Microsoft Sentinel Advanced Security Information Model (ASIM) schemas and parsers maintained by the Sentinel Blue SOC team.

sentinelblue/Microsoft-Sentinel-SB-ASIM

About

We maintain a collection of Sentinel Blue Advanced Security Information Model (ASIM) normalization parsers.

Specifically within the Azure Government region, we found a need to maintain a stable ASIM baseline for our Sentinel workspaces. We want to share this capability with whomever might find it useful. This repository holds the upstream additions we maintain for consistency and usefulness within our SOC.

Normalizing data within Sentinel, or within any complex data environment, is advantageous for a number of reasons, including:

  • Enhanced data analysis through normalized schemas
  • Simplified alert creation, since one alert can be applied to every data source of a schema
  • Documented sources, by mapping each to a well-known schema definition and format
  • Enrichments that live close to the data source and are applied wherever possible
  • Flexibility, because parsers place normalization outside of extract-transform-load (ETL) pipelines

Philosophy

🔵 Maintain consistency with Microsoft published schemas.

🔵 Additional parameters or content do not 'break' deployed alerting.

🔵 Use semantic versioning for our schemas/parsers to track versions.

Highlights and Additions

Note

We have made additions to extend the capability of the ASIM parsers. These additions sit 'on top' of the ASIM parsers provided by Microsoft. While using the ASIM parsers during analysis and alerting we saw the opportunity to expand their functionality.

Top 'extra' features:

✅ Pivot queries that can be copied and pasted to run the relevant next-hop query from an event.

✅ Additional parameters for the schema functions/parsers

✅ "Lookup" links in columns for relevant and well-known entities (e.g. abuse db IP lookup)

✅ Enrichments wherever possible (e.g. login codes mapped to relevant description)

Notes

File Types

We have found it useful to separate the raw KQL from the YAML definition files. The file names match except for their extensions. Automation combines the two files when creating the ARM template or deploying the parser.

Add-On Global Parameters

Warning

Each schema has unique parameters added.

| New Parameter | Description |
|---|---|
| pivot_lookback | Sets the lookback time used in the pivot queries provided with each event. Defaults to 30 days. |
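The following is an added illustration, not a parser from this repository, of how the 'extra' features above (pivot queries, lookup links, enrichments) and the `pivot_lookback` parameter fit into an ASIM-style parser function. The function name `SB_ASim_Authentication_Example`, the pivot column names and the error-code mapping are assumptions for this example; `SigninLogs` and the ASIM Authentication column names are Microsoft's.

```kql
// Hypothetical ASIM-style Authentication parser wrapper (example only).
// pivot_lookback is a scalar parameter with a default of 30 days, so
// existing callers keep working when the parameter is added.
let SB_ASim_Authentication_Example = (pivot_lookback:timespan = 30d) {
    SigninLogs
    // Normalize to ASIM Authentication schema column names
    | extend
        EventVendor    = "Microsoft",
        EventProduct   = "Entra ID",
        EventType      = "Logon",
        EventResult    = iff(ResultType == "0", "Success", "Failure"),
        TargetUsername = UserPrincipalName,
        SrcIpAddr      = IPAddress
    // Enrichment: map a sign-in result code to a readable description
    // (constructed mapping; extend with the codes your SOC cares about)
    | extend EventResultDetails = case(
        ResultType == "0",     "Success",
        ResultType == "50126", "Invalid username or password",
        strcat("Unmapped result code ", ResultType))
    // Pivot query: copy-paste KQL for other sign-ins from the same source IP,
    // anchored on this event's time and bounded by pivot_lookback
    | extend PivotQuery_SrcIp = strcat(
        "SigninLogs | where TimeGenerated between (datetime(",
        format_datetime(TimeGenerated - pivot_lookback, "yyyy-MM-dd HH:mm:ss"),
        ") .. datetime(",
        format_datetime(TimeGenerated, "yyyy-MM-dd HH:mm:ss"),
        ")) | where IPAddress == \"", SrcIpAddr, "\"")
    // Lookup link: reputation check for the source IP (AbuseIPDB, as mentioned above)
    | extend SrcIpAddr_Lookup = strcat("https://www.abuseipdb.com/check/", SrcIpAddr)
    | project-reorder TimeGenerated, EventVendor, EventProduct, EventType,
        EventResult, EventResultDetails, TargetUsername, SrcIpAddr,
        SrcIpAddr_Lookup, PivotQuery_SrcIp
};
// Override the default: 7-day pivot window, failed sign-ins only
SB_ASim_Authentication_Example(pivot_lookback=7d)
| where EventResult == "Failure"
| take 10
```

Calling `SB_ASim_Authentication_Example()` with no arguments uses the 30-day default, matching the behaviour described in the parameter table.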

Development

Planned next steps:

  • Add Deploy to Azure buttons for all parsers
  • Add all parsers
    • Audit
    • Authentication
    • DNS
    • DHCP
    • File
    • Network
    • Process
    • Registry
    • User Management
    • Web Session

Parser Directory

These are all of the ASIM parsers that are stored in this repository.

| Parser | Schema | Schema Version | Description | Deploy |
|---|---|---|---|---|
| Authentication Event | Authentication | 0.1.3 | Normalize authentication events across Entra ID data sources. | Deploy to Azure |
