Special thanks: @Javier Soriano, @Jeremy Tan, @Hesham Saad, @Sreedhar Ande, @Matt_Lowe, @BindiyaPriyadarshini, @Inwafula, @Umesh_Nagdev, @Limor Wainstein, @chaitra_satish for all the content you contributed!
As the digital estate grows, security analysts need visibility across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds, to protect their organization and automatically respond to threats. Security Operations Center (SOC) personnel are often overwhelmed with legacy Security Information and Event Management (SIEM) solutions that cannot scale with growing data volumes, that generate false security alerts and incidents, and that require manual management of multiple SIEM and security orchestration, automation, and response (SOAR) solutions. This is labor, time and cost intensive, resulting in many critical alerts going uninvestigated and ignored, which creates blind spots and leaves the organization vulnerable to cyberattacks.
What organizations need is a modern, cloud-native SIEM that addresses these challenges by automatically collecting data at scale, detecting unknown threats, investigating threats with artificial intelligence (AI), and responding to incidents rapidly with built-in automation and remediation. To help security analysts focus on identifying and triaging critical threats, Microsoft has published a new guide, Plan your Migration to Microsoft Sentinel, to overcome these challenges and help customers in their migration journey to Microsoft Sentinel.
This new guide focuses on the following areas:
The guide provides information, processes, and navigation tips to migrate from three major third-party SIEMs (ArcSight, Splunk and QRadar) to Microsoft Sentinel.
Planning the migration is a critical initial phase in the overall migration project. A typical migration process has four phases - Discover, Design, Implement and Operationalize. The guide will take you through each of these phases, key activities, and the most important deliverables in each of them.
Additionally, we created a dedicated tracking workbook where you can track your migration to Microsoft Sentinel, visualize your migration process and track different artifacts Microsoft Sentinel provides - data connectors, analytics rules, workbooks, automation and UEBA.
This is one of the pillars where we have focused on migration from ArcSight, Splunk and QRadar. The guide provides generic steps to identify the right rules to migrate, a comparison of rule terminology between the two SIEMs, and in-depth instructions on how different rule structures can be migrated to Microsoft Sentinel’s Kusto Query Language (KQL).
In the guide you will find information on identifying SOAR use cases and migrating to Microsoft Sentinel automation capabilities (automation rules and playbooks) from ArcSight, Splunk and QRadar SOAR. To simplify the process, we provide:
Many customers are required to keep their historical data for compliance and/or regulatory reasons. We created specific guidance and tools to help customers decide which option for migrating their historical data is the most suitable for them and how they can accelerate it with dedicated tools. We focus on migration from ArcSight, Splunk and QRadar, with emphasis on how to export the historical data, how to choose the target platform, and which migration tools to use. Here’s a short introduction to the content:
We understand adopting a new technology can be challenging. To address this, we have built this article to help security analysts update their SOC and processes when migrating to Microsoft Sentinel. The article describes the various stages of incident handling (Assign, Triage, Investigate and Respond) and how they are normally performed in Microsoft Sentinel. With the mapping table, analysts can compare the main concepts of legacy SIEM to Microsoft Sentinel.
No matter where you are in your SIEM migration journey, we at Microsoft are here to help and ensure you have all the right resources to simplify the process. We hope you find the migration guide a useful resource. As always, feel free to provide feedback and share your experience with us below!