{"id":2521,"date":"2025-07-04T15:22:09","date_gmt":"2025-07-04T12:22:09","guid":{"rendered":"https:\/\/www.jussimetso.com\/?p=2521"},"modified":"2025-07-04T15:22:12","modified_gmt":"2025-07-04T12:22:12","slug":"modernizing-your-on-prem-siem-with-microsoft-sentinel-part-2","status":"publish","type":"post","link":"https:\/\/www.jussimetso.com\/index.php\/2025\/07\/04\/modernizing-your-on-prem-siem-with-microsoft-sentinel-part-2\/","title":{"rendered":"Modernizing your on-prem SIEM with Microsoft Sentinel &#8211; part 2"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div>\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"2521\" class=\"elementor elementor-2521\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-74a50a5 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"74a50a5\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a24d0cf\" data-id=\"a24d0cf\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f9cb1c4 elementor-widget elementor-widget-text-editor\" data-id=\"f9cb1c4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>So you want to migrate your on-prem SIEM to Microsoft Sentinel?<\/p><p>What kind of tasks have you thought of so far? Some planning, maybe?<\/p><p>Here are some tasks I have in mind. These are just tasks; there is no need to do all of them, or to do them in this order. This is just a guideline. 
Also, the week numbers are adjustable, so there is no need to wait if you already have all the information needed to proceed.<\/p><p>It might take more or less time, depending on the size of your environment and the skills of the project staff.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-2f245b7 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"2f245b7\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-9437113\" data-id=\"9437113\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1f86eeb elementor-toc--minimized-on-tablet elementor-widget elementor-widget-table-of-contents\" data-id=\"1f86eeb\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;headings_by_tags&quot;:[&quot;h2&quot;,&quot;h3&quot;,&quot;h4&quot;,&quot;h5&quot;],&quot;exclude_headings_by_selector&quot;:[],&quot;no_headings_message&quot;:&quot;No headings were found on this page.&quot;,&quot;marker_view&quot;:&quot;numbers&quot;,&quot;minimize_box&quot;:&quot;yes&quot;,&quot;minimized_on&quot;:&quot;tablet&quot;,&quot;hierarchical_view&quot;:&quot;yes&quot;,&quot;min_height&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]}}\" data-widget_type=\"table-of-contents.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-toc__header\">\n\t\t\t\t\t\t<h4 class=\"elementor-toc__header-title\">\n\t\t\t\tTable of Contents\t\t\t<\/h4>\n\t\t\t\t\t\t\t\t\t\t<div class=\"elementor-toc__toggle-button elementor-toc__toggle-button--expand\" role=\"button\" tabindex=\"0\" aria-controls=\"elementor-toc__1f86eeb\" aria-expanded=\"true\" aria-label=\"Open table of contents\"><i aria-hidden=\"true\" class=\"fas fa-chevron-down\"><\/i><\/div>\n\t\t\t\t<div class=\"elementor-toc__toggle-button elementor-toc__toggle-button--collapse\" role=\"button\" tabindex=\"0\" aria-controls=\"elementor-toc__1f86eeb\" aria-expanded=\"true\" aria-label=\"Close table of contents\"><i aria-hidden=\"true\" class=\"fas fa-chevron-up\"><\/i><\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<div id=\"elementor-toc__1f86eeb\" class=\"elementor-toc__body\">\n\t\t\t<div class=\"elementor-toc__spinner-container\">\n\t\t\t\t<i class=\"elementor-toc__spinner eicon-animation-spin eicon-loading\" aria-hidden=\"true\"><\/i>\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-fadcae4 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"fadcae4\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-48fc303\" data-id=\"48fc303\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-eae23f8 elementor-widget elementor-widget-heading\" data-id=\"eae23f8\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Some very high-level phases (select your own phases)<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-054ddbe elementor-widget elementor-widget-text-editor\" data-id=\"054ddbe\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<table><thead><tr><th>Phase<\/th><th>Key Activities<\/th><\/tr><\/thead><tbody><tr><td><p>1. Assessment &amp; Planning<\/p><\/td><td>Inventory, cost modeling, roadmap<\/td><\/tr><tr><td><p>2. Setup &amp; Configuration<\/p><\/td><td>Deploy workspace, roles, and core connectors<\/td><\/tr><tr><td><p>3. (Pilot) Deployment<\/p><\/td><td>The hard work \ud83d\ude42<\/td><\/tr><tr><td><p>4. Migration Execution<\/p><\/td><td>The hard work, part 2 \ud83d\ude42<\/td><\/tr><tr><td><p>5. Optimization<\/p><\/td><td>Parallel run, tuning, SOC training<\/td><\/tr><tr><td><p>6. 
