New Blog Post | Best practices - Migrating detection rules from ArcSight, Splunk, QRadar to Sentinel


Best practices for migrating detection rules from ArcSight, Splunk and QRadar to Azure Sentinel - Microsoft Tech Community: https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-migrating-detection-rules-from-arcsight/ba-p/2216417

A key task facing customers who migrate from other SIEM solutions to Azure Sentinel is translating their existing detection rules into Azure Sentinel analytics rules that preserve the original detection logic as faithfully as possible. Azure Sentinel also offers significant advantages in the analytics rules pillar that make the migration effort worthwhile. These include four built-in rule types (discussed in the linked blog post), alert grouping, event grouping, entity mapping, evidence summary, and a powerful query language (KQL) that is shared with other Microsoft solutions such as Microsoft Defender for Endpoint and Application Insights.
