What Changed
A new QRadar Migration Data Collector has been added to the Microsoft Sentinel toolkit, providing automated extraction of custom detection rules and building blocks from IBM QRadar SIEM environments.
Tool Capabilities
Core Functions:
- Extracts custom QRadar detection rules via REST API
- Collects building blocks and rule dependencies
- Generates migration-ready CSV output with calculated migration columns
- Optional log sources inventory with activity tracking
Technical Features:
- Python 2.7.5+ and Python 3.x compatibility (Python 3 recommended)
- Secure API token authentication with hidden input
- SSL certificate verification controls for self-signed environments
- Batch processing with configurable page sizes
- Offline replay mode for cached data analysis
Migration Workflow Impact
This tool addresses the discovery phase of QRadar-to-Sentinel migrations by providing structured rule inventory and dependency mapping. Organizations migrating from QRadar can now systematically catalog their existing detection coverage before rebuilding rules in KQL format.
The collector generates timestamped CSV files (qradar_rules_YYYYMMDDHHMMSS.csv) containing rule metadata and migration assessment data, enabling migration teams to prioritise high-value detections and identify coverage gaps during the transition.
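Added example (not the collector's own code) showing two of the pieces described above: the page-window headers used to batch a QRadar REST collection, and the derivation of migration columns for each rule before writing the CSV. The record fields, the `building_blocks` list and the column names are this example's own assumptions, not the tool's schema.

```python
import csv
import io

# Constructed sample records (not real QRadar output) shaped like the
# id/name/type/origin/enabled fields of a /api/analytics/rules item;
# 'building_blocks' is a hypothetical field standing in for resolved deps.
SAMPLE_RULES = [
    {"id": 1001, "name": "Custom: Brute force then success", "type": "EVENT",
     "origin": "USER", "enabled": True,
     "building_blocks": ["BB:Auth Failure", "BB:Auth Success"]},
    {"id": 1002, "name": "Custom: Disabled test rule", "type": "EVENT",
     "origin": "USER", "enabled": False, "building_blocks": []},
    {"id": 100, "name": "Vendor: Default rule", "type": "COMMON",
     "origin": "SYSTEM", "enabled": True, "building_blocks": ["BB:Host"]},
]

def range_headers(total, page_size):
    """'Range: items=start-end' header values (end inclusive) for one pass."""
    return ["items=%d-%d" % (s, min(s + page_size, total) - 1)
            for s in range(0, total, page_size)]

def migration_columns(rule):
    """Calculated CSV columns (names are this example's own, not the tool's)."""
    custom = rule["origin"] in ("USER", "OVERRIDE")   # vendor content is SYSTEM
    deps = len(rule.get("building_blocks", []))
    if not custom:
        priority = "skip"        # default rules are not rebuilt in KQL as-is
    elif not rule["enabled"]:
        priority = "low"
    else:
        priority = "high" if deps else "medium"
    return {"is_custom": custom, "dependency_count": deps,
            "building_blocks": ";".join(rule.get("building_blocks", [])),
            "migration_priority": priority}

def rules_to_csv(rules):
    """Render rule metadata plus the calculated columns as CSV text."""
    fields = ["id", "name", "type", "origin", "enabled", "is_custom",
              "dependency_count", "building_blocks", "migration_priority"]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=fields)
    w.writeheader()
    for r in rules:
        row = {k: r[k] for k in fields[:5]}
        row.update(migration_columns(r))
        w.writerow(row)
    return buf.getvalue()
```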
Security Considerations
The tool includes a --skip-ssl-verify option for environments with self-signed certificates, with appropriate warnings about TLS validation bypass risks. API tokens are handled securely through hidden input prompts rather than command-line exposure.
Affected Files
Tools/QRadarMigration/README.md
Tools/QRadarMigration/qradar_collector.py