Decommission<\/p><\/td><td>Switch over and decommission legacy SIEM<\/td><\/tr><\/tbody><\/table>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-0df6453 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"0df6453\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e5ff35b\" data-id=\"e5ff35b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f8882e7 elementor-widget elementor-widget-text-editor\" data-id=\"f8882e7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3 data-pm-slice=\"1 5 []\"><strong>1. <\/strong>Assessment &amp; Planning <strong>(Preparation Phase) <\/strong>(Weeks 1-3)<\/h3><ul data-spread=\"false\"><li><p>Inventory your data sources: start from the on-prem data sources in your current setup, then decide which sources to add (or remove) when connecting them to the cloud SIEM.<\/p><\/li><li>Gap analysis between existing SIEM and Sentinel capabilities<\/li><li><p>Map retention requirements (e.g., PCI DSS, GDPR), i.e. how long the ingested data must be stored.<\/p><\/li><li><p>Estimate costs: use the Azure Pricing Calculator for data ingestion and storage. 
NOTE: this is only an estimate, because, for example, for servers there is a <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/defender-for-cloud\/data-ingestion-benefit\" target=\"_blank\" rel=\"noopener\"><span style=\"text-decoration: underline;\">Sentinel ingestion discount if you use Defender for Servers P2<\/span><\/a>. To benefit from this, you need to bring the servers into Azure by using Azure Arc.<\/p><\/li><li><p>Plan architecture:<\/p><ul data-spread=\"false\"><li><p>Decide on the number of Sentinel workspaces (single vs. multi-tenant)<\/p><\/li><li><p>Plan RBAC roles and access controls for SOC teams<\/p><\/li><\/ul><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-cb9dbda elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"cb9dbda\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-da9e8fa\" data-id=\"da9e8fa\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ddefbd9 elementor-widget elementor-widget-image\" data-id=\"ddefbd9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"640\" height=\"217\" src=\"https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/sentinel-migration-timeline.png?fit=640%2C217&amp;ssl=1\" class=\"attachment-large size-large wp-image-2572\" alt=\"\" 
srcset=\"https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/sentinel-migration-timeline.png?w=1102&amp;ssl=1 1102w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/sentinel-migration-timeline.png?resize=300%2C102&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/sentinel-migration-timeline.png?resize=1024%2C347&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/sentinel-migration-timeline.png?resize=768%2C260&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/sentinel-migration-timeline.png?resize=850%2C288&amp;ssl=1 850w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Timeline suggestion for the on-prem migration. SOURCE: jussimetso.com<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ea55151 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"ea55151\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-355b68f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"355b68f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element 
elementor-element-e8f85a5\" data-id=\"e8f85a5\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-468143f elementor-widget elementor-widget-text-editor\" data-id=\"468143f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3 data-pm-slice=\"1 3 []\"><strong>2.<\/strong>Setup &amp; Configuration <strong>(Foundation Phase) <\/strong>(Weeks 4-6)<\/h3><ul data-spread=\"false\"><li>Establish connectivity from on-prem to Azure<\/li><li><p>Provision Azure environment and Microsoft Sentinel workspace(s)<\/p><\/li><li><p>Configure Azure Log Analytics workspaces<\/p><\/li><li><p>Deploy Sentinel on a Log Analytics workspace<\/p><\/li><li><p>Configure RBAC roles for Sentinel usage:<\/p><ul data-spread=\"false\"><li><p>Owner, Contributor&#8230;and SOC tier roles<\/p><\/li><\/ul><\/li><li><p>Connect Microsoft security tools:<\/p><ul data-spread=\"false\"><li><p>Entra ID, Microsoft 365, Defender XDR (Identity, Endpoints, Cloud Apps, Office365), Purview<\/p><\/li><\/ul><\/li><li><p>Enable diagnostic logging in Azure resources<\/p><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6363274 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"6363274\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-80752c3 
elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"80752c3\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ef65259\" data-id=\"ef65259\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9944720 elementor-widget elementor-widget-text-editor\" data-id=\"9944720\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3 data-pm-slice=\"1 3 []\"><strong>3. <\/strong>(Pilot) Deployment (Weeks 7-9)<\/h3><ul data-spread=\"false\"><li><p>Connect critical data sources first (e.g., firewalls, Active Directory), then all other data sources, using Sentinel data connectors where available<\/p><\/li><li><p>Forward on-premises logs:<\/p><ul data-spread=\"false\"><li><p>Install the Azure Monitor Agent on Windows\/Linux servers<\/p><\/li><li>Or onboard them with Azure Arc<\/li><li><p>Configure <span style=\"text-decoration: underline;\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/connect-cef-syslog-ama?tabs=portal\" target=\"_blank\" rel=\"noopener\">Syslog\/CEF connectors<\/a><\/span> for firewalls and appliances<\/p><\/li><\/ul><\/li><li><p>Normalize custom data to Sentinel schemas with <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/normalization-about-parsers\" target=\"_blank\" rel=\"noopener\"><span style=\"text-decoration: underline;\">ASIM parsers<\/span><\/a><\/p><\/li><li><p>Implement a baseline of analytics rules and alerts<\/p><\/li><li><p>Validate data ingestion, parsing, and correlation<\/p><\/li><li><p>Conduct end-to-end 
