Migration to Microsoft Sentinel made easy
Published Jun 29 2022 01:35 AM 5,024 Views

Special thanks: @Javier Soriano@Jeremy Tan , @Hesham Saad@Sreedhar Ande@Matt_Lowe@BindiyaPriyadarshini, @Inwafula , @umnagdev, @Limor Wainstein, @chaitra_satish  for all the content you contributed!


As the digital estate grows, security analysts need visibility across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds to protect their organization and automatically respond to threats. Security Operations Center (SOC) personnel are often overwhelmed with legacy Security Information and Event Management (SIEM) solutions that cannot scale with growing data, false security alerts and incidents, and struggle with manual management of multiple SIEM and security orchestration, automation, and response (SOAR) solutions. This is labor, time and cost intensive resulting in many critical alerts being uninvestigated and ignored while creating blind spots and leaving the organization vulnerable to cyberattacks.


What organizations need is a modern, cloud-native SIEM that addresses these challenges by automatically collecting data and at scale, detects unknown threats, investigates threats with artificial intelligence (AI), and responds to incidents rapidly with built-in automation and remediation. To help security analysts focus on identifying and triaging critical threats, Microsoft has published a new guide – Plan your Migration to Microsoft Sentinel to overcome these challenges and help customers in their migration journey to Microsoft Sentinel.

This new guide focuses on the following areas:

  • Planning your migration
  • Migrating detection rules
  • Migrating SOAR
  • Migrating historical data
  • Converting dashboards to workbooks
  • Upgrading SOC processes

The guide provides information, processes, and navigation tips to migrate from three major third-party SIEMs (ArcSight, Splunk and QRadar) to Microsoft Sentinel.


Planning the migration is a critical initial phase in the overall migration project. A typical migration process has four phases - Discover, Design, Implement and Operationalize. The guide will take you through each of these phases, key activities, and the most important deliverables in each of them.




Additionally, we created a dedicated tracking workbook where you can track your migration to Microsoft Sentinel, visualize your migration process and track different artifacts Microsoft Sentinel provides - data connectors, analytics rules, workbooks, automation and UEBA.




Migrating detection rules

This is one of the pillars where we have focused on migration from ArcSight, Splunk and QRadar. The guide provides generic steps to identify the right rules to migrate, a comparison of rule terminology between the two SIEMs, and in-depth instructions on how different rule structures can be migrated to Microsoft Sentinel’s Kusto Query Language (KQL).


Migrating SOAR

In the guide you will find information on identifying SOAR use cases and migrating to Microsoft Sentinel automation capabilities (automation rules and playbooks) from ArcSight, Splunk and QRadar SOAR. To simplify the process, we provide:

  • Terminology mapping
  • Comparison between the automation workflows of SOAR platforms with Microsoft Sentinel



Migrate historical data

Many customers are required to keep their historical data for compliance and/or regulatory reasons. We created specific guidance and tools to assist customers to decide which option of migrating their historical data would be the most suitable for them and how can they accelerate it with dedicated tools. We focus on migration from ArcSight, Splunk and QRadar with emphasis on how to export the historical data, choosing the target platform and the migration tools. Here’s a short introduction to the content:

  • How to export historical data from ArcSight, Splunk and QRadar. These articles talk about the different mechanisms available in each of those SIEMs to extract historical data in a format that can then be easily migrated to other platforms.
  • Choosing the target platform and the migration tool for your historical logs. The first one focuses on the different factors that may affect your decision on where to move your historical logs to. This would obviously depend on the use you want to have of those logs.
  • Moving your logs into the target platform. Depending on the selected target platform, the migration method will vary, here we discuss those details.



Update SOC processes

We understand adopting a new technology can be challenging. To address this, we have built this article to help security analysts update their SOC and processes when migrating to Microsoft Sentinel. The article describes the various stages of incident handling (Assign, Triage, Investigate and Respond) and how they are normally performed in Microsoft Sentinel. With the mapping table, analysts can compare the main concepts of legacy SIEM to Microsoft Sentinel.


No matter where you are in your SEIM migration journey, we at Microsoft are here to help and ensure you have all the right resources to simplify the process. We hope you find the migration guide resourceful. As always, feel free to provide feedback and share your experience with us below!


Additional Resources

Track your Microsoft Sentinel Migration with a Workbook

Convert dashboards to Azure workbooks

Version history
Last update:
‎Jun 29 2022 07:07 AM
Updated by: