shanhix1 · May 29, 2022
diff --git a/‎articles/sentinel/media/migration-arcsight-automation/arcsight-sentinel-soar-workflow.png
55.3 KB b/‎articles/sentinel/media/migration-arcsight-automation/arcsight-sentinel-soar-workflow.png
55.3 KB
diff --git a/‎articles/sentinel/media/migration-arcsight-detection-rules/rule-4-sample.png
-4.81 KB b/‎articles/sentinel/media/migration-arcsight-detection-rules/rule-4-sample.png
-4.81 KB
diff --git a/‎articles/sentinel/media/migration-arcsight-detection-rules/rule-7-sample.png
-243 Bytes b/‎articles/sentinel/media/migration-arcsight-detection-rules/rule-7-sample.png
-243 Bytes
diff --git a/‎articles/sentinel/migration-arcsight-automation.md
Lines changed: 18 additions & 11 deletions b/‎articles/sentinel/migration-arcsight-automation.md
Lines changed: 18 additions & 11 deletions
diff --git a/‎articles/sentinel/migration-arcsight-detection-rules.md
Lines changed: 11 additions & 4 deletions b/‎articles/sentinel/migration-arcsight-detection-rules.md
Lines changed: 11 additions & 4 deletions
diff --git a/‎articles/sentinel/migration-arcsight-historical-data.md
Lines changed: 7 additions & 8 deletions b/‎articles/sentinel/migration-arcsight-historical-data.md
Lines changed: 7 additions & 8 deletions
diff --git a/‎articles/sentinel/migration-track.md
Lines changed: 3 additions & 8 deletions b/‎articles/sentinel/migration-track.md
Lines changed: 3 additions & 8 deletions
@@ -9,12 +9,12 @@ ms.date: 05/03/2022
 
 # Migrate ArcSight SOAR automation to Microsoft Sentinel
 
-Microsoft Sentinel provides Security Orchestration, Automation, and Response (SOAR) capabilities with [automation rules](automate-incident-handling-with-automation-rules.md) to automate incident handling and response, and [playbooks](tutorial-respond-threats-playbook.md) to run predetermined sequences of actions to response and remediate threats. This article discusses how to identify SOAR use cases, and how to migrate your ArcSight SOAR automation to Microsoft Sentinel.
+Microsoft Sentinel provides Security Orchestration, Automation, and Response (SOAR) capabilities with [automation rules](automate-incident-handling-with-automation-rules.md) to automate incident handling and response, and [playbooks](tutorial-respond-threats-playbook.md) to run predetermined sequences of actions to respond to and remediate threats. This article discusses how to identify SOAR use cases, and how to migrate your ArcSight SOAR automation to Microsoft Sentinel.
 
 Automation rules simplify complex workflows for your incident orchestration processes, and allow you to centrally manage your incident handling automation. 
 
 With automation rules, you can: 
-- Perform simple automation tasks without necessarily using playbooks. For example, you can assign, tag, incidents, change status, and close incidents. 
+- Perform simple automation tasks without necessarily using playbooks. For example, you can assign, tag incidents, change status, and close incidents. 
 - Automate responses for multiple analytics rules at once. 
 - Control the order of actions that are executed. 
 - Run playbooks for those cases where more complex automation tasks are necessary. 
@@ -37,10 +37,10 @@ This section shows how key SOAR concepts in ArcSight translate to Microsoft Sent
 |Step (in diagram) |ArcSight  |Microsoft Sentinel |
 |---------|---------|---------|
 |1 |Ingest events into Enterprise Security Manager (ESM) and trigger correlation events.     |Ingest events into the Log Analytics workspace.     |
-|2 |Automatically filter alerts for case creation.     |Use [analytics rules](detect-threats-built-in#use-built-in-analytics-rules.md) to trigger alerts. Enrich alerts using the [custom details feature](surface-custom-details-in-alerts.md) to create dynamic incident names.   |
-|3 |Classify cases |Use [automation rules](automate-incident-handling-with-automation-rules.md). With automation rules, Microsoft Sentinel treats incidents according to the analytics rule that triggered the incident, and the incident properties that match defined criteria. |
-|4 |Consolidate cases |You can consolidate several alerts to a single incident according to properties such as matching entities, alert details, or creation timeframe, using the alert grouping feature. |
-|5 |Dispatch cases |Assign incidents to specific analysts using [an integration](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/automate-incident-assignment-with-shifts-for-teams/ba-p/2297549) between Microsoft Teams, Azure Logic Apps, and Microsoft Sentinel automation rules. |
+|2 |Automatically filter alerts for case creation.     |Use [analytics rules](detect-threats-built-in.md#use-built-in-analytics-rules) to trigger alerts. Enrich alerts using the [custom details feature](surface-custom-details-in-alerts.md) to create dynamic incident names.   |
+|3 |Classify cases. |Use [automation rules](automate-incident-handling-with-automation-rules.md). With automation rules, Microsoft Sentinel treats incidents according to the analytics rule that triggered the incident, and the incident properties that match defined criteria. |
+|4 |Consolidate cases. |You can consolidate several alerts to a single incident according to properties such as matching entities, alert details, or creation timeframe, using the alert grouping feature. |
+|5 |Dispatch cases. |Assign incidents to specific analysts using [an integration](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/automate-incident-assignment-with-shifts-for-teams/ba-p/2297549) between Microsoft Teams, Azure Logic Apps, and Microsoft Sentinel automation rules. |
 
 ## Map SOAR components 
 
@@ -62,10 +62,10 @@ While most of the playbooks that you use with Microsoft Sentinel are available i
 You typically build your custom logic app using the Azure Logic App Designer feature. The logic apps code is based on [Azure Resource Manager (ARM) templates](../azure-resource-manager/templates/overview.md), which facilitate development, deployment and portability of Azure Logic Apps across multiple environments. To convert your custom playbook into a portable ARM template, you can use the [ARM template generator](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/export-microsoft-sentinel-playbooks-or-azure-logic-apps-with/ba-p/3275898).
 
 Use these resources for cases where you need to build your own playbooks either from scratch or from existing templates.
-- [Automate incident handling in Azure Sentinel](automate-incident-handling-with-automation-rules.md)
-- [Automate threat response with playbooks in Azure Sentinel](automate-responses-with-playbooks.md)
-- [Tutorial: Use playbooks with automation rules in Azure Sentinel](tutorial-respond-threats-playbook.md)
-- [How to use Azure Sentinel for Incident Response, Orchestration and Automation](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/how-to-use-azure-sentinel-for-incident-response-orchestration/ba-p/2242397)
+- [Automate incident handling in Microsoft Sentinel](automate-incident-handling-with-automation-rules.md)
+- [Automate threat response with playbooks in Microsoft Sentinel](automate-responses-with-playbooks.md)
+- [Tutorial: Use playbooks with automation rules in Microsoft Sentinel](tutorial-respond-threats-playbook.md)
+- [How to use Microsoft Sentinel for Incident Response, Orchestration and Automation](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/how-to-use-azure-sentinel-for-incident-response-orchestration/ba-p/2242397)
 - [Adaptive Cards to enhance incident response in Microsoft Sentinel](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/using-microsoft-teams-adaptive-cards-to-enhance-incident/ba-p/3330941)
 