testing<\/p><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5801f95 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"5801f95\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-623d1c5 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"623d1c5\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a7b4f8a\" data-id=\"a7b4f8a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b82b724 elementor-widget elementor-widget-text-editor\" data-id=\"b82b724\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3 data-pm-slice=\"1 5 []\"><strong>4.\u00a0<\/strong>Migration Execution\u00a0(Weeks 10-13)<\/h3><ul data-spread=\"false\"><li><p>Review existing on-premises SIEM correlation rules<\/p><\/li><li><p>Map detections to Sentinel analytics rule templates<\/p><\/li><li><p>Rebuild custom detection logic using Kusto Query Language (KQL)<\/p><\/li><li><p>Validate mappings for:<\/p><ul data-spread=\"false\"><li><p>MITRE ATT&amp;CK 
techniques<\/p><\/li><li><p>Alert severity and SOC triage processes<\/p><\/li><\/ul><\/li><li><p>Gradually shift remaining data sources to Sentinel<\/p><\/li><li><p>Migrate existing rules, reports, and alerts<\/p><\/li><li><p>Implement automation via Playbooks and SOAR capabilities<\/p><\/li><li><p>Continuous monitoring and troubleshooting during migration<\/p><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0a614cd elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"0a614cd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9db2f80 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9db2f80\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-4d836b2\" data-id=\"4d836b2\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ba4d846 elementor-widget elementor-widget-text-editor\" data-id=\"ba4d846\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3 data-pm-slice=\"1 3 []\"><strong>5.\u00a0<\/strong>Optimization (Weeks 14-16)<\/h3><ul 
data-spread=\"false\"><li><p>Recreate existing automation workflows in Sentinel Playbooks (Logic Apps)<\/p><ul data-spread=\"false\"><li><p>Example: auto-ticket creation, notifying Teams\/Slack<\/p><\/li><\/ul><\/li><li><p>Test playbooks for accuracy and scope<\/p><\/li><li><p>Leverage built-in Sentinel automation rules for enrichment and response<\/p><\/li><li><p>Run Sentinel in <span style=\"text-decoration: underline;\">parallel <\/span>with on-prem SIEM<\/p><ul data-spread=\"false\"><li><p>Compare alert fidelity and dashboards<\/p><\/li><\/ul><\/li><li><p>Fine-tune analytics rules to <span style=\"text-decoration: underline;\">reduce false positives<\/span><\/p><\/li><li><p>Perform test attack scenarios (e.g., simulated phishing, lateral movement)<\/p><\/li><li><p>Tune analytics rules, playbooks, and alerts<\/p><\/li><li><p>Optimize cost and performance<\/p><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-df53945 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"df53945\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b59c588 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b59c588\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-01c1ecb\" data-id=\"01c1ecb\" 
data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-0535be7 elementor-widget elementor-widget-text-editor\" data-id=\"0535be7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3 data-pm-slice=\"1 3 []\"><strong>6. Decommission Legacy SIEM <\/strong>(Weeks 17+)<\/h3><ul data-spread=\"false\"><li><p>Finalize migration of all critical data sources<\/p><\/li><li><p>Export and archive historical logs for compliance (if required)<\/p><\/li><li><p>Fully transition SOC operations to Sentinel<\/p><\/li><li><p>Retire or repurpose on-premises SIEM infrastructure<\/p><\/li><li><p>Regular training and skill development for analysts<\/p><\/li><li><p>Continuous improvement based on feedback and monitoring<\/p><\/li><li><p>Schedule periodic assessments and tuning<\/p><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0eccf65 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"0eccf65\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5079221 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5079221\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div 
class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7ba2a8c\" data-id=\"7ba2a8c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3af1c84 elementor-widget elementor-widget-text-editor\" data-id=\"3af1c84\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2 data-pm-slice=\"1 3 []\"><strong>Export historical on-prem log data to Azure<\/strong><\/h2><ul data-spread=\"false\"><li><p>One of the important decisions you make during your migration process is where to store your historical data. To make this decision, you need to understand and be able to compare the various target platforms. Here is some <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/migration-ingestion-target-platform\" target=\"_blank\" rel=\"noopener\"><span style=\"text-decoration: underline;\">help<\/span><\/a> to do it.<\/p><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-26161dc elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"26161dc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-cbf3bd6 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"cbf3bd6\" data-element_type=\"section\" 
data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e7eec20\" data-id=\"e7eec20\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-eab35cf elementor-widget elementor-widget-heading\" data-id=\"eab35cf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Microsoft's guidance for the migration<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4c911cf elementor-widget elementor-widget-text-editor\" data-id=\"4c911cf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Microsoft also has guidance on how to do the migration. 
