Migrate to Microsoft Sentinel with the SIEM migration experience

Article
03/29/2024
Applies to:

Microsoft Sentinel in the Azure portal

Migrate your SIEM to Microsoft Sentinel for all your security monitoring use cases. Automated assistance from the SIEM Migration experience simplifies your migration.

These features are currently included in the SIEM Migration experience:

Splunk

The experience focuses on migrating Splunk security monitoring to Microsoft Sentinel.
The experience only supports migration of Splunk detections to Microsoft Sentinel analytics rules.

Prerequisites

You need the following from the source SIEM:

Splunk

The migration experience is compatible with both Splunk Enterprise and Splunk Cloud editions.
A Splunk admin role is required to export all Splunk alerts. For more information, see Splunk role-based user access.
Export the historical data from Splunk to the relevant tables in the Log Analytics workspace. For more information, see Export historical data from Splunk

You need the following on the target, Microsoft Sentinel:

The SIEM migration experience deploys analytics rules. This capability requires the Microsoft Sentinel Contributor role. For more information, see Permissions in Microsoft Sentinel.
Ingest security data previously used in your source SIEM into Microsoft Sentinel. Install and enable out-of-the-box (OOTB) data connectors to match your security monitoring estate from your source SIEM.
- If the data connectors aren't installed yet, find the relevant solutions in Content hub.
- If no data connector exists, create a custom ingestion pipeline.
  For more information, see Discover and manage Microsoft Sentinel out-of-the-box content or Custom data ingestion and transformation.

Translate Splunk detection rules

At the core of Splunk detection rules is the Search Processing Language (SPL). The SIEM migration experience systematically translates SPL to Kusto query language (KQL) for each Splunk rule. Carefully review translations and make adjustments to ensure migrated rules function as intended in your Microsoft Sentinel workspace. For more information on the concepts important in translating detection rules, see migrate Splunk detection rules.

Current capabilities:

Translate simple queries with a single data source
Direct translations listed in the article, Splunk to Kusto cheat sheet
Review translated query error feedback with edit capability to save time in the detection rule translation process
Translated queries feature a completeness status with translation states

Here are some of the priorities that are important to us as we continue to develop the translation technology:

Splunk Common Information Model (CIM) to Microsoft Sentinel's Advanced Security Information Model (ASIM) translation support
Support for Splunk macros
Support for Splunk lookups
Translation of complex correlation logic that queries and correlates events across multiple data sources

Start the SIEM migration experience

Navigate to Microsoft Sentinel in the Azure portal, under Content management, select Content hub.
Select SIEM Migration.

Screenshot showing content hub with menu item for the SIEM migration experience.

Upload Splunk detections

From Splunk Web, select Search and Reporting in the Apps panel.
Run the following query:

| rest splunk_server=local count=0 /services/saved/searches | search disabled=0 | table title,search ,*
Select the export button and choose JSON as the format.
Save the file.
Upload the exported Splunk JSON file.

Note

The Splunk export must be a valid JSON file and the upload size is limited to 50 MB.

Screenshot showing the upload files tab.

Configure rules

Select Configure Rules.
Review the analysis of the Splunk export.
- Name is the original Splunk detection rule name.
- Translation Type indicates if a Sentinel OOTB analytics rule matches the Splunk detection logic.
- Translation State has the following values:
  - Fully Translated queries in this rule were fully translated to KQL
  - Partially Translated queries in this rule weren't fully translated to KQL
  - Not Translated indicates an error in translation
  - Manually Translated when any rule is reviewed and saved
Note

Check the schema of the data types and fields used in the rule logic. Microsoft Sentinel Analytics require that the data type be present in the Log Analytics Workspace before the rule is enabled. It's also important the fields used in the query are accurate for the defined data type schema.
Highlight a rule to resolve translation and select Edit. When you are satisfied with the results, select Save Changes.
Switch on the Ready to deploy toggle for Analytics rules you want to deploy.
When the review is complete, select Review and migrate.

Deploy the Analytics rules

Select Deploy.

Translation Type	Resource deployed
Out of the box	The corresponding solutions from Content hub that contain the matched analytics rule templates are installed. The matched rules are deployed as active analytics rules in the disabled state. For more information, see Manage Analytics rule templates.
Custom	Rules are deployed as active analytics rules in the disabled state.

(Optional) Choose Analytics rules and select Export Templates to download them as ARM templates for use in your CI/CD or custom deployment processes.
Before exiting the SIEM Migration experience, select Download Migration Summary to keep a summary of the Analytics deployment.

Validate and enable rules

View the properties of deployed rules from Microsoft Sentinel Analytics.
- All migrated rules are deployed with the Prefix [Splunk Migrated].
- All migrated rules are set to disabled.
- The following properties are retained from the Splunk export wherever possible:
  Severity
  queryFrequency
  queryPeriod
  triggerOperator
  triggerThreshold
  suppressionDuration
Enable rules after you review and verify them.

Next step

In this article, you learned how to use the SIEM migration experience.

Migrate Splunk detection rules