 ## SOAR post migration best practices
@@ -75,4 +75,11 @@ Here are best practices you should take into account after your SOAR migration:
 - After you migrate your playbooks, test the playbooks extensively to ensure that the migrated actions work as expected.
 - Periodically review your automations to explore ways to further simplify or enhance your SOAR. Microsoft Sentinel constantly adds new connectors and actions that can help you to further simplify or increase the effectiveness of your current response implementations.
 - Monitor the performance of your playbooks using the [Playbooks health monitoring workbook](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-monitoring-your-logic-apps-playbooks-in-azure/ba-p/1873211).
-- Use managed identities and service principals to authenticate against various Azure services within your Logic Apps, store the secrets in Azure Key Vault, and obscure the flow execution output. we also recommend that you  [monitor the activities of these service principals](https://techcommunity.microsoft.com/t5/azure-sentinel/non-interactive-logins-minimizing-the-blind-spot/ba-p/2287932).
+- Use managed identities and service principals to authenticate against various Azure services within your Logic Apps, store the secrets in Azure Key Vault, and obscure the flow execution output. we also recommend that you  [monitor the activities of these service principals](https://techcommunity.microsoft.com/t5/azure-sentinel/non-interactive-logins-minimizing-the-blind-spot/ba-p/2287932).
+
+## Next steps
+
+In this article, you learned how to map your SOAR automation from ArcSight to Microsoft Sentinel. 
+
+> [!div class="nextstepaction"]
+> [Export your historical data](migration-arcsight-historical-data.md)
@@ -225,7 +225,7 @@ Order the filters by starting with the `where` statement that filters out the mo
 
 Here is a sample ArcSight rule that defines a condition against a set of base events, using the `Matching Event` statement.
 
-:::image type="content" source="media/migration-arcsight-detection-rules/rule-5-sample.png" alt-text="Diagram illustrating a sample correlation rule (matching)." lightbox="media/migration-arcsight-detection-rules/rule-5-sample.png":::
+:::image type="content" source="media/migration-arcsight-detection-rules/rule-5-sample.png" alt-text="Diagram illustrating a sample correlation rule (matching).":::
 
 ### Correlation (matching) example: KQL
 
@@ -250,7 +250,7 @@ Best practices:
 
 Here is a sample ArcSight rule that defines a condition against a set of base events, using the `Matching Event` statement, and uses the `Wait time` filter condition.
 
-:::image type="content" source="media/migration-arcsight-detection-rules/rule-6-sample.png" alt-text="Diagram illustrating a sample correlation rule (time window)." lightbox="media/migration-arcsight-detection-rules/rule-6-sample.png":::
+:::image type="content" source="media/migration-arcsight-detection-rules/rule-6-sample.png" alt-text="Diagram illustrating a sample correlation rule (time window).":::
 
 ### Correlation (time window) example: KQL
 
@@ -292,7 +292,7 @@ event2_UPN=UserPrincipalName,
 
 Here is a sample ArcSight rule with aggregation settings: three matches within ten minutes.
 
-:::image type="content" source="media/migration-arcsight-detection-rules/rule-7-sample.png" alt-text="Diagram illustrating a sample aggregation rule." lightbox="media/migration-arcsight-detection-rules/rule-7-sample.png":::
+:::image type="content" source="media/migration-arcsight-detection-rules/rule-7-sample.png" alt-text="Diagram illustrating a sample aggregation rule.":::
 
 ### Aggregation example example: KQL
 
@@ -301,4 +301,11 @@ SecurityEvent
 | summarize Count = count() by SubjectUserName, 
 SubjectDomainName
 | where Count >3
-```
+```
+
+## Next steps
+
+In this article, you learned how to map your migration rules from ArcSight to Microsoft Sentinel. 
+
+> [!div class="nextstepaction"]
+> [Migrate your SOAR automation](migration-arcsight-automation.md)
@@ -5,33 +5,32 @@ author: limwainstein
 ms.author: lwainstein
 ms.topic: how-to
 ms.date: 05/03/2022
-ms.custom: ignite-fall-2021
 ---
 
 # Export historical data from ArcSight
 
 This article describes how to export your historical data from ArcSight. After you complete the steps in this article, you can [select a target platform](migration-ingestion-target-platform.md) to host the exported data, and then [select an ingestion tool](migration-ingestion-tool.md) to migrate the data.
 
