We maintain a collection of Sentinel Blue maintained Advanced Security Information Model (ASIM) normalization parsers for Microsoft Sentinel.
Within the Azure Government region specifically, we found we needed a stable baseline of ASIM parsers for our Sentinel workspaces. We want to share that work with whoever might find it useful. This repo holds the additions we layer on top of the upstream parsers, kept consistent and useful for our SOC.
Normalizing data within Sentinel, or within any complex data environment, is advantageous for a number of reasons:
- Improve analysis by querying normalized schemas instead of each source's native format
- Simplify detection authoring: a rule written against a schema applies to every data source mapped to it
- Document sources by mapping them to a well-known schema definition and format
- Move enrichments close to the data source and apply them consistently wherever possible
- Parsers provide flexibility by placing normalization outside of extract-transform-load (ETL) pipelines, so it can change at query time without re-ingesting data
🔵 Maintain consistency with Microsoft-published schemas.
🔵 Additional parameters or content must not break already deployed alerting.
🔵 Use semantic versions for our schemas/parsers so consumers can pin a known version.
Note
We have extended the capability of the ASIM parsers. These additions sit 'on top' of the ASIM parsers provided by Microsoft. While using the ASIM parsers during analysis and alerting we saw the opportunity to expand their functionality.
Top 'extra' features:
✅ Pivot queries, ready to copy and paste, for the relevant next-hop investigation of each event
✅ Additional parameters for the schema functions/parsers
✅ "Lookup" links in columns for relevant and well-known entities (e.g. an abuse-database IP reputation lookup)
✅ Enrichments wherever possible (e.g. sign-in result codes mapped to their description)
We have found it useful to separate the raw KQL from the YAML definition files. The file names match except for the extension; automation combines each pair for ARM template creation or deployment.
Warning
Each schema has unique parameters added.

| New Parameter | Description |
|---|---|
| pivot_lookback | Sets the lookback time used in the pivot queries emitted with each event. Defaults to 30 days. |
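The two conventions above, a KQL file paired with a YAML definition that automation combines, and schema functions that carry extra parameters such as `pivot_lookback`, can be shown together. The script below is an added example and is not the repository's own automation: it takes a definition (shown as a Python dict mirroring the YAML keys, so it runs without extra packages) and its query body, checks that the version is semantic and that every declared parameter is actually referenced by the query, and emits an ARM template for a Log Analytics saved function. The parser alias `vimAuthenticationEntraIDSB`, the definition field names, the saved-search property names and the sample query body are all assumptions for illustration.

```python
"""Combine a parser definition (the .yaml side) with its query (the .kql side)
into an ARM template for a Microsoft Sentinel saved function.

Hypothetical example, not the repository's own automation. The definition is a
Python dict standing in for the YAML file; field names (Title, Version,
ParserName, ParserParams) and the saved-search property names (FunctionAlias,
functionParameters) are assumed here."""
import json
import re

# Constructed definition, standing in for a file such as <parser>.yaml.
DEFINITION = {
    "Parser": {
        "Title": "Authentication Event parser for Entra ID",
        "Version": "0.1.3",
        "ParserName": "vimAuthenticationEntraIDSB",  # hypothetical alias
    },
    "ParserParams": [
        {"Name": "starttime", "Type": "datetime", "Default": "datetime(null)"},
        {"Name": "endtime", "Type": "datetime", "Default": "datetime(null)"},
        {"Name": "pivot_lookback", "Type": "timespan", "Default": "30d"},
    ],
}

# Constructed query body, standing in for the matching <parser>.kql. It shows
# how the extra pivot_lookback parameter feeds a copy-pasteable PivotQuery
# column: the pivot covers [TimeGenerated - pivot_lookback .. TimeGenerated].
KQL = """\
SigninLogs
| where (isnull(starttime) or TimeGenerated >= starttime)
    and (isnull(endtime) or TimeGenerated <= endtime)
| extend
    EventType = "Logon",
    EventResult = iff(ResultType == "0", "Success", "Failure"),
    TargetUsername = UserPrincipalName,
    SrcIpAddr = IPAddress
| extend PivotQuery = strcat(
    "SigninLogs | where TimeGenerated between (datetime(",
    tostring(TimeGenerated - pivot_lookback), ") .. datetime(",
    tostring(TimeGenerated), ")) | where IPAddress == '", SrcIpAddr, "'")
"""

SEMVER = re.compile(r"^\d+\.\d+\.\d+$")


def validate(definition: dict, kql: str) -> list:
    """Checks a deployment should fail on: the version must be MAJOR.MINOR.PATCH,
    and every declared parameter must be referenced by the query, otherwise a
    typo in either file deploys silently and surprises callers."""
    problems = []
    version = definition["Parser"]["Version"]
    if not SEMVER.match(version):
        problems.append(f"Version {version!r} is not MAJOR.MINOR.PATCH")
    for param in definition["ParserParams"]:
        name = param["Name"]
        if not re.search(rf"\b{re.escape(name)}\b", kql):
            problems.append(f"parameter {name!r} is declared but never used")
    return problems


def function_parameters(definition: dict) -> str:
    """Signature string for the saved function: 'name:type=default,...'."""
    return ",".join(
        f"{p['Name']}:{p['Type']}={p['Default']}" for p in definition["ParserParams"]
    )


def build_arm_template(definition: dict, kql: str) -> dict:
    """ARM template with one savedSearches resource exposing the query as a
    function. Raises if validate() finds anything, so CI stops the deployment."""
    problems = validate(definition, kql)
    if problems:
        raise ValueError("; ".join(problems))
    parser = definition["Parser"]
    alias = parser["ParserName"]
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {"Workspace": {"type": "string"}},
        "resources": [{
            "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
            "apiVersion": "2020-08-01",
            "name": f"[concat(parameters('Workspace'), '/{alias}')]",
            "properties": {
                "etag": "*",
                "displayName": parser["Title"],
                "category": "ASIM",
                "FunctionAlias": alias,
                "query": kql,
                "version": 1,
                "functionParameters": function_parameters(definition),
            },
        }],
    }


if __name__ == "__main__":
    print(json.dumps(build_arm_template(DEFINITION, KQL), indent=2))
```

The unused-parameter check is the one that matters for the goal of not breaking deployed alerting: a parameter that is declared in the YAML but missing from the KQL still deploys, but rules that pass it get no effect, and a parameter used in the KQL but absent from the YAML fails at query time for every rule that calls the parser.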
Next steps:
- Add Deploy to Azure buttons for all parsers
- Add all parsers
  - Audit
  - Authentication
  - DNS
  - DHCP
  - File
  - Network
  - Process
  - Registry
  - User Management
  - Web Session
These are all of the ASIM parsers that are stored in this repository.

| Parser | Schema | Schema Version | Description | Deploy |
|---|---|---|---|---|
| Authentication Event | Authentication | 0.1.3 | Normalize authentication events across Entra ID data sources. | |