If neither the built-in rules nor an online rule converter is sufficient, you'll need to create the rule manually. Identify the trigger condition and rule action, and then construct and review your KQL query. If you have detections that aren't covered by Microsoft Sentinel's built-in rules, try an online query converter, such as Uncoder.io to convert your queries to KQL. In Microsoft Sentinel, go to the Configuration > Analytics > Rule templates tab, and create and update each relevant analytics rule.įor more information, see Detect threats out-of-the-box. If the built-in rules are sufficient, use built-in rule templates to create rules for your own workspace. Verify whether your detections are available as built-in templates in Microsoft Sentinel: Prepare a validation process for your migrated rules, including full test scenarios and scripts.Įnsure that your team has useful resources to test your migrated rules.Ĭonfirm that you have any required data sources connected, and review your data connection methods. ![]() Verify that you have a testing system in place for each rule you want to migrate. To migrate your analytics rules to Microsoft Sentinel: Learn more about best practices for migrating detection rules. Review the rules mapping to create new queries. If rules aren’t available or can’t be converted, they need to be created manually, using a KQL query.Consider whether an online query converter such as Uncoder.io might work for your rules.Explore community resources such as the SOC Prime Threat Detection Marketplace to check whether your rules are available.Revisit data collection conversations to ensure data depth and breadth across the use cases you plan to detect. Confirm connected data sources and review your data connection methods.Because Microsoft Sentinel uses machine learning analytics to produce high-fidelity and actionable incidents, it’s likely that some of your existing detections won’t be required anymore. Use existing functionality, and check whether Microsoft Sentinel’s built-in analytics rules might address your current use cases.Eliminate low-level threats or alerts that you routinely ignore.Review any rules that haven't triggered any alerts in the past 6-12 months, and determine whether they're still relevant.Check that you understand the rule terminology.Check that you understand Microsoft Sentinel rule types.Make sure to select use cases that justify rule migration, considering business priority and efficiency.Review these considerations as you identify your existing detection rules. Therefore, don't migrate all of your detection and analytics rules blindly. ![]() Microsoft Sentinel uses machine learning analytics to create high-fidelity and actionable incidents, and some of your existing detections may be redundant in Microsoft Sentinel. If you want to migrate your Splunk Observability deployment, learn more about how to migrate from Splunk to Azure Monitor Logs. This article describes how to identify, compare, and migrate your Splunk detection rules to Microsoft Sentinel built-in rules.
0 Comments
Leave a Reply. |