Task 2.1: Verify the Splunk data migration into Sentinel
You’ll explore the migrated Splunk data using the Sentinel analytics rule wizard to verify the converted rules in your environment.
- On the Microsoft Sentinel menu, under Configuration, select Analytics.
  You may encounter an error message indicating that one or more Codeless Connectors are not valid. The Amazon Web Services connector is not properly defined. This error can be ignored for this lab.
- On the Active rules tab, note that the imported Splunk rules are shown in the list with the prefix [Splunk Migrated].
- Select the Name column heading to sort the Active rules list by name.
- Select the third rule, [Splunk Migrated] CIM - Top Data Model Accelerations, to display its details in the right panel.
  If the right panel is not displayed, select the « icon on the right side to display it.
- In the right panel, select Edit to modify the selected analytics rule.
- Select Next : Set rule logic to display the rule query and parameter details.
- In the Rule query section, select the View query results > link to display the Logs query dialog panel.
  Notice that this query is not valid KQL, as indicated by the error displayed in the Results section.
- Select the X icon at the top right (not the browser "X") to close the Logs query dialog panel, and then select OK to discard any edits.
- Select the X icon at the top right (not the browser "X") to close the Analytics rule wizard dialog.
- Select the [Splunk Migrated] AWS CreateAccessKey entry in the list to display its details in the right panel.
  If the right panel is not displayed, select the « icon on the right side to display it.
- Select Edit to display the Analytics rule wizard dialog, and then select Next : Set rule logic >.
- Select the View query results > link to display the Logs query dialog panel.
  Because no error is displayed for this query, we can expect it to complete successfully.
- Select the Run button to execute the Analytics rule query.
  This query completes correctly but returns no results at this time. The KQL query is properly formatted and no issues in the schema are surfaced.
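The wizard check above can be repeated for every migrated rule at once. The following PowerShell is an added example, not part of the lab or the migration tool: it lists the scheduled rules carrying the [Splunk Migrated] prefix and test-runs each rule's query against the workspace, so rules whose SPL was not converted into valid KQL are reported together. It assumes the Az.Accounts, Az.SecurityInsights and Az.OperationalInsights modules are installed, Connect-AzAccount has been run, and the placeholder resource group and workspace names are replaced.

```powershell
# Added example (not from the lab). Surfaces migrated rules whose query does not run.
# Assumes Az.SecurityInsights and Az.OperationalInsights are installed and you are signed in.
$ResourceGroup = '<resource-group>'      # placeholder: your Sentinel resource group
$WorkspaceName = '<sentinel-workspace>'  # placeholder: your Log Analytics workspace name

$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# Only scheduled rules carry a KQL query; the migration prefixes each imported rule's display name.
# '[[]' matches a literal '[' in a -like wildcard pattern.
$migrated = Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName |
    Where-Object { $_.Kind -eq 'Scheduled' -and $_.DisplayName -like '[[]Splunk Migrated]*' }

$report = foreach ($rule in $migrated) {
    try {
        # Run the rule logic over a short window. A syntax or schema error throws here,
        # which is the same failure the wizard shows in its Results section.
        $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId `
            -Query $rule.Query -Timespan (New-TimeSpan -Hours 1) -ErrorAction Stop
        [pscustomobject]@{
            Rule   = $rule.DisplayName
            Status = 'OK'                      # valid KQL; Rows may still be 0 if no data has arrived
            Rows   = @($result.Results).Count
            Detail = ''
        }
    } catch {
        [pscustomobject]@{
            Rule   = $rule.DisplayName
            Status = 'INVALID'                 # query did not parse or referenced an unknown schema
            Rows   = 0
            Detail = $_.Exception.Message
        }
    }
}

# INVALID rules sort first; each needs its query rewritten in KQL before it is enabled.
$report | Sort-Object Status, Rule | Format-Table -AutoSize
```

A rule reported as OK with zero rows corresponds to the AWS CreateAccessKey case in the lab: the query is well-formed but the relevant table has no data yet.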