---
title: List of Microsoft Sentinel Advanced Security Information Model (ASIM) parsers | Microsoft Docs
description: This article lists Advanced Security Information Model (ASIM) parsers.
author: oshezaf
ms.topic: reference
ms.date: 05/02/2022
ms.author: ofshezaf
---
This document provides a list of Advanced Security Information Model (ASIM) parsers. For an overview of ASIM parsers, refer to the parsers overview. To understand how parsers fit within the ASIM architecture, refer to the ASIM architecture diagram.
> [!IMPORTANT]
> ASIM is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Microsoft Sentinel provides the following out-of-the-box, product-specific Authentication parsers:

- Windows sign-ins
  - Collected using the Log Analytics Agent or Azure Monitor Agent.
  - Collected using either the Security Events connectors to the SecurityEvent table or the WEF connector to the WindowsEvent table.
  - Reported as Security Events (4624, 4625, 4634, and 4647).
  - Reported by Microsoft 365 Defender for Endpoint, collected using the Microsoft 365 Defender connector.
- Linux sign-ins
  - Reported by Microsoft 365 Defender for Endpoint, collected using the Microsoft 365 Defender connector.
  - Reported by Microsoft Defender for IoT Endpoint.
- Azure Active Directory sign-ins, collected using the Azure Active Directory connector. Separate parsers are provided for regular, Non-Interactive, Managed Identities, and Service Principals sign-ins.
- AWS sign-ins, collected using the AWS CloudTrail connector.
- Okta authentication, collected using the Okta connector.
Deploy the parsers from the Microsoft Sentinel GitHub repository.
Microsoft Sentinel provides the following out-of-the-box, product-specific DNS parsers:
Source | Built-in parsers | Workspace deployed parsers |
---|---|---|
Microsoft DNS Server<br>Collected by the DNS connector and the Log Analytics Agent | _ASim_Dns_MicrosoftOMS (regular)<br>_Im_Dns_MicrosoftOMS (filtering) | ASimDnsMicrosoftOMS (regular)<br>vimDnsMicrosoftOMS (filtering) |
Microsoft DNS Server<br>Collected by NXlog | _ASim_Dns_MicrosoftNXlog (regular)<br>_Im_Dns_MicrosoftNXlog (filtering) | ASimDnsMicrosoftNXlog (regular)<br>vimDnsMicrosoftNXlog (filtering) |
Azure Firewall | _ASim_Dns_AzureFirewall (regular)<br>_Im_Dns_AzureFirewall (filtering) | ASimDnsAzureFirewall (regular)<br>vimDnsAzureFirewall (filtering) |
Sysmon for Windows (event 22)<br>Collected by the Log Analytics Agent or the Azure Monitor Agent, supporting both the Event and WindowsEvent tables | _ASim_Dns_MicrosoftSysmon (regular)<br>_Im_Dns_MicrosoftSysmon (filtering) | ASimDnsMicrosoftSysmon (regular)<br>vimDnsMicrosoftSysmon (filtering) |
Cisco Umbrella | _ASim_Dns_CiscoUmbrella (regular)<br>_Im_Dns_CiscoUmbrella (filtering) | ASimDnsCiscoUmbrella (regular)<br>vimDnsCiscoUmbrella (filtering) |
Infoblox NIOS<br>The Infoblox parsers require configuring the relevant sources. Use `InfobloxNIOS` as the source type. | _ASim_Dns_InfobloxNIOS (regular)<br>_Im_Dns_InfobloxNIOS (filtering) | ASimDnsInfobloxNIOS (regular)<br>vimDnsInfobloxNIOS (filtering) |
GCP DNS | _ASim_Dns_Gcp (regular)<br>_Im_Dns_Gcp (filtering) | ASimDnsGcp (regular)<br>vimDnsGcp (filtering) |
Corelight Zeek DNS events | _ASim_Dns_CorelightZeek (regular)<br>_Im_Dns_CorelightZeek (filtering) | ASimDnsCorelightZeek (regular)<br>vimDnsCorelightZeek (filtering) |
Vectra AI | _ASim_Dns_VectraAI (regular)<br>_Im_Dns_VectraAI (filtering) | ASimDnsVectraAI (regular)<br>vimDnsVectraAI (filtering) |
Zscaler ZIA | _ASim_Dns_ZscalerZIA (regular)<br>_Im_Dns_ZscalerZIA (filtering) | ASimDnsZscalerZIA (regular)<br>vimDnsZscalerZIA (filtering) |
Deploy the workspace deployed parsers from the Microsoft Sentinel GitHub repository.
Microsoft Sentinel provides the following out-of-the-box, product-specific File Activity parsers:
- Sysmon file activity events (Events 11, 23, and 26), collected using the Log Analytics Agent or Azure Monitor Agent.
- Microsoft Office 365 SharePoint and OneDrive events, collected using the Office Activity connector.
- Microsoft 365 Defender for Endpoint file events
- Azure Storage, including Blob, File, Queue, and Table Storage.
Deploy the parsers from the Microsoft Sentinel GitHub repository.
