SIEM Migration: QRadar → Sentinel

Project Summary

Migration from IBM QRadar to Microsoft Sentinel with cost optimization through ETL pipeline filtering. Sentinel charges per GB ingested — the Monad ETL platform filters, transforms, and routes logs before ingestion to reduce volume while maintaining compliance.

Driver: Cost control — filter before ingest, not after.

Strategy: ETL pipeline between log sources and SIEM to reduce volume (target: 50-70% reduction).
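As an added illustration of the filter-before-ingest idea (this is not Monad's pipeline, nor the project's own jq transforms), the Python below routes syslog lines through an ordered rule list before they reach the per-GB-billed SIEM: security-relevant events are pinned to the SIEM target ahead of any bulk rule, bulk events go to cheap archive storage or are dropped, anything unmatched fails closed to the SIEM, and the run reports the resulting volume reduction. Category names, targets and the sample lines are constructed assumptions, not real ISE or FTD output.

```python
"""Pre-ingest filter: classify syslog lines as critical (forward to SIEM) or
bulk (archive cheaply or drop) before they are billed per GB.

Added example. Rule names, categories and sample lines are constructed
assumptions, not Monad's pipeline, the project's jq transforms, or real
ISE/FTD log formats.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Routing targets (assumed): "siem" = ingest into Sentinel (billed per GB),
# "archive" = cold storage retained for compliance, "drop" = discard.
SIEM, ARCHIVE, DROP = "siem", "archive", "drop"


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    target: str


# Ordered list: first match wins. Security-relevant categories come first so
# a later bulk or noise rule can never swallow them (the compliance constraint).
RULES = [
    Rule("auth-failure", re.compile(r"\bcat=AUTH_FAIL\b"), SIEM),
    Rule("admin-audit", re.compile(r"\bcat=ADMIN_AUDIT\b"), SIEM),
    Rule("fw-deny", re.compile(r"\baction=DENY\b"), SIEM),
    Rule("auth-success", re.compile(r"\bcat=AUTH_PASS\b"), ARCHIVE),
    Rule("fw-allow", re.compile(r"\baction=ALLOW\b"), ARCHIVE),
    Rule("accounting", re.compile(r"\bcat=ACCT_\w+"), ARCHIVE),
    Rule("debug-noise", re.compile(r"\bsev=DEBUG\b"), DROP),
]
# Fail closed: a line no rule recognises is forwarded, never silently lost.
DEFAULT = Rule("unmatched", re.compile(r""), SIEM)


def route(line: str) -> Rule:
    """Return the first rule whose pattern matches, else the fail-closed default."""
    for rule in RULES:
        if rule.pattern.search(line):
            return rule
    return DEFAULT


def run(lines: Iterable[str]) -> dict:
    """Route every line and report per-target counts and the byte reduction
    seen by the SIEM (the number to compare against the 50-70% target)."""
    counts = {SIEM: 0, ARCHIVE: 0, DROP: 0}
    bytes_in = bytes_siem = 0
    for line in lines:
        size = len(line.encode())
        bytes_in += size
        target = route(line).target
        counts[target] += 1
        if target == SIEM:
            bytes_siem += size
    reduction = round(100 * (1 - bytes_siem / bytes_in), 1) if bytes_in else 0.0
    return {"counts": counts, "bytes_in": bytes_in,
            "bytes_to_siem": bytes_siem, "reduction_pct": reduction}


# Constructed key=value syslog-style samples (not real ISE/FTD output).
SAMPLE_LOGS = [
    "<134>ise-psn1 cat=AUTH_PASS user=jdoe nas=sw-01 sev=INFO",
    "<132>ise-psn1 cat=AUTH_FAIL user=admin nas=sw-01 reason=bad_password sev=WARN",
    "<134>ise-psn2 cat=ACCT_UPDATE user=jdoe session=abc123 sev=INFO",
    "<134>ise-pan1 cat=ADMIN_AUDIT admin=root change=policy-set sev=INFO",
    "<134>ftd-01 action=ALLOW src=10.0.0.5 dst=10.0.1.9 dport=443 sev=INFO",
    "<131>ftd-01 action=DENY src=203.0.113.7 dst=10.0.1.9 dport=22 sev=ERR",
    "<135>ise-psn3 cat=AUTH_PASS user=asmith nas=wlc-01 sev=DEBUG",
    "<135>sw-01 msg=link-flap port=Gi1/0/7 sev=DEBUG",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        r = route(entry)
        print(f"{r.target:8} {r.name:13} {entry}")
    print(run(SAMPLE_LOGS))
```

Two design choices matter more than the regexes: rule order (a critical category matched first is never demoted by a later noise rule, so the DEBUG-severity auth line still lands in the archive rather than being dropped) and the fail-closed default (a new log source that no rule knows about costs money rather than vanishing). The reported `reduction_pct` is only meaningful once the real log source inventory supplies real proportions.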

Decision: Monad (vendor) selected 2026-03-09 by CISO. In-house alternative evaluated but rejected — enterprise accountability and support outweigh DIY control.

Status

Component | Description | Status | Notes
--- | --- | --- | ---
Monad Evaluation | ETL pipeline tool assessment: API, trial, connector mapping | ✅ Done | Trial 2026-03-10/11. 7 connectors verified.
In-House Alternative | Build with rsyslog/Vector/DCR (no vendor) | ✅ Done | Not selected; vendor accountability preferred
SDK Integration | Custom ISE/FTD transforms, pipeline-as-code, CI/CD | 🟡 In progress | Architecture and jq patterns done. Deployment pending.
Log Source Inventory | Catalog all sources, volumes, protocols | ❌ Not started | ISE, FTD, switches, WLC
Filtering Strategy | Critical vs bulk classification rules | ❌ Not started | Depends on log source inventory
Cost Analysis | Current QRadar vs projected Sentinel costs | ❌ Not started | Monad licensing cost TBD
Implementation Plan | Phased rollout: PoC → Pilot → Production → Decommission | ❌ Not started |
QRadar Decommission | Sunset QRadar after Sentinel validated | ❌ Not started |

Decision

Selected: Monad (Vendor)
Decided by: CISO
Date: 2026-03-09
Rationale: Liability, vendor accountability, support

In-house alternative evaluated but rejected. Enterprise accountability and support outweigh DIY control benefits.

Scope

Log sources under evaluation:

  • ISE RADIUS — pPAN/sPAN, pMNT/sMNT, 4 PSNs

  • ISE TACACS — 2 standalone servers

  • Firewall — FTD sensors, FMC

  • Network Devices — switches, routers, WLC

Open Questions

  1. ISE Log Splitting — Can ISE MnT send different categories to different syslog targets?

  2. FMC eStreamer — Does Monad have a native eStreamer connector or syslog only? Resolved: syslog only.

  3. Deployment Model — SaaS vs on-prem for healthcare environment?

  4. Compliance — SOC 2, HIPAA certifications for Monad?

  5. Sentinel Connector — Native integration or HTTP output? Resolved: native msft-sentinel connector.

Notes

Personal project workspace. Conceptual designs only — no sensitive infrastructure data.

PRJ ID: PRJ-2026-03-qradar-sentinel
Author: Evan Rosado
Created: 2026-03-09
Updated: 2026-04-06
Status: Active — SDK integration phase
Category: SIEM Migration
Priority: P0 (critical security infrastructure)
Decision Date: 2026-03-09 (CISO selected Monad vendor)
Stakeholders: CISO, InfoSec team, SOC