4 Tips for Migrating to Microsoft Azure Security Stack

4 Tips for Migrating to Microsoft Azure Security Stack

By Ben Chant

July 11, 2021

As migration to the cloud is increasing, so is the number and complexity of threats targeting the cloud. Security operations are evolving and need to accommodate these new threats alongside existing on-prem attacks.

Cloud-native security analytics solutions such as Microsoft Azure Sentinel allow you to keep up with the ongoing and rapid pace of change – by facilitating faster collection and data querying, supporting third-party integration, and ultimately leading to quicker Threat Detection and Response (TDR). But the migration itself from legacy SIEMs can be complex and costly if not managed properly, and there are key aspects of Azure-based security monitoring deployments that require specific knowledge of Azure technology and cloud security processes.


CyberProof’s newest eBook, “Migrating to Cloud-Native Threat Detection & Response – A Guide for Microsoft Azure Users,” provides in-depth guidance on how to optimize your migration to a cloud-native detection and response strategy with technologies such as Azure Sentinel, Log Analytics, Azure Data Explorer, Defender and more. Some of the many topics covered in the eBook include:

  1. Define and maintain use cases: The careful definition of use cases (sometimes referred to as attack scenarios) is a key aspect of maintaining threat visibility both during and after the migration period. Developing use cases is a way of defining not only which types of threats to monitor but how to respond. This will enable you to package the right content for each attack scenario such as Alert Rules, Hunting Queries, Logic Apps playbooks, Data Connectors, Workbooks etc. Use cases will also help you evaluate which log sources from your legacy SIEM should be transitioned over to Azure Sentinel.
  2. Adopt a single pane of glass:  Throughout the migration process, it is best to have your legacy SIEM running in parallel to a staged version of Azure Sentinel. This way, you can dual-feed use case content from your legacy SIEM, including detection rules and security events, into the staged environment. You can test and tune this data without impacting the production environment. Using a multi-SIEM enabled centralized Security Operations Center (SOC) platform like the CyberProof Defense Center (CDC) provides a phased transition without losing functionality, because no changes will be made to log sources in the initial stages - and rules and alerts can be tested early before you migrate fully to Azure Sentinel.CP_C04-Blog64-4TipsforMigratingtoMicrosoftAzureSecurityStack-202106
  3. Optimize log ingestion and retention: Your log collection layer should extend to all the organization’s log sources – including on-prem, cloud-hosted, and SaaS applications. Although there are numerous out-of-the-box data connectors supporting native and external sources that can stream data into the Azure Sentinel, be sure to address those sources that aren’t supported natively by creating custom connectors. To do this, you’ll need a continuous data parsing, filtering, and tagging process capability. Tools such as PowerShell, Kubernetes, and LogStash can help with this. But particularly for large organizations, this kind of data processing and storage can be very expensive. That’s where the CyberProof Log Collection (CLC) tool together with Azure Data Explorer (ADX) are key, helping to reduce costs by over 40% by filtering and routing less relevant data into a cost-effective, cloud-native storage solution. 

    Ad 3
  4. Apply custom analytics, reporting, and queries – Azure Sentinel’s analysis and querying capabilities support the optimization of alert triage and response. In a single query, you can search for Indicators of Compromise (IOCs) in the form of either malicious IP addresses, domains, URLs, or hashes. Make sure the external lookup table component of the Analytic Rule is dynamically updated with relevant threat feeds from open and closed sources so it’s able to compare wider and more accurate threat data against the logs going into Log Analytics. 

Cloud-BASED vs. Cloud-NATIVE – Therein Lies the Difference

There is an important distinction to be made between cloud-BASED and cloud-NATIVE security analytics: 

  • Cloud-BASED solutions are built for on-premises architecture – but stored in a cloud-hosted environment. The SIEM does the analytics in the cloud but needs additional compute/storage resources for enabling new functionalities. While it integrates cloud/on-premises systems, it still may require human interaction. 
  • Cloud-NATIVE solutions, in contrast, are built for cloud-native architectures from the ground up. Analytics sit on top of the cloud data lake, enabling flexibility in scaling analysis, storage, and processing for big data – and elastic storage allows storage and service processes to be scaled up and down on demand. 

Bottom line: While solutions that are cloud-based still require you to size up your infrastructure when scaling up or down, thereby increasing costs and slowing threat detection – solutions that are cloud-native can support scalable, agile, more cost-effective threat monitoring, detection, and response.

Optimize Your Transition to Azure-Native Detection & Response

The pace of digital transformation has accelerated. In response, security operations teams are adjusting their processes, transitioning to Software-as-a-Service (SaaS) security analytics platforms that streamline costs while increasing speed. 

Migrating to Azure-native detection and response can be unnecessarily costly if the shift is not optimized. Ensuring the use of “Best Practices” facilitates better threat detection and faster response both during the migration process itself and beyond. 


To optimize the migration process and focus on what really matters to your business, it is important to bring in practitioners who have experience applying their skills in real and complex environments. By partnering with an MDR provider like CyberProof, you gain the benefit of working with a team that has extensive experience with Azure security migration, thereby ensuring a successful cloud migration that minimizes costs and mitigates the risks.


To learn more about “Best Practices” in migrating from on-prem to cloud-based Threat Detection and Response, download the eBook here.

Ben Chant
Written by Ben Chant
Ben Chant is a Security Evangelist and Product Strategy professional, with specialist experience in delivering disruptive cyber security solutions to market and communicating the value they bring to businesses. Before joining CyberProof, Ben has worked with market-leading security organisations including PwC, NTT and BAE Systems. Ben is an applied practitioner, holding certifications in Cyber Security and Business.