Microsoft Sentinel provides the following out-of-the-box, product-specific Network Session parsers:
Source | Built-in parsers | Workspace deployed parsers |
---|---|---|
AWS VPC logs collected using the AWS S3 connector | _ASim_NetworkSession_AWSVPC (regular)<br>_Im_NetworkSession_AWSVPC (filtering) | ASimNetworkSessionAWSVPC (regular)<br>vimNetworkSessionAWSVPC (filtering) |
Azure Firewall logs | _ASim_NetworkSession_AzureFirewall (regular)<br>_Im_NetworkSession_AzureFirewall (filtering) | ASimNetworkSessionAzureFirewall (regular)<br>vimNetworkSessionAzureFirewall (filtering) |
Azure Monitor VMConnection collected as part of the Azure Monitor VM Insights solution | _ASim_NetworkSession_VMConnection (regular)<br>_Im_NetworkSession_VMConnection (filtering) | ASimNetworkSessionVMConnection (regular)<br>vimNetworkSessionVMConnection (filtering) |
Azure Network Security Groups (NSG) logs collected as part of the Azure Monitor VM Insights solution | _ASim_NetworkSession_AzureNSG (regular)<br>_Im_NetworkSession_AzureNSG (filtering) | ASimNetworkSessionAzureNSG (regular)<br>vimNetworkSessionAzureNSG (filtering) |
Microsoft 365 Defender for Endpoint | _ASim_NetworkSession_Microsoft365Defender (regular)<br>_Im_NetworkSession_Microsoft365Defender (filtering) | ASimNetworkSessionMicrosoft365Defender (regular)<br>vimNetworkSessionMicrosoft365Defender (filtering) |
Microsoft Defender for IoT - Endpoint | _ASim_NetworkSession_MD4IoT (regular)<br>_Im_NetworkSession_MD4IoT (filtering) | ASimNetworkSessionMD4IoT (regular)<br>vimNetworkSessionMD4IoT (filtering) |
Palo Alto PanOS traffic logs collected using CEF | _ASim_NetworkSession_PaloAltoCEF (regular)<br>_Im_NetworkSession_PaloAltoCEF (filtering) | ASimNetworkSessionPaloAltoCEF (regular)<br>vimNetworkSessionPaloAltoCEF (filtering) |
Sysmon for Linux (event 3)<br>Collected using the Log Analytics Agent or the Azure Monitor Agent | _ASim_NetworkSession_LinuxSysmon (regular)<br>_Im_NetworkSession_LinuxSysmon (filtering) | ASimNetworkSessionLinuxSysmon (regular)<br>vimNetworkSessionLinuxSysmon (filtering) |
Vectra AI | _ASim_NetworkSession_VectraAI (regular)<br>_Im_NetworkSession_VectraAI (filtering) | ASimNetworkSessionVectraAI (regular)<br>vimNetworkSessionVectraAI (filtering) |
Windows Firewall logs<br>Collected as Windows events using the Log Analytics Agent (Event table) or Azure Monitor Agent (WindowsEvent table). Supports Windows events 5150 to 5159. | _ASim_NetworkSession_MicrosoftWindowsEventFirewall (regular)<br>_Im_NetworkSession_MicrosoftWindowsEventFirewall (filtering) | ASimNetworkSessionMicrosoftWindowsEventFirewall (regular)<br>vimNetworkSessionMicrosoftWindowsEventFirewall (filtering) |
Zscaler ZIA firewall logs | _ASim_NetworkSession_ZscalerZIA (regular)<br>_Im_NetworkSession_ZscalerZIA (filtering) | ASimNetworkSessionZscalerZIA (regular)<br>vimNetworkSessionZscalerZIA (filtering) |
Deploy the workspace deployed parsers from the Microsoft Sentinel GitHub repository.
Microsoft Sentinel provides the following built-in, product-specific Process Event parsers:
- Security Events process creation (Event 4688), collected using the Log Analytics Agent or Azure Monitor Agent
- Security Events process termination (Event 4689), collected using the Log Analytics Agent or Azure Monitor Agent
- Sysmon process creation (Event 1), collected using the Log Analytics Agent or Azure Monitor Agent
- Sysmon process termination (Event 5), collected using the Log Analytics Agent or Azure Monitor Agent
- Microsoft 365 Defender for Endpoint process creation
Deploy Process Event parsers from the Microsoft Sentinel GitHub repository.
Microsoft Sentinel provides the following built-in, product-specific Registry Event parsers:
- Security Events registry update (Event 4657), collected using the Log Analytics Agent or Azure Monitor Agent
- Sysmon registry monitoring events (Events 12, 13, and 14), collected using the Log Analytics Agent or Azure Monitor Agent
- Microsoft 365 Defender for Endpoint registry events
Deploy Registry Event parsers from the Microsoft Sentinel GitHub repository.
Microsoft Sentinel provides the following out-of-the-box, product-specific Web Session parsers:
Source | Built-in parsers | Workspace deployed parsers |
---|---|---|
Squid Proxy | _ASim_WebSession_SquidProxy (regular)<br>_Im_WebSession_SquidProxy (filtering) | ASimWebSessionSquidProxy (regular)<br>vimWebSessionSquidProxy (filtering) |
Zscaler ZIA | _ASim_WebSession_ZscalerZIA (regular)<br>_Im_WebSession_ZscalerZIA (filtering) | ASimWebSessionZscalerZIA (regular)<br>vimWebSessionZscalerZIA (filtering) |
These parsers can be deployed from the Microsoft Sentinel GitHub repository.