| title | description | author | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|
Advanced Security Information Model (ASIM) security content | Microsoft Docs |
This article outlines the Microsoft Sentinel security content that uses the Advanced Security Information Model (ASIM). |
oshezaf |
reference |
11/09/2021 |
ofshezaf |
[!INCLUDE Banner for top of topics]
Normalized security content in Microsoft Sentinel includes analytics rules, hunting queries, and workbooks that work with unifying normalization parsers.
You can find normalized, built-in content in Microsoft Sentinel galleries and solutions, create your own normalized content, or modify existing content to use normalized data.
This article lists built-in Microsoft Sentinel content that has been configured to support the Advanced Security Information Model (ASIM). While links to the Microsoft Sentinel GitHub repository are provided below as a reference, you can also find these rules in the Microsoft Sentinel Analytics rule gallery. Use the linked GitHub pages to copy any relevant hunting queries.
To understand how normalized content fits within the ASIM architecture, refer to the ASIM architecture diagram.
Tip
Also watch the Deep Dive Webinar on Microsoft Sentinel Normalizing Parsers and Normalized Content or review the slides. For more information, see Next steps.
Important
ASIM is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
The following built-in authentication content is supported for ASIM normalization.
- Potential Password Spray Attack (Uses Authentication Normalization)
- Brute force attack against user credentials (Uses Authentication Normalization)
- User login from different countries within 3 hours (Uses Authentication Normalization)
- Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
The following built-in DNS query content is supported for ASIM normalization.
- (Preview) TI map Domain entity to DNS Events (ASIM DNS Schema)
- (Preview) TI map IP entity to DNS Events (ASIM DNS Schema)
- Potential DGA detected (ASimDNS)
- Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
- DNS events related to mining pools (ASIM DNS Schema)
- DNS events related to ToR proxies (ASIM DNS Schema)
- Known Barium domains
- Known Barium IP addresses
- Exchange Server Vulnerabilities Disclosed March 2021 IoC Match
- Known GALLIUM domains and hashes
- Known IRIDIUM IP
- NOBELIUM - Domain and IP IOCs - March 2021
- Known Phosphorus group domains/IP
- Known STRONTIUM group domains - July 2019
- Solorigate Network Beacon
- THALLIUM domains included in DCU takedown
- Known ZINC Comebacker and Klackring malware hashes
- Known CERIUM domains and hashes
- Known NICKEL domains and hashes
- NOBELIUM - Domain, Hash, and IP IOCs - May 2021
- Solorigate Network Beacon
The following built-in file activity content is supported for ASIM normalization.
- SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
- Exchange Server Vulnerabilities Disclosed March 2021 IoC Match
- HAFNIUM UM Service writing suspicious file
- NOBELIUM - Domain, Hash, and IP IOCs - May 2021
- SUNSPOT log file creation
- Known ZINC Comebacker and Klackring malware hashes
- DEV-0586 Actor IOC - January 2022
- NOBELIUM IOCs related to FoggyWeb backdoor
The following built-in network session related content is supported for ASIM normalization.
- Log4j vulnerability exploit aka Log4Shell IP IOC
- Excessive number of failed connections from a single source (ASIM Network Session schema)
- Potential beaconing activity (ASIM Network Session schema)
- (Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)
- Port scan detected (ASIM Network Session schema)
- Known Barium IP addresses
- Exchange Server Vulnerabilities Disclosed March 2021 IoC Match
- Known IRIDIUM IP
- NOBELIUM - Domain, Hash, and IP IOCs - May 2021
- Known STRONTIUM group domains - July 2019
- Threat Intelligence Workbook
The following built-in process activity content is supported for ASIM normalization.
- Probable AdFind Recon Tool Usage (Normalized Process Events)
- Base64 encoded Windows process command-lines (Normalized Process Events)
- Malware in the recycle bin (Normalized Process Events)
- NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
- SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
- Cscript script daily summary breakdown (Normalized Process Events)
- Enumeration of users and groups (Normalized Process Events)
- Exchange PowerShell Snapin Added (Normalized Process Events)
- Host Exporting Mailbox and Removing Export (Normalized Process Events)
- Invoke-PowerShellTcpOneLine Usage (Normalized Process Events)
- Nishang Reverse TCP Shell in Base64 (Normalized Process Events)
- Summary of users created using uncommon/undocumented commandline switches (Normalized Process Events)
- Powercat Download (Normalized Process Events)
- PowerShell downloads (Normalized Process Events)
- Entropy for Processes for a given Host (Normalized Process Events)
- SolarWinds Inventory (Normalized Process Events)
- Suspicious enumeration using Adfind tool (Normalized Process Events)
- Windows System Shutdown/Reboot (Normalized Process Events)
- Certutil (LOLBins and LOLScripts, Normalized Process Events)
- Rundll32 (LOLBins and LOLScripts, Normalized Process Events)
- Uncommon processes - bottom 5% (Normalized Process Events)
- Unicode Obfuscation in Command Line
The following built-in registry activity content is supported for ASIM normalization.
The following built-in web session related content is supported for ASIM normalization.
- (Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)
- (Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)
- Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Network Session schema)
- A client made a web request to a potentially harmful file (ASIM Web Session schema)
- A host is potentially running a crypto miner (ASIM Web Session schema)
- A host is potentially running a hacking tool (ASIM Web Session schema)
- A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)
- Discord CDN Risky File Download (ASIM Web Session Schema)
- Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
- Known Barium domains
- Known Barium IP addresses
- Known CERIUM domains and hashes
- Known IRIDIUM IP
- Known NICKEL domains and hashes
- NOBELIUM - Domain and IP IOCs - March 2021
- NOBELIUM - Domain, Hash, and IP IOCs - May 2021
- Known Phosphorus group domains/IP
- User agent search for log4j exploitation attempt
This article discusses the Advanced Security Information Model (ASIM) content.
For more information, see:
- Watch the Deep Dive Webinar on Microsoft Sentinel Normalizing Parsers and Normalized Content or review the slides
- Advanced Security Information Model (ASIM) overview
- Advanced Security Information Model (ASIM) schemas
- Advanced Security Information Model (ASIM) parsers
- Using the Advanced Security Information Model (ASIM)
- Modifying Microsoft Sentinel content to use the Advanced Security Information Model (ASIM) parsers