Aug 18 2021 01:29 PM - last edited on Nov 03 2021 04:01 AM by TechCommunityAP
Migrating content from traditional SIEMs to Azure Sentinel | Microsoft Security Blog
In part two of this three-part series, we covered the five types of side-by-side security information and event management (SIEM) configurations commonly used during a long-term migration to Microsoft Azure Sentinel. For part three, we’ll be looking at best practices for migrating your data and detections while operating side-by-side with your on-premises SIEM, as well as ways to maximize Azure Sentinel’s powerful automation capabilities to streamline common tasks.
The information presented here is derived from experience we’ve accumulated while assisting numerous customer migrations, as well as from the experience of Microsoft’s own security operations center (SOC) in protecting our IT infrastructure. Typically, the migration to Azure Sentinel is undertaken in three phases: first data, then detection rules, and finally the automation of workflows.