Microsoft Sentinel is a cloud-native security information and event management (SIEM) platform that helps you detect, investigate, and respond to threats across your enterprise. One of the key features of Microsoft Sentinel is the ability to use Advanced Security Information Model (ASIM) parsers to normalize and enrich your data from various sources.
In this blog post, I will explain what ASIM parsers are, how they work, and how you can use them in your Microsoft Sentinel queries and analytics.
What are ASIM parsers?
ASIM parsers are KQL user-defined functions that transform data in existing tables, such as CommonSecurityLog, custom logs tables, or Syslog, into a normalized schema. The normalized schema defines a common set of fields and values for each data type, such as network events, process events, registry events, etc. This makes it easier to query and analyze data from different sources using a consistent format.
For example, if you have data from a firewall and a web proxy in the CommonSecurityLog table, you can use the ASIM NetworkSession parser to convert them into a unified schema that includes fields like DeviceVendor, DeviceProduct, SourceIP, DestinationIP, etc. You can then use these fields to filter, group, join, or aggregate your data as you wish.
How do ASIM parsers work?
ASIM parsers are built as KQL user-defined functions that take one or more parameters and return a table with the normalized schema. You can use ASIM parsers instead of table names in your queries to view data in a normalized format, and to include all data relevant to the schema in your query.
For example, if you want to query all network events in your workspace, you can use the following syntax:
```kql
// Built-in unifying parser for the NetworkSession schema (name follows the _Im_<schema> convention)
_Im_NetworkSession()
```
This will return a table with all the network events from various sources that match the ASIM NetworkSession schema. You can then apply any filters or operations on this table as you would normally do with any other table.
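As an added example (not part of the original post), the query below shows what the normalization buys you: one hunting query over every network source at once, with no per-vendor column names. It flags sources that were denied on an unusually large number of distinct destination ports within the last hour, which is a common indicator of scanning. The field names (SrcIpAddr, DstIpAddr, DstPortNumber, DvcAction, EventVendor, EventProduct, TimeGenerated) are taken from the ASIM NetworkSession schema reference, not from this post; the threshold values are constructed for illustration.

```kql
// Added example: cross-vendor scan detection over the normalized NetworkSession table.
// Every firewall or proxy that has a source-specific parser contributes rows here,
// so one query covers all of them.
let lookback = 1h;               // constructed value
let port_threshold = 50;         // constructed value: distinct ports per source
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
// DvcAction is normalized, so "Deny"/"Drop" mean the same thing regardless of vendor
| where DvcAction in ("Deny", "Drop")
| summarize
    DistinctPorts = dcount(DstPortNumber),
    Targets       = dcount(DstIpAddr),
    Sources       = make_set(strcat(EventVendor, "/", EventProduct), 10),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by SrcIpAddr
| where DistinctPorts >= port_threshold
| order by DistinctPorts desc
```

The Sources column is worth keeping in a result like this: when one scanning host shows up in several vendors' logs it confirms the normalization is working, and when it appears in only one it tells you which log source is actually seeing the traffic.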
ASIM parsers are currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
How to use ASIM parsers in Microsoft Sentinel?
There are two ways to use ASIM parsers in Microsoft Sentinel: built-in parsers and workspace-deployed parsers.
Built-in parsers
Many ASIM parsers are built-in and available out-of-the-box in every Microsoft Sentinel workspace. You can find them in the Functions tab of the Logs screen. They have names that start with an underscore (_), followed by "Im_", followed by the schema name, that is, _Im_<schema>. For example, _Im_NetworkSession is the built-in parser for network events.
To use a built-in parser, you just need to call it with the appropriate parameters in your query. For example, if you want to query all network events from the last 24 hours, you can use the following query:
```kql
// Built-in parser with a time-range parameter; ASIM parameter names are lowercase
_Im_NetworkSession(starttime=ago(24h))
```
You can also specify other parameters such as endtime, whereFilter, or additionalColumns. For more information on the parameters and syntax of each built-in parser, refer to the ASIM parsers list.
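The following is an added example (not from the original post) of why the parser parameters matter beyond the time range. The starttime and endtime parameters are the ones the post describes; dstportnumber and eventresult are NetworkSession filtering parameters documented in the ASIM schema reference and are assumed here, not taken from this post. Passing a filter as a parameter lets each source-specific parser apply it to the raw rows before it does the expensive normalization work, whereas a where clause after the call only runs once every row has already been parsed.

```kql
// Added example: filters pushed into the parser as parameters.
// Goal: which sources successfully opened RDP (3389) sessions in the last day, and to how many hosts.
_Im_NetworkSession(
    starttime=ago(24h),
    endtime=now(),
    dstportnumber=3389,        // assumed ASIM filtering parameter (from the schema reference)
    eventresult="Success")     // assumed ASIM filtering parameter (from the schema reference)
| summarize
    Sessions     = count(),
    Destinations = dcount(DstIpAddr)
    by SrcIpAddr, EventVendor, EventProduct
| order by Sessions desc
// Functionally equivalent, but every row is normalized before the filter runs:
// _Im_NetworkSession(starttime=ago(24h), endtime=now())
// | where DstPortNumber == 3389 and EventResult == "Success"
```

The two forms return the same rows; the difference is only where the filtering happens, which is what you want to think about when a scheduled analytics rule runs the query every few minutes.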
Workspace-deployed parsers
ASIM also supports deploying parsers to specific workspaces from GitHub, using an ARM template or manually. Workspace-deployed parsers are functionally equivalent to built-in parsers, but have slightly different naming conventions. They have names that start with "im", followed by the schema name. For example, imNetworkSession is the workspace-deployed parser for network events.
To use a workspace-deployed parser, you need to first deploy it to your workspace using one of the methods described in Deploying ASIM parsers. Then you can call it with the appropriate parameters in your query. For example, if you want to query all network events from the last 24 hours using the workspace-deployed parser, you can use the following query:
```kql
// Workspace-deployed unifying parser; same parameters as the built-in one
imNetworkSession(starttime=ago(24h))
```
You can also specify other parameters such as endtime or whereFilter. For more information on the parameters and syntax of each workspace-deployed parser, refer to the ASIM parsers list.
Where a built-in parser exists for a schema, it is recommended to use the built-in parser rather than deploying your own.
How to choose between unifying parsers and source-specific parsers?
ASIM includes two levels of parsers: unifying parsers and source-specific parsers. The unifying parser is the one that you usually use for the relevant schema, ensuring all data relevant to the schema is queried. The unifying parser in turn calls source-specific parsers to perform the actual parsing and normalization, which is specific for each source.
The unifying parser name is _Im_<schema> for built-in parsers and im<schema> for workspace-deployed parsers, where <schema> stands for the specific schema it serves. Source-specific parsers can also be used independently. Use _Im_<schema>_<source> for built-in parsers and vim<schema><source> for workspace-deployed parsers. For example, in an Infoblox-specific workbook, use the _Im_Dns_InfobloxNIOS source-specific parser. You can find a list of source-specific parsers in the ASIM parsers list.
The advantage of using the unifying parser is that it automatically includes all the relevant data sources for the schema, and applies the appropriate source-specific parser for each source. This way, you don't need to worry about which sources to include or exclude in your query, or which parser to use for each source.
The disadvantage of using the unifying parser is that it may return more data than you need, or data that is not relevant to your use case. For example, if you only want to query network events from a specific firewall vendor, using the unifying parser will also return network events from other sources that may not be of interest to you.
In such cases, you may want to use the source-specific parser instead of the unifying parser, to limit your query to a specific source and improve performance. For example, if you only want to query network events from a Cisco ASA firewall, you can use the following query:
```kql
// Built-in source-specific parser: _Im_<schema>_<source>
_Im_NetworkSession_CiscoASA()
```
This will return a table with only the network events from the Cisco ASA firewall that match the ASIM NetworkSession schema. You can then apply any filters or operations on this table as you would normally do with any other table.
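An added example (not from the original post) that ties the two parser levels together. Before narrowing a query to a source-specific parser it is worth asking the unifying parser which sources are actually populating the schema in your workspace; that tells you both which source-specific parser to choose and whether a source you expect to see is missing, which is itself something a detection engineer wants to know. The two queries are meant to be run separately. EventVendor, EventProduct, DvcAction and TimeGenerated are ASIM NetworkSession fields from the schema reference; the 7-day and 1-day windows are constructed values.

```kql
// Added example, query 1: coverage check through the unifying parser.
// Each EventVendor/EventProduct pair corresponds to a source-specific parser that
// returned rows, so an expected source that is absent here is a normalization or
// ingestion gap worth investigating.
_Im_NetworkSession(starttime=ago(7d), endtime=now())
| summarize Events = count(), LastEvent = max(TimeGenerated) by EventVendor, EventProduct
| order by Events desc

// Added example, query 2: the same schema, but only the Cisco ASA source.
// The column names are identical to query 1 because the source-specific parser
// emits the same normalized schema; only the set of rows is smaller.
_Im_NetworkSession_CiscoASA(starttime=ago(1d), endtime=now())
| summarize Denied = countif(DvcAction in ("Deny", "Drop")), Total = count()
    by bin(TimeGenerated, 1h)
| extend DeniedPct = round(100.0 * Denied / Total, 1)
| order by TimeGenerated asc
```

Because both parsers emit the same schema, a query developed against the source-specific parser can later be pointed at the unifying parser unchanged when you want it to cover every vendor.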
Conclusion
ASIM parsers are a powerful feature of Microsoft Sentinel that enable you to normalize and enrich your data from various sources and query them using a consistent format. You can use built-in parsers or workspace-deployed parsers, depending on your preference and availability. You can also choose between unifying parsers and source-specific parsers, depending on your use case and performance needs.
I hope this blog post has helped you understand how to use ASIM parsers in Microsoft Sentinel and how they can benefit your security operations.