How to Plan a Migration from SIEM Solutions to Azure Sentinel

by: Ronald Prasad, Microsoft Services Principal

Migrating to Azure Sentinel can help make your security operations (SecOps) team more efficient. Microsoft operates Azure Sentinel under a shared responsibility model, which means your team's time and resources go to security work rather than to running SIEM infrastructure. A cloud-native security information and event management (SIEM) platform such as Azure Sentinel also drives significant cost savings: recent economic studies found that Azure Sentinel is 48% less expensive than traditional on-premises SIEMs.

Getting started with a SIEM migration project can seem daunting, especially if you have spent years building custom use cases and content for your existing SIEM tool. That is why it is important to plan the migration properly: to ensure there are no gaps in coverage during the migration, which could put the security of your organization in jeopardy, and to confirm that all use cases and content have been fully migrated before the final cutover.

CRITICALSTART has developed a migration plan to help you avoid potential pitfalls and ensure a smooth transition from an existing SIEM to Microsoft Azure Sentinel.

Our four-phase approach provides instructions on how to plan and perform a full production migration from an existing SIEM to Azure Sentinel, as follows:

Phase 1: Analysis of Existing Deployment

  • Identify all data sources currently feeding into the existing SIEM
    • List all network appliances, such as firewalls.
    • Verify current log collection profiles for network appliances.
    • List all virtual machines/endpoints currently monitored via SIEM.
    • Identify all cloud-native services currently monitored via SIEM.
  • Identify custom use cases, detection rules, and dashboards
    • Identify and analyze all existing detection rules and queries.
    • Identify and analyze any existing SOC flow implementations.
    • List all required security operations center (SOC) reporting dashboards.
  • Identify any automated response (SOAR) use cases
    • Identify and analyze all SOC automated response workflows.
    • Identify any existing ticketing automation workflows.

Phase 2: Side-by-side Deployment

  • Deploy Azure Sentinel
    • Deploy Azure Sentinel in a centralized subscription.
  • Enable Azure Sentinel built-in features and detection
    • Enable built-in detection rules.
    • Enable CEF-based log collection from services that do not have an out-of-the-box data connector in Azure Sentinel.
  • Configure multi-homing for data sources
    • Configure additional log forwarding rules for network appliances to send logs to Azure Sentinel in parallel with the existing SIEM.
    • Configure multi-homing for log collection agents for virtual machines/endpoints.
  • Configure live incident synchronization between the existing SIEM and Azure Sentinel
  • Conduct SOC Training
    • Educate and train the SOC team on how to perform investigations and incident lifecycle management in Azure Sentinel.
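The side-by-side phase only protects you from coverage gaps if you can prove that every source inventoried in Phase 1 is actually landing in Azure Sentinel. The following KQL query is an added example for that check; it is not from the original article or from CRITICALSTART. It assumes the CEF sources arrive in the standard CommonSecurityLog table, and the three vendor/product names in the inventory are constructed placeholders that you would replace with your own Phase 1 list.

```kql
// Added example: compare the Phase 1 source inventory against what Azure Sentinel
// actually received over the last 24 hours, and flag anything missing or stale.
// The inventory below is constructed; substitute the DeviceVendor/DeviceProduct
// values your appliances emit in their CEF headers.
let ExpectedSources = datatable(DeviceVendor:string, DeviceProduct:string)
[
    "ExampleFirewallVendor", "ExampleFirewall",   // placeholder
    "ExampleProxyVendor",    "ExampleProxy",      // placeholder
    "ExampleVpnVendor",      "ExampleVpn"         // placeholder
];
// Per-product event counts and last-seen time from the CEF connector table
let Observed = CommonSecurityLog
| where TimeGenerated > ago(24h)
| summarize EventCount = count(), LastSeen = max(TimeGenerated)
    by DeviceVendor, DeviceProduct;
// Left outer join keeps inventory rows that have no matching events at all
ExpectedSources
| join kind=leftouter Observed on DeviceVendor, DeviceProduct
| extend Status = case(
    isnull(EventCount),     "MISSING",   // never arrived: forwarding rule or connector problem
    LastSeen < ago(1h),     "STALE",     // arrived earlier but stopped: likely a forwarding outage
                            "OK")
| project DeviceVendor, DeviceProduct, EventCount, LastSeen, Status
| order by Status asc, DeviceProduct asc
```

Run this from the Logs blade (or schedule it as an analytics rule so a MISSING or STALE row raises an incident) after each batch of forwarding rules is changed, and again before cutover. The same pattern applied to the Heartbeat table, keyed on Computer, covers the multi-homed agents on virtual machines and endpoints.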

Phase 3: Controlled Migration

  • Migrate use case detection rules/queries
  • Migrate dashboards and automation use cases
  • Prepare for final cutover to Azure Sentinel
  • Perform attack simulations to evaluate SOC readiness
    • Perform attack simulation for network-based security products.
  • Fully migrate SOC to Azure Sentinel
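Most of the effort in Phase 3 is re-expressing legacy correlation rules in KQL so that their logic, not just their names, survives the move. The query below is an added example, not content from the original article or from CRITICALSTART: it takes a typical legacy rule (at least 10 failed logons for one account from one source address within 10 minutes, followed by a successful network or remote-interactive logon) and rewrites it against the SecurityEvent table. The threshold and window are assumptions chosen to mirror a common legacy setting; tune them to whatever your existing rule uses.

```kql
// Added example: a legacy "brute force followed by success" correlation rule
// migrated to KQL for an Azure Sentinel scheduled analytics rule.
// Threshold and window are assumed values; copy them from the legacy rule.
let Window = 10m;
let Threshold = 10;
// Step 1: bursts of failed logons (EventID 4625) per account, source IP and host
let Failures = SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625
| summarize FailedCount = count(),
            FirstFailure = min(TimeGenerated),
            LastFailure  = max(TimeGenerated)
    by TargetUserName, IpAddress, Computer
| where FailedCount >= Threshold and (LastFailure - FirstFailure) <= Window;
// Step 2: a later successful logon (EventID 4624) from the same IP to the same
// account; LogonType 3 (network) and 10 (RemoteInteractive) match the legacy scope
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4624 and LogonType in (3, 10)
| join kind=inner Failures on TargetUserName, IpAddress, Computer
| where TimeGenerated > LastFailure
| project SuccessTime = TimeGenerated, TargetUserName, IpAddress, Computer,
          FailedCount, FirstFailure, LastFailure
// Entity mapping columns so the incident shows account, IP and host entities
| extend AccountCustomEntity = TargetUserName,
         IPCustomEntity      = IpAddress,
         HostCustomEntity    = Computer
```

When you schedule this as an analytics rule, set the query period to cover the lookback used inside the query (one hour here) and the frequency to a shorter interval, then compare its results with the legacy rule's alerts for the same window before retiring the legacy rule.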

Phase 4: Post-Migration


Summary:

The plan outlined above should help you ensure a successful migration. If you need assistance, the CRITICALSTART Cybersecurity Consulting Services for Microsoft Security team has performed numerous migrations to Azure Sentinel for large enterprises and is always available to assist with your migration effort. CRITICALSTART is a Microsoft MSSP Program Partner and member of the Microsoft Intelligent Security Association.

Contact your Microsoft or CRITICALSTART sales representative to learn more.

©2020 CRITICALSTART. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.