QRadar → Sentinel Migration: Current State

Overview

This document captures the current state of the QRadar → Microsoft Sentinel migration effort as of April 9, 2026. Work is being conducted by Evan Rosado (ISE Engineer III) under the direction of Sarah Clizer (Deputy CISO). Monad has been selected as the pipeline orchestration layer but is currently in the planning phase. No pipelines are active yet.

Data Collection

AQL Exports

Initial data collection was performed via QRadar’s Ariel Query Language (AQL) using the QRadar console and subsequently via the REST API. The following query was used to extract log source inventory with event metrics:

SELECT
  LOGSOURCENAME(logsourceid)     AS LogSource,
  LOGSOURCETYPENAME(devicetype)  AS LogSourceType,
  QIDNAME(qid)                   AS EventName,
  CATEGORYNAME(category)         AS Category,
  severity,
  credibility,
  relevance,
  magnitude,
  COUNT(*)                       AS EventCount
FROM events
GROUP BY logsourceid, devicetype, qid, category, severity, credibility, relevance, magnitude
ORDER BY LogSource, EventCount DESC

Data Scope and Limitations

Item | Detail
Data window | April 5-8, 2026 (3 days)
Ariel retention | Approximately 3 days available at time of export. Ticket required to extend.
Raw grouped records | 1,176,902
Total events (3-day) | 2,239,727
Projected monthly events | Approximately 22.4 million (extrapolated from 3-day window)
Projected monthly ingest | Approximately 11.2 GB (estimated at 500 bytes/event)
Financial projections | Not included. Pending confirmation of Sentinel workspace tier and Monad contract pricing.

The 500 bytes/event figure is an assumption. Replace with actual QRadar storage statistics for accurate cost modeling.

QRadar API Access

Elevated API access was granted via an Authorized Service token. API calls are authenticated using the SEC header per QRadar REST API standards. Secrets are managed via the dsec helper, which sources them from the d001 domain registry into the shell environment.

The API workflow for AQL searches follows three steps:

  1. Submit query via POST /api/ariel/searches?query_expression=…

  2. Poll status via GET /api/ariel/searches/{search_id}

  3. Fetch results via GET /api/ariel/searches/{search_id}/results

Results are returned as JSON, which is preferable to CSV for pipeline integration and type preservation.
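The three-step exchange above, written out as an added Python example. This is illustrative code, not the shell script planned under Next Steps and not QRadar's own client. It assumes the Ariel API response fields search_id, status (WAIT/EXECUTE/COMPLETED/CANCELED/ERROR) and events; the environment variable name, host name and the FakeQRadar responder are constructed for an offline run. The token is sent only in the SEC header, never in the query string, so it stays out of proxy and web server access logs, and urlopen keeps certificate verification on.

```python
import json
import os
import time
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers):
    """Default transport: send the request and return (HTTP status, parsed JSON body).
    urlopen verifies the server certificate by default; leave that in place."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.load(resp)


def run_aql_search(base_url, token, query, transport=urllib_transport,
                   poll_interval=2.0, max_polls=150):
    """Submit an AQL search, poll it to completion, and fetch the results as JSON.
    The Authorized Service token travels only in the SEC header, not in the URL."""
    headers = {"SEC": token, "Accept": "application/json"}
    query_string = urllib.parse.urlencode({"query_expression": query})

    # Step 1: submit. The search id comes back in the response body.
    status, body = transport("POST", f"{base_url}/api/ariel/searches?{query_string}", headers)
    if status not in (200, 201):
        raise RuntimeError(f"search submission failed with HTTP {status}")
    search_id = body["search_id"]

    # Step 2: poll until the search reaches a terminal state.
    for _ in range(max_polls):
        status, body = transport("GET", f"{base_url}/api/ariel/searches/{search_id}", headers)
        state = body["status"]
        if state == "COMPLETED":
            break
        if state in ("CANCELED", "ERROR"):
            raise RuntimeError(f"search {search_id} ended in state {state}")
        time.sleep(poll_interval)
    else:
        raise TimeoutError(f"search {search_id} did not complete after {max_polls} polls")

    # Step 3: fetch. For queries FROM events the body carries an "events" array (assumed).
    status, body = transport("GET", f"{base_url}/api/ariel/searches/{search_id}/results", headers)
    if status != 200:
        raise RuntimeError(f"result fetch failed with HTTP {status}")
    return body["events"]


class FakeQRadar:
    """Constructed stand-in for the QRadar side of the exchange (offline demo only).
    It answers WAIT, then EXECUTE, then COMPLETED, and records every request."""

    def __init__(self):
        self.calls = []
        self.polls = 0
        self.events = [{"LogSource": "fw-core", "EventName": "Deny", "EventCount": 60000}]

    def __call__(self, method, url, headers):
        self.calls.append((method, url, dict(headers)))
        path = url.split("?", 1)[0]
        if method == "POST" and path.endswith("/api/ariel/searches"):
            return 201, {"search_id": "abc123", "status": "WAIT"}
        if path.endswith("/api/ariel/searches/abc123/results"):
            return 200, {"events": self.events}
        if path.endswith("/api/ariel/searches/abc123"):
            self.polls += 1
            return 200, {"status": ["WAIT", "EXECUTE", "COMPLETED"][min(self.polls - 1, 2)]}
        return 404, {"message": "not found"}


if __name__ == "__main__":
    # Real use: the token is sourced into the environment by dsec (variable name assumed).
    token = os.environ.get("QRADAR_SEC_TOKEN", "placeholder-token")
    events = run_aql_search("https://qradar.example.internal", token,
                            "SELECT LOGSOURCENAME(logsourceid) AS LogSource, COUNT(*) AS EventCount "
                            "FROM events GROUP BY logsourceid LAST 3 DAYS",
                            transport=FakeQRadar(), poll_interval=0)
    print(json.dumps(events, indent=2))
```

Swapping FakeQRadar for urllib_transport (the default) turns the same function into the real pull; keeping the transport injectable is what makes the submit/poll/fetch logic testable without a console.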

Migration Analysis Report

Report Generation

A Python-based migration analysis report was developed using pandas, matplotlib, and openpyxl. The report is generated via uv run with no permanent dependency installation required. Output is an Excel workbook (migration_report_v5.xlsx) containing 12 sheets and 12 embedded charts.

Report Sheets

Sheet | Description
Glossary | Definitions for every column and sheet. Scoring methodology and data caveats documented.
ExecutiveSummary | Leadership-facing overview. No cost figures. Projections and key inventory counts only.
SourceSummary | Full log source table with readiness scores, weighted risk, and migration priority.
UniqueLogSources | Complete log source inventory with type, event volume, and average health metrics.
MigrationPlan | Phase-sorted migration plan with fillable SentinelConnector and Notes columns.
CategoryBreakdown | QRadar event categories ranked by total event volume with percentage share.
SeverityDistribution | Events bucketed into Low/Medium/High severity bands.
MagnitudeDistribution | Events bucketed by QRadar magnitude score.
RiskScores | Sources ranked by weighted risk (magnitude × volume).
LogSourceTypes | Event volume by log source type for Sentinel connector mapping.
PhaseSummary | Rollup of sources, events, and average readiness per migration phase.
RawData | Full AQL export: every unique combination of source, event type, and metrics.
Charts | 12 embedded charts covering volume, priority, severity, risk, readiness, and cost.

Scoring Methodology

ReadinessScore (0-100)

Composite score per log source combining three normalized components:

  • Volume score (30%) - lower projected monthly volume = higher score

  • Diversity score (30%) - fewer unique event types = higher score

  • Risk score (40%) - lower weighted risk = higher score

Formula:

readiness = (vol_score * 0.3 + div_score * 0.3 + risk_score * 0.4) * 100

WeightedRisk

Magnitude weighted by event volume per source:

weighted_risk = sum(magnitude * event_count) / total_events

MigrationPriority

Based on projected 30-day event volume:

Priority | Threshold
High | >= 500,000 events/month
Medium | 10,000 - 499,999 events/month
Low | < 10,000 events/month

MigrationPhase

Phase | Criteria
Phase 1 | High priority and ReadinessScore >= 50
Phase 2 | High priority with ReadinessScore < 50, or Medium priority
Phase 3 | Low priority
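The scoring methodology above (ReadinessScore, WeightedRisk, MigrationPriority and MigrationPhase), applied end to end to a handful of constructed AQL-style grouped rows. This is an added standalone example in plain Python, not the pandas code of migration_report_v5.xlsx. The source names, event names, magnitudes and counts are made up; min-max scaling is assumed for the "normalized components", since the methodology does not say which normalization is used.

```python
from collections import defaultdict

# Constructed grouped rows in the shape of the AQL export:
# (LogSource, EventName, magnitude, EventCount) over a 3-day window. Made-up values.
SAMPLE_ROWS = [
    ("fw-core",    "Deny",            3, 60000),
    ("fw-core",    "Allow",           1, 40000),
    ("dc01",       "Logon Success",   3,  3000),
    ("dc01",       "Logon Failure",   7,  1500),
    ("dc01",       "Account Lockout", 9,   300),
    ("dc01",       "Service Start",   2,  1200),
    ("printer-01", "Status",          1,    90),
    ("vpn-gw",     "Auth Failed",     8, 90000),
    ("vpn-gw",     "Auth OK",         3, 60000),
]
WINDOW_DAYS = 3


def projected_monthly(rows, window_days=WINDOW_DAYS):
    """Extrapolate the window's event count to 30 days."""
    return sum(count for _, _, _, count in rows) * 30 / window_days


def weighted_risk(rows):
    """WeightedRisk: sum(magnitude * event_count) / total_events for one source."""
    total = sum(count for _, _, _, count in rows)
    return sum(mag * count for _, _, mag, count in rows) / total


def inverted_minmax(values):
    """Scale raw values to 0..1 so the LOWEST raw value scores 1.0.
    Min-max scaling is an assumption; the methodology only says 'normalized'.
    If every source has the same value there is nothing to rank, so all get 1.0."""
    lo, hi = min(values.values()), max(values.values())
    if hi == lo:
        return {k: 1.0 for k in values}
    return {k: 1.0 - (v - lo) / (hi - lo) for k, v in values.items()}


def migration_priority(monthly_events):
    if monthly_events >= 500_000:
        return "High"
    if monthly_events >= 10_000:
        return "Medium"
    return "Low"


def migration_phase(priority, readiness):
    if priority == "High" and readiness >= 50:
        return 1
    if priority in ("High", "Medium"):
        return 2
    return 3


def score_sources(rows):
    """Apply the ReadinessScore / WeightedRisk / MigrationPriority / MigrationPhase rules."""
    by_source = defaultdict(list)
    for row in rows:
        by_source[row[0]].append(row)

    volume = {s: projected_monthly(r) for s, r in by_source.items()}
    diversity = {s: len({name for _, name, _, _ in r}) for s, r in by_source.items()}
    risk = {s: weighted_risk(r) for s, r in by_source.items()}

    vol_score = inverted_minmax(volume)      # lower volume -> higher score (30%)
    div_score = inverted_minmax(diversity)   # fewer types  -> higher score (30%)
    risk_score = inverted_minmax(risk)       # lower risk   -> higher score (40%)

    result = {}
    for s in by_source:
        readiness = (vol_score[s] * 0.3 + div_score[s] * 0.3 + risk_score[s] * 0.4) * 100
        priority = migration_priority(volume[s])
        result[s] = {
            "monthly_events": volume[s],
            "unique_events": diversity[s],
            "weighted_risk": risk[s],
            "readiness": readiness,
            "priority": priority,
            "phase": migration_phase(priority, readiness),
        }
    return result


if __name__ == "__main__":
    for source, r in sorted(score_sources(SAMPLE_ROWS).items(), key=lambda kv: kv[1]["phase"]):
        print(f"{source:12} phase {r['phase']}  {r['priority']:6}  "
              f"readiness {r['readiness']:5.1f}  risk {r['weighted_risk']:.2f}")
```

Two caveats worth keeping in the Glossary: because each component is scaled against the other sources in the same run, a source's ReadinessScore moves when sources are added or removed, so scores are only comparable within one report; and a 3-day window undercounts rare event types, which inflates the diversity score for sources whose noisy events only appear weekly or monthly.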

ISE / MSCHAPv2 Migration (Parallel Workstream)

ISE DataConnect was queried via netapi ise dc query against the MNT node on port 2484. The following views were identified as relevant to the MSCHAPv2 → EAP-TLS/TEAP migration:

View | Relevance
RADIUS_AUTHENTICATIONS_WEEK | Auth method breakdown. Identifies endpoints still on MSCHAPv2 vs EAP-TLS/TEAP.
MISCONFIGURED_SUPPLICANTS_VIEW | 70,294 records. Endpoints with supplicant misconfigurations directly relevant to migration.
ENDPOINTS_DATA | Full endpoint inventory for coverage mapping.
RADIUS_ERRORS_VIEW | Failed auth analysis per protocol.

TIMESTAMP(6) WITH TIME ZONE columns cause DPY-3022 errors in oracledb thin mode. Avoid selecting such columns directly; select plain TIMESTAMP columns instead, or cast the value in the query as needed.

Key field for MSCHAPv2 identification: AUTHENTICATION_PROTOCOL in RADIUS_AUTHENTICATIONS_WEEK. Wireless sessions are filtered via NAS_PORT_TYPE = 'Wireless - IEEE 802.11'.
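The identification rule above (AUTHENTICATION_PROTOCOL plus the NAS_PORT_TYPE wireless filter), applied to a constructed CSV in the shape of a DataConnect export of RADIUS_AUTHENTICATIONS_WEEK. This is an added example, not the pending MSCHAPv2 pandas report. AUTHENTICATION_PROTOCOL and NAS_PORT_TYPE are the column names given above; CALLING_STATION_ID (endpoint MAC) and USER_NAME are assumed column names, and the protocol strings and MAC addresses are made up. The protocol match is a substring test so that both bare MSCHAPV2 and inner-method forms such as "PEAP (EAP-MSCHAPv2)" are counted as legacy.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed export; rows, MACs and protocol strings are illustrative.
SAMPLE_CSV = """CALLING_STATION_ID,USER_NAME,AUTHENTICATION_PROTOCOL,NAS_PORT_TYPE
AA-BB-CC-00-00-01,jdoe,PEAP (EAP-MSCHAPv2),Wireless - IEEE 802.11
AA-BB-CC-00-00-01,jdoe,PEAP (EAP-MSCHAPv2),Wireless - IEEE 802.11
AA-BB-CC-00-00-02,asmith,EAP-TLS,Wireless - IEEE 802.11
AA-BB-CC-00-00-03,host/lap03,TEAP (EAP-TLS),Wireless - IEEE 802.11
AA-BB-CC-00-00-04,bjones,MSCHAPV2,Ethernet
AA-BB-CC-00-00-05,clee,PEAP (EAP-MSCHAPv2),Wireless - IEEE 802.11
"""

WIRELESS = "Wireless - IEEE 802.11"  # NAS_PORT_TYPE value used for the wireless filter


def is_mschapv2(protocol):
    """True for any protocol string that carries MSCHAPv2, including inner methods
    such as 'PEAP (EAP-MSCHAPv2)' and hyphenated spellings such as 'MS-CHAPv2'."""
    return "MSCHAPV2" in protocol.upper().replace("-", "")


def wireless_auth_breakdown(csv_text):
    """Per-protocol session counts for wireless sessions, plus the endpoint sets
    still authenticating with MSCHAPv2 and those already on EAP-TLS/TEAP."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    wireless = [r for r in rows if r["NAS_PORT_TYPE"] == WIRELESS]

    sessions_by_protocol = Counter(r["AUTHENTICATION_PROTOCOL"] for r in wireless)
    endpoints_by_protocol = defaultdict(set)
    for r in wireless:
        endpoints_by_protocol[r["AUTHENTICATION_PROTOCOL"]].add(r["CALLING_STATION_ID"])

    # An endpoint counts as "still on MSCHAPv2" if it had any MSCHAPv2 wireless
    # session in the window, even if it also completed EAP-TLS/TEAP sessions.
    legacy = {r["CALLING_STATION_ID"] for r in wireless if is_mschapv2(r["AUTHENTICATION_PROTOCOL"])}
    modern = {r["CALLING_STATION_ID"] for r in wireless
              if not is_mschapv2(r["AUTHENTICATION_PROTOCOL"])} - legacy

    return {
        "wireless_sessions": len(wireless),
        "sessions_by_protocol": dict(sessions_by_protocol),
        "endpoints_by_protocol": {p: sorted(e) for p, e in endpoints_by_protocol.items()},
        "mschapv2_endpoints": sorted(legacy),
        "migrated_endpoints": sorted(modern),
    }


if __name__ == "__main__":
    summary = wireless_auth_breakdown(SAMPLE_CSV)
    for protocol, count in summary["sessions_by_protocol"].items():
        print(f"{protocol:25} {count:6} sessions  {len(summary['endpoints_by_protocol'][protocol])} endpoints")
    print("still on MSCHAPv2:", summary["mschapv2_endpoints"])
```

The same function can be pointed at the real CSV once the DataConnect exports land; the wired rows are dropped up front so that a wired MSCHAPv2 session does not put an endpoint on the wireless migration list.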

Open Items

Item | Detail | Owner
QRadar Ariel retention | Current approximately 3 days. Ticket needed to extend for a 30-day baseline. | Evan Rosado
Financial projections | Pending Sentinel workspace tier confirmation from Azure Portal and Monad contract pricing. | Sarah Clizer / Victor Negri
QRadar offense/asset data | API token granted. Offense and asset endpoints to be mapped next. | Evan Rosado
Sentinel connector mapping | LogSourceType column in MigrationPlan sheet needs manual mapping to Sentinel connectors. | Evan Rosado
MSCHAPv2 pandas report | ISE DataConnect exports in progress. Report build pending CSV collection. | Evan Rosado
Monad pipeline manifest | Pending Monad contract and pricing confirmation before pipeline definitions are built. | Sarah Clizer / Evan Rosado

Next Steps

  1. Automate QRadar API pull via shell script - submit, poll, fetch in one command

  2. Map LogSourceType values to Sentinel data connectors

  3. Pull offense and asset data via QRadar REST API

  4. Complete ISE DataConnect exports for MSCHAPv2 report

  5. Build MSCHAPv2 pandas report using the same pattern as the migration report

  6. Open ticket to extend QRadar Ariel retention beyond 3 days

  7. Confirm Sentinel workspace tier and Monad pricing before adding cost projections

Tools and Dependencies

Tool | Purpose
uv | Ephemeral Python environment. No system installs required.
pandas | Data aggregation and analysis.
matplotlib | Chart generation (Agg backend, no display required).
openpyxl | Excel workbook generation with embedded charts.
netapi | Rust-based ISE CLI for DataConnect queries.
dsec | Secret management helper that sources domain registry values into the shell environment.
curl + jq | QRadar REST API interaction and JSON processing.
AQL | QRadar Ariel Query Language for event data extraction.