Jussi Metso
July 4, 2025

Modernizing your on-prem SIEM with Microsoft Sentinel – part 2

So you want to migrate your on-prem SIEM to Microsoft Sentinel?

What kind of tasks have you thought of so far? Some planning, maybe?

Here are some tasks I have in mind. These are just tasks; there is no need to do all of them, or to do them in this order. This is only a guideline. The week numbers are adjustable as well, so there is no need to wait if you already have all the information needed to proceed earlier.

It might take more or less time, depending on the size of your environment and the skills of the project staff.


Some very high level phases (select your own phases)

Phase                      Key Activities
1. Assessment & Planning   Inventory, cost modeling, roadmap
2. Setup & Configuration   Deploy workspace, roles, and core connectors
3. (Pilot) Deployment      The hard work 🙂
4. Migration Execution     The hard work, part 2 🙂
5. Optimization            Parallel run, tuning, SOC training
6. Decommission            Switch over and decommission legacy SIEM

1. Assessment & Planning (Preparation Phase) (Weeks 1-3)

  • Inventory your data sources: look at the data sources connected to your current on-prem setup, then decide which sources to add to (or remove from) the cloud SIEM

  • Gap analysis between existing SIEM and Sentinel capabilities
  • Map retention requirements (e.g., PCI DSS, GDPR), i.e. how long the ingested data must be stored

  • Estimate costs: use the Azure Pricing Calculator for data ingestion and storage. NOTE: this is only an estimate, because, for example, servers get a Sentinel ingestion discount if you use Defender for Servers P2. To take advantage of this for on-prem servers, you need to bring them into Azure by using Azure Arc.

  • Plan architecture:

    • Decide on number of Sentinel workspaces (single vs multi-tenant)

    • Plan RBAC roles and access controls for SOC teams

Timeline suggestion for the on-prem migration. SOURCE: jussimetso.com

2. Setup & Configuration (Foundation Phase) (Weeks 4-6)

  • Establish connectivity from on-prem to Azure
  • Provision Azure environment and Microsoft Sentinel workspace(s)

  • Configure Azure Log Analytics workspaces

  • Deploy Sentinel on a Log Analytics workspace

  • Configure RBAC roles for Sentinel usage:

    • Owner, Contributor…and SOC tier roles

  • Connect Microsoft security tools:

    • Entra ID, Microsoft 365, Defender XDR (Identity, Endpoints, Cloud Apps, Office365), Purview

  • Enable diagnostic logging in Azure resources

3. (Pilot) Deployment (Weeks 7-9)

  • Connect critical data sources (e.g., firewalls, Active Directory) and all other data sources with Sentinel data connectors if available

  • Forward on-premises logs:

    • Install the Azure Monitor Agent on Windows/Linux servers

    • Or onboard them with Azure Arc
    • Configure Syslog/CEF connectors for firewalls and appliances

  • Normalize custom data to Sentinel schemas with ASIM parsers

  • Implement baseline for analytics rules and alerts

  • Validate data ingestion, parsing, and correlation

  • Conduct end-to-end testing
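As an added illustration of the "normalize custom data with ASIM parsers" step (this is example code, not a Microsoft-provided ASIM parser): a KQL function that maps CEF firewall events arriving in the CommonSecurityLog table onto ASIM NetworkSession field names, so that ASIM-based analytics rules and hunting queries can consume the on-prem firewall logs. The vendor string and the function name are assumptions to replace with your own.

```kusto
// Example custom ASIM-style parser (not from the original post or from Microsoft).
// Save as a workspace function, e.g. vimNetworkSessionCustomFw (name is an assumption),
// with the standard ASIM parameters so it can be filtered and disabled like built-in parsers.
let parser = (starttime:datetime=datetime(null), endtime:datetime=datetime(null), disabled:bool=false) {
    CommonSecurityLog
    | where not(disabled)
    | where (isnull(starttime) or TimeGenerated >= starttime)
        and (isnull(endtime)   or TimeGenerated <= endtime)
    | where DeviceVendor == "ExampleVendor"          // placeholder: vendor string of your firewall
    | extend
        EventVendor    = DeviceVendor,
        EventProduct   = DeviceProduct,
        EventSchema    = "NetworkSession",
        EventType      = "NetworkSession",
        EventCount     = int(1),
        EventStartTime = TimeGenerated,
        EventEndTime   = TimeGenerated,
        // CEF DeviceAction values differ per vendor; normalize them to the ASIM DvcAction set
        DvcAction = case(DeviceAction in~ ("allow", "accept", "permit"), "Allow",
                         DeviceAction in~ ("deny", "drop", "block"),     "Deny",
                         "Other"),
        SrcIpAddr       = SourceIP,
        SrcPortNumber   = toint(SourcePort),
        DstIpAddr       = DestinationIP,
        DstPortNumber   = toint(DestinationPort),
        NetworkProtocol = toupper(Protocol),
        DvcHostname     = coalesce(DeviceName, Computer)
    // ASIM expects EventResult; a denied session is reported as Failure
    | extend EventResult = iff(DvcAction == "Deny", "Failure", "Success")
    | project-away DeviceVendor, DeviceProduct, DeviceAction, SourceIP, SourcePort,
                   DestinationIP, DestinationPort, Protocol
};
// Validation query for the pilot phase: check that the last hour of firewall events maps cleanly
parser(starttime=ago(1h))
| summarize Sessions = count() by DvcAction, EventResult
```

During validation, any rows landing in DvcAction "Other" point at vendor action strings the case() mapping does not yet cover.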

4. Migration Execution (Weeks 10-13)

  • Review existing on-premises SIEM correlation rules

  • Map detections to Sentinel analytics rule templates

  • Rebuild custom detection logic using Kusto Query Language (KQL)

  • Validate mappings for:

    • MITRE ATT&CK techniques

    • Alert severity and SOC triage processes

  • Gradually shift remaining data sources to Sentinel

  • Migrate existing rules, reports, and alerts

  • Implement automation via Playbooks and SOAR capabilities

  • Continuous monitoring and troubleshooting during migration
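As an added example of rebuilding an on-prem correlation rule in KQL for a Sentinel scheduled analytics rule (example code, not from the original post): a classic brute-force-then-success rule over Windows Security Events forwarded by the Azure Monitor Agent, with the rule settings and MITRE ATT&CK mapping a reviewer would check in the "Validate mappings" step. The threshold and windows are assumptions to tune during the Optimization phase.

```kusto
// Example rebuild of a legacy SIEM rule "many failed logons followed by a successful logon".
// Suggested rule settings (set in the analytics rule wizard, not in the query):
//   run every 10 minutes, lookback 1 hour, tactic Credential Access, technique T1110 (Brute Force),
//   entity mapping: IP -> IpAddress, Host -> Computer, Account -> TargetUserName.
let lookback  = 1h;     // must match the rule's lookup period
let window    = 10m;    // max gap between the last failure and the success
let threshold = 20;     // assumed; tune against your false-positive rate
let failures =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625                        // failed logon
    | summarize FailedCount    = count(),
                FirstFailure   = min(TimeGenerated),
                LastFailure    = max(TimeGenerated),
                TargetAccounts = make_set(TargetUserName, 50)
        by IpAddress, Computer
    | where FailedCount >= threshold;
let successes =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624                        // successful logon
    | where LogonType in (3, 10)                   // network and RDP logons only
    | project SuccessTime = TimeGenerated, IpAddress, Computer, TargetUserName, LogonType;
failures
| join kind=inner successes on IpAddress, Computer
// the success must come after the failure burst started and shortly after it ended
| where SuccessTime between (FirstFailure .. (LastFailure + window))
| project IpAddress, Computer, TargetUserName, LogonType, FailedCount,
          FirstFailure, LastFailure, SuccessTime, TargetAccounts
```

When comparing with the legacy rule during the parallel run, record the legacy rule's threshold and time window beside these values so alert-fidelity differences can be traced to a specific parameter.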

5. Optimization (Weeks 14-16)

  • Recreate existing automation workflows in Sentinel Playbooks (Logic Apps)

    • Example: auto-ticket creation, notifying Teams/Slack

  • Test playbooks for accuracy and scope

  • Leverage built-in Sentinel automation rules for enrichment and response

  • Run Sentinel in parallel with on-prem SIEM

    • Compare alert fidelity and dashboards

  • Fine-tune analytics rules to reduce false positives

  • Perform test attack scenarios (e.g., simulated phishing, lateral movement)

  • Tune analytics rules, playbooks, and alerts

  • Optimize cost and performance

6. Decommission Legacy SIEM (Weeks 17+)

  • Finalize migration of all critical data sources

  • Export and archive historical logs for compliance (if required)

  • Fully transition SOC operations to Sentinel

  • Retire or repurpose on-premises SIEM infrastructure

  • Regular training and skill development for analysts

  • Continuous improvement based on feedback and monitoring

  • Schedule periodic assessments and tuning

Export historic on-prem log data to Azure

  • One of the important decisions you make during your migration process is where to store your historical data. To make this decision, you need to understand and be able to compare the various target platforms. Here is some help to do it.

Microsoft's guidance for the migration

Microsoft also has guidance on how to do the migration. You can check it on MS Learn.

Microsoft Sentinel migration phases. SOURCE: MS learn

There is ready-made migration guidance on MS Learn if you are migrating from these services:

  • ArcSight
  • Splunk
  • QRadar

Even though there is no guidance available for other systems, they all follow the same basic instructions.

But I hope that the instructions for SentinelOne, ElasticSearch and LogPoint are coming soon.


Author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.