Today we're announcing the general availability of the SIEM Migration experience in Microsoft Sentinel, which lets you bring your existing SIEM detections into Microsoft Sentinel. This is a first step toward helping customers accelerate and simplify migrations to Microsoft Sentinel. Migrating a SIEM solution is often complex, resource-intensive, and expensive, and the current processes in this space are manual and arduous.
The experience supports SIEM migrations from Splunk to Microsoft Sentinel and is compatible with both Splunk Enterprise and Splunk Cloud editions. At GA, it supports migrating Splunk detections to Microsoft Sentinel analytics rules, scoped to simple, single-table queries based on the Splunk Common Information Model (CIM). It includes capabilities to determine the level of migration success for each detection, with a built-in editor to modify the query before bringing it over.
Get started with the SIEM migration experience
Prerequisites
As you prepare to migrate Splunk detections to Microsoft Sentinel, you will need:
SIEM migration experience flow
The analysis shows the Translation State of each query's translation from SPL (Splunk's Search Processing Language) to KQL (Kusto Query Language). Each Splunk alert can be in one of the following states:
You can edit any of the partially translated or not translated rules to fix them and include them in the migration scope, as illustrated below. The editor flags errors where fixes are needed to produce functionally valid KQL. Over time we plan to expand translation coverage and success, reducing the number of partially translated and not translated rules and the manual effort involved.
Download Migration Summary gives you a summary of the analytics rule deployment.
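To show the kind of edit a partially translated rule typically needs, here is a constructed example that is not output of the SIEM Migration experience and not Microsoft's code. The SPL in the comment is a simple single-table detection written against CIM Authentication field names (action, user, src); the KQL below it is a hand-written equivalent over the Microsoft Entra ID SigninLogs table. The table name, the column mapping (user to UserPrincipalName, src to IPAddress, action=failure to a non-zero ResultType) and the one-hour window are assumptions for this illustration; they are exactly the details a practitioner checks in the editor before including a rule in the migration scope.

```kusto
// Constructed example, not tool output. Original Splunk detection (SPL),
// single table, CIM Authentication data model:
//   sourcetype=* action=failure
//   | stats count AS failures BY user, src
//   | where failures > 10
//
// Hand-written KQL equivalent for a Sentinel analytics rule. Assumed mapping:
//   user   -> UserPrincipalName
//   src    -> IPAddress
//   action=failure -> ResultType != "0" (0 is a successful sign-in)
SigninLogs
| where TimeGenerated > ago(1h)          // assumed lookback; align with the rule's query period
| where ResultType != "0"                 // failed sign-ins only
| summarize failures = count(),
            firstSeen = min(TimeGenerated),
            lastSeen  = max(TimeGenerated)
    by UserPrincipalName, IPAddress
| where failures > 10                     // same threshold as the SPL rule
| project firstSeen, lastSeen, UserPrincipalName, IPAddress, failures
```

When validating a translated rule, compare the SPL stats/where pipeline with the KQL summarize/where pipeline step by step: the grouping fields, the count alias and the threshold should match one to one, and any column the editor cannot resolve (here, the assumed UserPrincipalName and IPAddress) is where the rule stays partially translated until you map it to the table you actually ingest.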
We plan to continue to invest and evolve this migration experience with the following top priorities:
For more information on the migration experience and Microsoft Sentinel check out these resources: