Published: Sep 16, 2024
Key Takeaways:
Microsoft has announced some important updates coming to the SIEM Migration experience. These new capabilities are designed to more context-aware translations to streamline the process of moving from Splunk to Microsoft Sentinel.
The Schema mappings feature is designed to help customers migrate from Splunk to Microsoft Sentinel. It allows administrators to define how each type of data from Splunk will correspond to the tables in Microsoft Sentinel. This feature automatically maps known sources like Splunk CIM schemas & data models to ASIM Schemas.
“The other custom sources queried in the detections are listed without being mapped and these will require manual mapping with existing Microsoft Sentinel/Azure Log Analytics tables. All mappings can then be reviewed, modified or new sources added. Mapping schemas is hierarchical, i.e., the Splunk sources map 1-1 with Sentinel tables in addition to the fields within these sources,” Microsoft explained.
Microsoft has added translation support for Splunk Lookups to enhance the SIEM migration experience for customers. Splunk Lookups are tables with field value pairs that can be used to enrich event data. The translation process involves converting Splunk Lookups used in SPL (Search Processing Language) queries into Sentinel Watchlists used in KQL (Kusto Query Language) queries.
Currently, the translation support is limited to the “lookup” and “inputlookup” keywords. However, this feature doesn’t work with the “outputloopup” operation, and IT admins will need to configure an Automation Rule in Microsoft Sentinel to handle this task.
Lastly, Microsoft has also added translation support for Splunk Macros. These are small scripts that help automate repetitive tasks to make development faster. However, they can pose challenges when migrating to a new technology platform. The translation feature is designed to ensure that all SPL (Search Processing Language) detection queries automatically replace macro references with their definitions.