| title | description | author | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|
Advanced Security Information Model (ASIM) helper functions | Microsoft Docs |
This article outlines the Microsoft Sentinel Advanced Security Information Model (ASIM) helper functions. |
oshezaf |
reference |
06/07/2021 |
ofshezaf |
[!INCLUDE Banner for top of topics]
Advanced Security Information Model (ASIM) helper functions extend the KQL language providing functionality that helps interact with normalized data and in writing parsers. The following is a list of ASIM help functions:
Scalar functions are used in expressions are typically invoked as part of an extend statement.
| Function | Input parameters | Output | Description |
|---|---|---|---|
| _ASIM_GetSourceBySourceType | SourceType (String) | List of sources (dynamic) | Retrieve the list of sources associated with the input source type from the SourceBySourceType Watchlist. This function is intended for use by parsers writers. |
| _ASIM_LookupDnsQueryType | QueryType (Integer) | Query Type Name | Translate a numeric DNS resource record (RR) type to its name, as defined by IANA |
| _ASIM_LookupDnsResponseCode | ResponseCode (Integer) | Response Code Name | Translate a numeric DNS response code (RCODE) to its name, as defined by IANA |
Tabular functions are invoked using the invoke operator and return value by adding fields to the data set, as if they perform extend.
| Function | Input parameters | Extended fields | Description |
|---|---|---|---|
| _ASIM_ResolveDnsQueryType | field (String) | DnsQueryTypeName |
Translate a numeric DNS resource record (RR) type stored in the field specified to its name, as defined by IANA, and assigns the result to the field DnsQueryTypeName |
| _ASIM_LookupDnsResponseCode | field (String) | DnsResponseCodeName |
Translate a numeric DNS response code (RCODE) stored in the field specified to its name, as defined by IANA, and assigns the result to the field DnsResponseCodeName |
| _ASIM_ResolveFQDN | field (String) | - ExtractedHostname- Domain- DomainType - FQDN |
Analyzes the value in the field specified and set the output fields accordingly. For more information, see example in the article about developing parsers. |
| _ASIM_ResolveSrcFQDN | field (String) | - SrcHostname- SrcDomain- SrcDomainType- SrcFQDN |
Similar to _ASIM_ResolveFQDN, but sets the Src fields |
| _ASIM_ResolveDstFQDN | field (String) | - DstHostname- DstDomain- DstDomainType- SrcFQDN |
Similar to _ASIM_ResolveFQDN, but sets the Dst fields |
| _ASIM_ResolveDvcFQDN | field (String) | - DvcHostname- DvcDomain- DvcDomainType- DvcFQDN |
Similar to _ASIM_ResolveFQDN, but sets the Dvc fields |
This article discusses the Advanced Security Information Model (ASIM) help functions.
For more information, see:
- Watch the Deep Dive Webinar on Microsoft Sentinel Normalizing Parsers and Normalized Content or review the slides
- Advanced Security Information Model (ASIM) overview
- Advanced Security Information Model (ASIM) schemas
- Advanced Security Information Model (ASIM) parsers
- Using the Advanced Security Information Model (ASIM)
- Modifying Microsoft Sentinel content to use the Advanced Security Information Model (ASIM) parsers