Commit 69ecbfb

removing parsers changes
1 parent 373593e commit 69ecbfb

1 file changed

+19
-16
lines changed

articles/sentinel/normalization-parsers-list.md

Lines changed: 19 additions & 16 deletions
@@ -23,14 +23,14 @@ To use ASIM audit event parsers, deploy the parsers from the [Microsoft Sentinel
2323
| --- | --------------------------- | ---------- |
2424
| **Azure Activity administrative events** | Azure Activity events (in the `AzureActivity` table) in the category `Administrative`. | `ASimAuditEventAzureActivity` |
2525
| **Exchange 365 administrative events** | Exchange Administrative events collected using the Office 365 connector (in the `OfficeActivity` table). | `ASimAuditEventMicrosoftOffice365` |
26-
| **Windows Log clear event** | Windows Event 1102 collected using the Azure Monitor Agent Security Events and WEF connectors (using the `SecurityEvent`, `WindowsEvent`, or `Event` tables). | `ASimAuditEventMicrosoftWindowsEvents` |
27-
26+
| **Windows Log clear event** | Windows Event 1102 collected using the Log Analytics agent Security Events connector or the Azure monitor agent Security Events and WEF connectors (using the `SecurityEvent`, `WindowsEvent`, or `Event` tables). | `ASimAuditEventMicrosoftWindowsEvents` |
27+
2828
## Authentication parsers
2929

3030
To use ASIM authentication parsers, deploy the parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/ASimAuthentication). Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:
3131

3232
- **Windows sign-ins**
33-
- Collected using the Azure Monitor Agent.
33+
- Collected using the Log Analytics Agent or Azure Monitor Agent.
3434
- Collected using either the Security Events connectors to the SecurityEvent table or using the WEF connector to the WindowsEvent table.
3535
- Reported as Security Events (4624, 4625, 4634, and 4647).
3636
- reported by Microsoft Defender XDR for Endpoint, collected using the Microsoft Defender XDR connector.
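Review bot: Capitalization in the re-added Windows Log clear event row is inconsistent with the rest of the page: it reads `Log Analytics agent` and `Azure monitor agent`, while every other hunk in this change writes `Log Analytics Agent` and `Azure Monitor Agent`; suggest normalizing the row to the capitalized forms. In the unchanged context of the same hunk, the last Windows sign-ins bullet starts lowercase (`reported by Microsoft Defender XDR for Endpoint`) while its siblings start with `Collected` or `Reported`, which is worth fixing while this file is open.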
@@ -56,10 +56,11 @@ ASIM DNS parsers are available in every workspace. Microsoft Sentinel provides t
5656
| **Corelight Zeek** | | `_Im_Dns_CorelightZeekVxx` |
5757
| **GCP DNS** | | `_Im_Dns_GcpVxx` |
5858
| - **Infoblox NIOS**<br> - **BIND**<br> - **BlucCat** | The same parsers support multiple sources. | `_Im_Dns_InfobloxNIOSVxx` |
59-
| **Microsoft DNS Server** | Collected using:<br>- DNS connector for the Azure Monitor Agent<br>- NXlog | <br>`_Im_Dns_MicrosoftOMSVxx`<br>See Normalized DNS logs.<br>`_Im_Dns_MicrosoftNXlogVxx` |
60-
| **Sysmon for Windows** (event 22) | Collected using the Azure Monitor Agent to the `Event` and `WindowsEvent` tables. | `_Im_Dns_MicrosoftSysmonVxx` |
59+
| **Microsoft DNS Server** | Collected using:<br>- DNS connector for the Log Analytics Agent<br>- DNS connector for the Azure Monitor Agent<br>- NXlog | <br>`_Im_Dns_MicrosoftOMSVxx`<br>See Normalized DNS logs.<br>`_Im_Dns_MicrosoftNXlogVxx` |
60+
| **Sysmon for Windows** (event 22) | Collected using:<br>- the Log Analytics Agent<br>- the Azure Monitor Agent<br><br>For both agents, both collecting to the<br> `Event` and `WindowsEvent` tables are supported. | `_Im_Dns_MicrosoftSysmonVxx` |
6161
| **Vectra AI** | |`_Im_Dns_VectraIAVxx` |
6262
| **Zscaler ZIA** | | `_Im_Dns_ZscalerZIAVxx` |
63+
||||
6364

6465
Deploy the workspace deployed parsers version from the [Microsoft Sentinel GitHub repository](https://aka.ms/AsimDNS).
6566

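Review bot: The added row at the end of the DNS table, `||||`, is an empty table row with no cells filled and should be dropped; renderers will emit a blank row (or in some cases break the table) for it. In the re-written Sysmon for Windows cell, the sentence `For both agents, both collecting to the<br> \`Event\` and \`WindowsEvent\` tables are supported.` is ungrammatical and has a `<br>` splitting it mid-sentence; suggest `For both agents, collection to either the \`Event\` or the \`WindowsEvent\` table is supported.` Unrelated to this change but visible in the context lines: `BlucCat` in the Infoblox/BIND row looks like a typo for `BlueCat`.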
@@ -70,11 +71,13 @@ To use ASIM File Activity parsers, deploy the parsers from the [Microsoft Sentin
7071

7172
- **Windows file activity**
7273
- Reported by **Windows (event 4663)**:
74+
- Collected using the Log Analytics Agent based Security Events connector to the SecurityEvent table.
7375
- Collected using the Azure Monitor Agent based Security Events connector to the SecurityEvent table.
7476
- Collected using the Azure Monitor Agent based WEF (Windows Event Forwarding) connector to the WindowsEvent table.
7577
- Reported using **Sysmon file activity events** (Events 11, 23, and 26):
78+
- Collected using the Log Analytics Agent to the Event table.
7679
- Collected using the Azure Monitor Agent based WEF (Windows Event Forwarding) connector to the WindowsEvent table.
77-
- Reported by **Microsoft Defender for Endpoint**, collected using the Microsoft Defender XDR connector.
80+
- Reported by **Microsoft Defender XDR for Endpoint**, collected using the Microsoft Defender XDR connector.
7881
- **Microsoft Office 365 SharePoint and OneDrive events**, collected using the Office Activity connector.
7982
- **Azure Storage**, including Blob, File, Queue, and Table Storage.
8083

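Review bot: The renamed bullet `Reported by **Microsoft Defender XDR for Endpoint**` replaces the correct product name that the removed line had; the endpoint product is Microsoft Defender for Endpoint, and Microsoft Defender XDR is the name of the connector it is collected through, as the same line already states (`collected using the Microsoft Defender XDR connector`). Suggest restoring the removed wording: `- Reported by **Microsoft Defender for Endpoint**, collected using the Microsoft Defender XDR connector.` The two new Log Analytics Agent bullets otherwise mirror the existing Azure Monitor Agent bullets and their target tables correctly.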
@@ -101,9 +104,9 @@ ASIM Network Session parsers are available in every workspace. Microsoft Sentine
101104
| **Microsoft Defender for IoT micro agent** | | `_Im_NetworkSession_MD4IoTAgentVxx` |
102105
| **Microsoft Defender for IoT sensor** | | `_Im_NetworkSession_MD4IoTSensorVxx` |
103106
| **Palo Alto PanOS traffic logs** | Collected using CEF. | `_Im_NetworkSession_PaloAltoCEFVxx` |
104-
| **Sysmon for Linux** (event 3) | Collected using the Azure Monitor Agent. |`_Im_NetworkSession_LinuxSysmonVxx` |
107+
| **Sysmon for Linux** (event 3) | Collected using the Log Analytics Agent<br> or the Azure Monitor Agent. |`_Im_NetworkSession_LinuxSysmonVxx` |
105108
| **Vectra AI** | Supports the [pack](normalization-about-parsers.md#the-pack-parameter) parameter. | `_Im_NetworkSession_VectraIAVxx` |
106-
| **Windows Firewall logs** | Collected as Windows events using the Azure Monitor Agent (WindowsEvent table). Supports Windows events 5150 to 5159. | `_Im_NetworkSession_MicrosoftWindowsEventFirewallVxx`|
109+
| **Windows Firewall logs** | Collected as Windows events using the Log Analytics Agent (Event table) or Azure Monitor Agent (WindowsEvent table). Supports Windows events 5150 to 5159. | `_Im_NetworkSession_MicrosoftWindowsEventFirewallVxx`|
107110
| **Watchguard FirewareOW** | Collected using Syslog. | `_Im_NetworkSession_WatchGuardFirewareOSVxx` |
108111
| **Zscaler ZIA firewall logs** | Collected using CEF. | `_Im_NetworkSessionZscalerZIAVxx` |
109112

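Review bot: The Sysmon for Linux cell now contains a `<br>` in the middle of a sentence (`Log Analytics Agent<br> or the Azure Monitor Agent`), which renders as a hard line break after `Agent`; drop the `<br>` so the cell reads `Collected using the Log Analytics Agent or the Azure Monitor Agent.` The Windows Firewall row correctly pairs each agent with its destination table (`Event` for the Log Analytics Agent, `WindowsEvent` for the Azure Monitor Agent). Two things in the unchanged context are worth a look while here: `_Im_NetworkSessionZscalerZIAVxx` lacks the underscore after `NetworkSession` that every other parser name in this table has, and the source label `Watchguard FirewareOW` does not match its parser name `_Im_NetworkSession_WatchGuardFirewareOSVxx`.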
@@ -113,18 +116,18 @@ Deploy the workspace deployed parsers version from the [Microsoft Sentinel GitHu
113116

114117
To use ASIM Process Event parsers, deploy the parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/AsimProcessEvent). Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:
115118

116-
- **Security Events process creation (Event 4688)**, collected using the Azure Monitor Agent
117-
- **Security Events process termination (Event 4689)**, collected using the Azure Monitor Agent
118-
- **Sysmon process creation (Event 1)**, collected using the Azure Monitor Agent
119-
- **Sysmon process termination (Event 5)**, collected using the Azure Monitor Agent
120-
- **Microsoft Defender for Endpoint process creation**
119+
- **Security Events process creation (Event 4688)**, collected using the Log Analytics Agent or Azure Monitor Agent
120+
- **Security Events process termination (Event 4689)**, collected using the Log Analytics Agent or Azure Monitor Agent
121+
- **Sysmon process creation (Event 1)**, collected using the Log Analytics Agent or Azure Monitor Agent
122+
- **Sysmon process termination (Event 5)**, collected using the Log Analytics Agent or Azure Monitor Agent
123+
- **Microsoft Defender XDR for Endpoint process creation**
121124

122125
## Registry Event parsers
123126

124127
To use ASIM Registry Event parsers, deploy the parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/AsimRegistryEvent). Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:
125128

126-
- **Security Events registry update (Events 4657 and 4663)**, collected using the Azure Monitor Agent
127-
- **Sysmon registry monitoring events (Events 12, 13, and 14)**, collected using the Azure Monitor Agent
129+
- **Security Events registry update (Events 4657 and 4663)**, collected using the Log Analytics Agent or Azure Monitor Agent
130+
- **Sysmon registry monitoring events (Events 12, 13, and 14)**, collected using the Log Analytics Agent or Azure Monitor Agent
128131
- **Microsoft Defender XDR for Endpoint registry events**
129132

130133
## Web Session parsers
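Review bot: Same naming concern as in the File Activity hunk: the changed bullet `**Microsoft Defender XDR for Endpoint process creation**` puts `XDR` inside the product name, and the unchanged registry bullet `**Microsoft Defender XDR for Endpoint registry events**` has the same problem; the product is Microsoft Defender for Endpoint (Microsoft Defender XDR is the suite and connector name), so suggest `**Microsoft Defender for Endpoint process creation**` and `**Microsoft Defender for Endpoint registry events**`. The six bullets ending in `collected using the Log Analytics Agent or Azure Monitor Agent` are consistent with each other and with the rest of the change.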
@@ -135,7 +138,7 @@ ASIM Web Session parsers are available in every workspace. Microsoft Sentinel pr
135138
| **Source** | **Notes** | **Parser** |
136139
| --- | --------------------------- | ------------------------------ |
137140
| **Normalized Web Session Logs** | Any event normalized at ingestion to the `ASimWebSessionLogs` table. | `_Im_WebSession_NativeVxx` |
138-
| **Internet Information Services (IIS) Logs** | Collected using the Azure Monitor Agent-based IIS connectors. | `_Im_WebSession_IISVxx` |
141+
| **Internet Information Services (IIS) Logs** | Collected using the AMA or Log Analytics Agent based IIS connectors. | `_Im_WebSession_IISVxx` |
139142
| **Palo Alto PanOS threat logs** | Collected using CEF. | `_Im_WebSession_PaloAltoCEFVxx` |
140143
| **Squid Proxy** | | `_Im_WebSession_SquidProxyVxx` |
141144
| **Vectra AI Streams** | Supports the [pack](normalization-about-parsers.md#the-pack-parameter) parameter. | `_Im_WebSession_VectraAIVxx` |
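Review bot: The IIS row introduces the abbreviation `AMA` (`AMA or Log Analytics Agent based IIS connectors`), which is not expanded anywhere on this page, while every other row spells out `Azure Monitor Agent`; suggest `Collected using the Azure Monitor Agent or Log Analytics Agent-based IIS connectors.` for consistency, keeping the hyphen the removed line had in `Agent-based`.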