-:::image type="content" source="media/migration-export-ingest/export-data.png" alt-text="Diagram illustrating steps involved in export and ingestion." lightbox="media/migration-export-ingest/export-data.png":::
+:::image type="content" source="media/migration-export-ingest/export-data.png" alt-text="Diagram illustrating steps involved in export and ingestion.":::
 
 You can export data from ArcSight in several ways. Your selection of an export method depends on the data volumes and the deployed ArcSight environment. You can export the logs to a local folder on the ArcSight server or to another server accessible by ArcSight. 
 
 To export the data, use one of the following methods:
-- [ArcSight Event Data Transfer Tool](#arcsight-event-data-transfer-tool-arcsight-esm-version-7x): Use this option for large volumes of data, namely terabytes (TB).
+- [ArcSight Event Data Transfer Tool](#arcsight-event-data-transfer-tool): Use this option for large volumes of data, namely terabytes (TB).
 - [lacat tool](#lacat-utility): Use for volumes of data smaller than a TB.
 
-## ArcSight Event Data Transfer tool (ArcSight ESM version 7.x)
+## ArcSight Event Data Transfer tool
 
-Use the Event Data Transfer tool to export data from ArcSight Enterprise Security Manager (ESM). To export data from ArcSight Logger, use the [lacat utility](#lacat-utility). 
+Use the Event Data Transfer tool to export data from ArcSight Enterprise Security Manager (ESM) version 7.x. To export data from ArcSight Logger, use the [lacat utility](#lacat-utility). 
 
-The tool you retrieves event data from ESM, which allows you to combine analysis with unstructured data, in addition to the CEF data. The Event Data Transfer tool exports ESM events in three formats: CEF, CV, and key-value pairs. 
+The Event Data Transfer tool retrieves event data from ESM, which allows you to combine analysis with unstructured data, in addition to the CEF data. The Event Data Transfer tool exports ESM events in three formats: CEF, CSV, and key-value pairs. 
 
 To export data using the Event Data Transfer tool:
 
 1. [Install and configure the Event Transfer Tool](https://www.microfocus.com/documentation/arcsight/arcsight-esm-7.6/ESM_AdminGuide/#ESM_AdminGuide/EventDataTransfer/EventDataTransfer.htm).  
 1. Configure the logs export to use a CSV format. For example, this command exports data recorded between 15:45 and 16:45 on May 4, 2016 to a CSV file:
 
-    ```bash
+    ```
         arcsight event_transfer -dtype File -dpath <***path***> -format csv -start "05/04/2016 15:45:00" -end "05/04/2016 16:45:00" 
     ```
 ## lacat utility 
@@ -41,7 +40,7 @@ Use the lacat utility to export data from ArcSight Logger. This is a simple util
 To export data with the lacat utility:
 
 1. [Download the lacat utility](https://github.com/hpsec/lacat).
-1. Follow the examples in the [lacat repository](https://github.com/hpsec/lacat) on how to run the script.
+1. Follow the examples in the lacat repository on how to run the script.
 
 ## Next steps
 
 
@@ -189,11 +189,6 @@ To assist with the deployment and migration process, the workbook includes tips
 
 In this article, you learned how to track your migration with the **Microsoft Sentinel Deployment and Migration** workbook. 
 
-> [!div class="nextstepaction"]
-> [Migrate ArcSight detection rules](migration-arcsight-detection-rules.md)
-
-> [!div class="nextstepaction"]
-> [Migrate Splunk detection rules](migration-splunk-detection-rules.md)
-
-> [!div class="nextstepaction"]
-> [Migrate QRadar detection rules](migration-qradar-detection-rules.md)
+- [Migrate ArcSight detection rules](migration-arcsight-detection-rules.md) 
+- [Migrate Splunk detection rules](migration-splunk-detection-rules.md)
+- [Migrate QRadar detection rules](migration-qradar-detection-rules.md)