Hi All
I have been working to create an approach for customer migrations from an existing SPLUNK SIEM (on prem) to Google Chronicle. Another use case is SPLUNK PHANTOM to CHRONICLE SOAR migration.
In both cases it is difficult to map the migration approach, and surprisingly there is no detailed documentation in Google's docs. I am trying to map the Splunk log format (CIM) but need parsers, as it is not supported.
Use cases, alert migrations, war rooms, dashboards, etc. I am not going with the SIEM Augmentation approach. Can anyone help with the best approach and practices to migrate? Another point is how to migrate the archived logs or present logs (in TBs) from Splunk to Google Chronicle. Please suggest.
I really didn't find much documentation on migrating from Splunk to Chronicle SIEM, but the basic architecture would be to configure Splunk, via outputs.conf, to forward the logs to the Chronicle Forwarder. Splunk must have the CIM Add-on installed. An ingestion label identifies the parser that normalizes the raw log data to structured UDM format.
Data Source -> Splunk -> Chronicle Forwarder -> Chronicle.
[]'s
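The Splunk side of the forwarding path described in the answer above, as an added example that is not part of the original thread: a syslog output group in outputs.conf pointing at the Chronicle Forwarder, plus the props.conf/transforms.conf pair that routes one sourcetype into it. The forwarder address 10.0.0.5:10514, the group name chronicle_forwarder and the sourcetype pan:traffic are assumptions chosen for illustration; replace them with your own values.

```ini
# --- outputs.conf (on a heavy forwarder or indexer) ---
# Syslog output needs parsed data, so it is not available on a universal
# forwarder. The global [syslog] stanza names the default target group.
[syslog]
defaultGroup = chronicle_forwarder

# One target group per Chronicle Forwarder collector. The address and port
# are assumed values; the port must match the forwarder's syslog collector.
[syslog:chronicle_forwarder]
server = 10.0.0.5:10514
type = tcp
# Syslog PRI header prepended to every event (facility 1 / severity 5).
priority = <13>
timestampformat = %b %e %H:%M:%S

# --- props.conf ---
# Attach a routing transform to the sourcetype you want in Chronicle.
# "pan:traffic" is an assumed sourcetype; use one that exists in your index.
[pan:traffic]
TRANSFORMS-route_to_chronicle = send_to_chronicle

# --- transforms.conf ---
# Match every event of that sourcetype and set the syslog routing key to the
# output group defined in outputs.conf.
[send_to_chronicle]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = chronicle_forwarder
```

On the Chronicle side, the forwarder's syslog collector listens on that port and carries the ingestion label (the log type that selects the UDM parser), so one output group per log type keeps the mapping unambiguous. Splunk's syslog output is plaintext TCP, so keep the Chronicle Forwarder on the same trusted network segment as the heavy forwarder, or tunnel the hop, rather than sending raw logs across an untrusted network.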