You can check it on <span style=\"text-decoration: underline;\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/migration\" target=\"_blank\" rel=\"noopener\">MS Learn<\/a><\/span>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-13db121 elementor-widget elementor-widget-image\" data-id=\"13db121\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/sentinel-migration-phases-scaled.png?ssl=1\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"sentinel-migration-phases\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjU3MSwidXJsIjoiaHR0cHM6XC9cL3d3dy5qdXNzaW1ldHNvLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAyNVwvMDdcL3NlbnRpbmVsLW1pZ3JhdGlvbi1waGFzZXMtc2NhbGVkLnBuZyJ9\">\n\t\t\t\t\t\t\t<img decoding=\"async\" width=\"640\" height=\"345\" src=\"https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/sentinel-migration-phases-scaled.png?fit=640%2C345&amp;ssl=1\" class=\"attachment-large size-large wp-image-2571\" alt=\"\" srcset=\"https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/sentinel-migration-phases-scaled.png?w=2560&amp;ssl=1 2560w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/sentinel-migration-phases-scaled.png?resize=300%2C162&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/sentinel-migration-phases-scaled.png?resize=1024%2C552&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/sentinel-migration-phases-scaled.png?resize=768%2C414&amp;ssl=1 768w, 
https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/sentinel-migration-phases-scaled.png?resize=1536%2C828&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/sentinel-migration-phases-scaled.png?resize=2048%2C1104&amp;ssl=1 2048w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/sentinel-migration-phases-scaled.png?resize=850%2C458&amp;ssl=1 850w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/sentinel-migration-phases-scaled.png?w=1280&amp;ssl=1 1280w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/sentinel-migration-phases-scaled.png?w=1920&amp;ssl=1 1920w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/>\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Microsoft Sentinel migration phases. SOURCE: MS Learn<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c798d19 elementor-widget elementor-widget-text-editor\" data-id=\"c798d19\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>There is ready-made migration guidance in MS Learn if you are migrating from these services:<\/p><ul><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/migration-arcsight-detection-rules\" target=\"_blank\" rel=\"noopener\"><span style=\"text-decoration: underline;\">ArcSight<\/span><\/a><\/li><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/migration-splunk-detection-rules\" target=\"_blank\" rel=\"noopener\"><span style=\"text-decoration: underline;\">Splunk<\/span><\/a><\/li><li><span style=\"text-decoration: underline;\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/migration-qradar-detection-rules\" target=\"_blank\" 
rel=\"noopener\">QRadar<\/a><\/span><\/li><\/ul><p>Even where no guidance is available for other systems, they all follow the same basic instructions.<\/p><p>But I hope that the instructions for SentinelOne, Elasticsearch and LogPoint are coming soon.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5627b15 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"5627b15\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3b369ee2 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3b369ee2\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-65950b34\" data-id=\"65950b34\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-37bf9171 elementor-widget elementor-widget-author-box\" data-id=\"37bf9171\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"author-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-author-box\">\n\t\t\t\t\t\t\t<div  class=\"elementor-author-box__avatar\">\n\t\t\t\t\t<img decoding=\"async\" 
src=\"https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2024\/07\/jussi_06_2024.jpg?fit=262%2C300&#038;ssl=1\" alt=\"Picture of Jussi Metso\" loading=\"lazy\">\n\t\t\t\t<\/div>\n\t\t\t\n\t\t\t<div class=\"elementor-author-box__text\">\n\t\t\t\t\t\t\t\t\t<div >\n\t\t\t\t\t\t<h6 class=\"elementor-author-box__name\">\n\t\t\t\t\t\t\tJussi Metso\t\t\t\t\t\t<\/h6>\n\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-author-box__bio\">\n\t\t\t\t\t\t<p>Author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future. <\/p>\n\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>So you want to migrate your on-prem SIEM to Microsoft Sentinel? What kind of tasks&#8230;<\/p>\n","protected":false},"author":1,"featured_media":2565,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[10],"tags":[42,41,43],"class_list":["post-2521","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sentinel","tag-sentinel","tag-siem","tag-soc"],"jetpack_publicize_connections":[],"jetpack_featured_media_ur
l":"https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/onpremsiemtocloudsiem-2.png?fit=768%2C512&ssl=1","jetpack_shortlink":"https:\/\/wp.me\/pes24X-EF","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/posts\/2521","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/comments?post=2521"}],"version-history":[{"count":18,"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/posts\/2521\/revisions"}],"predecessor-version":[{"id":2575,"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/posts\/2521\/revisions\/2575"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/media\/2565"}],"wp:attachment":[{"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/media?parent=2521"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/categories?post=2521"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/tags?post=2521"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}