

‎Apr 08 2021 02:39 AM

Re: Conversion of Existing SIEM(QRadar, Arcsight) rule to Sentinel

This article covers the related best practices comprehensively.

Best practices for migrating detection rules from ArcSight, Splunk and QRadar to Azure Sentinel
https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-migrating-detection-rules-f...
0 Likes
Reply