articles/sentinel/dns-normalization-schema.md
Lines changed: 11 additions & 4 deletions
@@ -31,9 +31,14 @@ The most important activity reported by DNS servers is a DNS query, for which th
31
31
The most important fields in a DNS event are:
32
32
33
33
-[DnsQuery](#query), which reports the domain name for which the query was issued.
34
+
34
35
- The [SrcIpAddr](#srcipaddr) (aliased to [IpAddr](#ipaddr)), which represents the IP address from which the request was generated.
36
+
35
37
-[EventResultDetails](#eventresultdetails), which reports as to whether the request was successful and if not, why.
36
-
- When available, [DnsResponseName](#responsename), which holds the answer provided by the server to the query. ASIM does not require parsing the response, and its format varies between sources. To use this field in source-agnostic content, search the content using the `has` or `contains` operators.
38
+
39
+
- When available, [DnsResponseName](#responsename), which holds the answer provided by the server to the query. ASIM does not require parsing the response, and its format varies between sources.
40
+
41
+
To use this field in source-agnostic content, search the content using the `has` or `contains` operators.
37
42
38
43
DNS events collected on client device may also include [User](#user) and [Process](#process) information.
39
44
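Review bot: the sentence split out to new line 41, "To use this field in source-agnostic content, search the content using the `has` or `contains` operators.", is not indented under the DnsResponseName bullet, so Markdown renders it as a paragraph outside the list and the reader no longer sees which field it refers to; either indent it by two spaces so it stays inside that list item, or name the field ("To use DnsResponseName in source-agnostic content ..."). The unchanged line 43, "DNS events collected on client device", also reads better as "on a client device".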
@@ -59,6 +64,8 @@ imDNS | where SrcIpAddr != "127.0.0.1" and EventSubType == "response"
59
64
60
65
## Parsers
61
66
67
+
For more information about ASIM parsers, see the [ASIM parsers overview](normalization-parsers-overview.md) and [Use ASIM parsers](normalization-about-parsers.md).
68
+
62
69
### Unifying parsers
63
70
64
71
To use parsers that unify all ASIM out-of-the-box parsers, and ensure that your analysis runs across all the configured sources, use the `_Im_Dns` filtering parser or the `_ASim_Dns` parameter-less parser.
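Review bot: the new cross-reference at line 67 uses the link text "[ASIM parsers overview](normalization-parsers-overview.md)", while the network-normalization-schema.md change in this same commit links the same target as "[ASIM parsers](normalization-parsers-overview.md)"; pick one wording for both files so the two schema pages stay consistent.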
@@ -82,7 +89,7 @@ Microsoft Sentinel provides the following out-of-the-box, product-specific DNS p
For a full list of analytics rules that use normalized DNS events, see the [DNS query security content](normalization-content.md#dns-query-security-content) section.
134
+
For a full list of analytics rules that use normalized DNS events, see [DNS query security content](normalization-content.md#dns-query-security-content).
128
135
129
136
## Schema details
130
137
@@ -171,7 +178,7 @@ The fields below are specific to DNS events, although many are similar to fields
171
178
| <aname="srcdvcid"></a>**SrcDvcId**| Optional | String | The ID of the source device as reported in the record.<br><br>For example: `ac7e9755-8eae-4ffc-8a02-50ed7a2216c3`|
172
179
|**SrcDvcIdType**| Optional | Enumerated | The type of [SrcDvcId](#srcdvcid), if known. Possible values include:<br> - `AzureResourceId`<br>- `MDEid`<br><br>If multiple IDs are available, use the first one from the list above, and store the others in the **SrcDvcAzureResourceId** and **SrcDvcMDEid**, respectively.<br><br>**Note**: This field is required if [SrcDvcId](#srcdvcid) is used. |
173
180
|**SrcDeviceType**| Optional | Enumerated | The type of the source device. Possible values include:<br>- `Computer`<br>- `Mobile Device`<br>- `IOT Device`<br>- `Other`|
174
-
| <aname="srcuserid"></a>**SrcUserId**| Optional | String | A machine-readable, alphanumeric, unique representation of the source user. Format and supported types include:<br>- **SID** (Windows): `S-1-5-21-1377283216-344919071-3415362939-500`<br>- **UID** (Linux): `4578`<br>- **AADID** (Azure Active Directory): `9267d02c-5f76-40a9-a9eb-b686f3ca47aa`<br>- **OktaId**: `00urjk4znu3BcncfY0h7`<br>- **AWSId**: `72643944673`<br><br>Store the ID type in the [SrcUserIdType](#srcuseridtype) field. <br><br>If other IDs are available, we recommend that you normalize the field names to **SrcUserSid**, **SrcUserUid**, **SrcUserAadId**, **SrcUserOktaId** and **UserAwsId**, respectively. For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).<br><br>Example: S-1-12 |
181
+
| <aname="srcuserid"></a>**SrcUserId**| Optional | String | A machine-readable, alphanumeric, unique representation of the source user. Format and supported types include:<br>- **SID** (Windows): `S-1-5-21-1377283216-344919071-3415362939-500`<br>- **UID** (Linux): `4578`<br>- **AADID** (Azure Active Directory): `9267d02c-5f76-40a9-a9eb-b686f3ca47aa`<br>- **OktaId**: `00urjk4znu3BcncfY0h7`<br>- **AWSId**: `72643944673`<br><br>Store the ID type in the [SrcUserIdType](#srcuseridtype) field. <br><br>If other IDs are available, we recommend that you normalize the field names to **SrcUserSid**, **SrcUserUid**, **SrcUserAadId**, **SrcUserOktaId** and **UserAwsId**, respectively. For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).<br><br>Example: `S-1-12`|
175
182
| <aname="srcuseridtype"></a>**SrcUserIdType**| Optional | Enumerated | The type of the ID stored in the [SrcUserId](#srcuserid) field. Supported values include: `SID`, `UIS`, `AADID`, `OktaId`, and `AWSId`. |
176
183
| <aname="srcusername"></a>**SrcUsername**| Optional | String | The Source username, including domain information when available. Use one of the following formats and in the following order of priority:<br>- **Upn/Email**: `[email protected]`<br>- **Windows**: `Contoso\johndow`<br>- **DN**: `CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM`<br>- **Simple**: `johndow`. Use the Simple form only if domain information is not available.<br><br>Store the Username type in the [SrcUsernameType](#srcusernametype) field. If other IDs are available, we recommend that you normalize the field names to **SrcUserUpn**, **SrcUserWindows** and **SrcUserDn**.<br><br>For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).<br><br>Example: `AlbertE`|
177
184
| <aname="user"></a>**User**| Alias || Alias to [SrcUsername](#srcusername)|
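Review bot: in the changed SrcUserId row (line 181) the example is now formatted as code, but `S-1-12` is still a truncated SID that does not match the row's own SID example `S-1-5-21-1377283216-344919071-3415362939-500`; use a complete SID or drop the trailing example. While this row is being touched, two adjacent inconsistencies are worth fixing: the normalized field list names **UserAwsId** where every other entry uses the **SrcUser** prefix (**SrcUserAwsId**), and the unchanged SrcUserIdType row on line 183 lists `UIS` among the supported values where the SrcUserId row defines **UID** (Linux).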
articles/sentinel/network-normalization-schema.md
Lines changed: 42 additions & 14 deletions
@@ -28,32 +28,60 @@ The network normalization schema can represent any type of an IP network session
28
28
29
29
## Parsers
30
30
31
-
This section discusses parsers, how to add parsers, and how to filter parser parameters.
31
+
This section discusses parsers, how to add parsers, and how to filter parser parameters. For more information, see [ASIM parsers](normalization-parsers-overview.md) and [Use ASIM parsers](normalization-about-parsers.md).
32
32
33
33
### Unifying parsers
34
34
35
-
To use the unifying parsers that unify all of the out-of-the-box parsers, and ensure that your analysis runs across all the configured sources, use the following KQL functions as the table name in your query:
36
-
37
-
| Name | Description | Usage instructions |
38
-
| ---- | --- | --- |
39
-
| <aname="imnetworksession"></a>**imNetworkSession**| Aggregative parser that uses *union* to include normalized events from all *network session* sources. |- Update this parser if you want to add or remove sources from source-agnostic analytics. <br><br>- Use this function in your source-agnostic queries.|
40
-
|**ASimNetworkSession**| Similar to the [imNetworkSession](#imnetworksession) function, but without parameter support, so it doesn't force the **Logs** page time picker to use the `custom` value. |- Update these parsers if you want to add or remove sources from source-agnostic analytics.<br><br>- Use this function in your source-agnostic queries if you don't plan to use parameters.|
41
-
|**vimNetworkSession\<vendor\>\<product\>**| Source-specific parsers implement normalization for a specific source. <br><br>Example: `vimNetworkSessionSysmonLinux`|- Add a source-specific parser for a source when there's no out-of-the-box normalizing parser. Update the `im` aggregative parser to include reference to your new parser. <br><br>- Update a source-specific parser to resolve parsing and normalization issues.<br><br>- Use a source-specific parser for source-specific analytics.|
42
-
**ASimNetworkSession\<vendor\>\<product\>>** | Source-specific parsers implement normalization for a specific source. <br><br>Unlike the `vim*` functions, the `ASim*` functions don't support parameters. |- Add a source-specific parser for a source when there's no out-of-the-box normalizing parser. Update the aggregative `ASim` parser to include reference to your new parser.<br><br>- Update a source-specific parser to resolve parsing and normalization issues.<br><br>- Use an `ASim` source-specific parser for interactive queries when not using parameters.|
43
-
||||
35
+
To use the unifying parsers that unify all of the out-of-the-box parsers, and ensure that your analysis runs across all the configured sources, use the following KQL functions as the table name in your query.
44
36
45
37
Deploy ASIM parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/DeployASIM).
Aggregative parser that uses *union* to include normalized events from all *network session* sources.
42
+
43
+
- Update this parser if you want to add or remove sources from source-agnostic analytics.
44
+
- Use this function in your source-agnostic queries.
45
+
46
+
#### ASimNetworkSession
47
+
48
+
Similar to the [imNetworkSession](#imnetworksession) function, but without parameter support, so it doesn't force the **Logs** page time picker to use the `custom` value.
49
+
50
+
- Update these parsers if you want to add or remove sources from source-agnostic analytics.
51
+
- Use this function in your source-agnostic queries if you don't plan to use parameters.
52
+
53
+
#### vimNetworkSession\<vendor\>\<product\>
54
+
55
+
Source-specific parsers implement normalization for a specific source.
56
+
57
+
Example: `vimNetworkSessionSysmonLinux`
58
+
59
+
- Add a source-specific parser for a source when there's no out-of-the-box normalizing parser. Update the `im` aggregative parser to include reference to your new parser.
60
+
- Update a source-specific parser to resolve parsing and normalization issues.
61
+
- Use a source-specific parser for source-specific analytics.
62
+
63
+
#### ASimNetworkSession\<vendor\>\<product\>>
64
+
65
+
Source-specific parsers implement normalization for a specific source.
66
+
67
+
Unlike the `vim*` functions, the `ASim*` functions don't support parameters.
68
+
69
+
- Add a source-specific parser for a source when there's no out-of-the-box normalizing parser. Update the aggregative `ASim` parser to include reference to your new parser.
70
+
- Update a source-specific parser to resolve parsing and normalization issues.
71
+
- Use an `ASim` source-specific parser for interactive queries when not using parameters.
72
+
73
+
74
+
47
75
### Out-of-the-box, source-specific parsers
48
76
49
77
Microsoft Sentinel provides the following built-in, product-specific Network Session parsers:
| **Windows Events Firewall** | Windows firewall activity as represented by using Windows Events 515x, collected by using either the Log Analytics Agent or the Azure Monitor Agent into either the `Event` table or the `WindowsEvent` table.<br><br> - Parametrized: vimNetworkSessionMicrosoftWindowsEventFirewall <br> - Regular: ASimNetworkSessionMicrosoftWindowsEventFirewall
|**Microsoft Sysmon for Linux**| - Parametrized: `vimNetworkSessionSysmonLinux`<br> - Regular: `ASimNetworkSessionSysmonLinux`|
84
+
| **Windows Events Firewall** | Windows firewall activity as represented by using Windows Events 515x, collected by using either the Log Analytics Agent or the Azure Monitor Agent into either the `Event` table or the `WindowsEvent` table.<br><br> - Parametrized: `vimNetworkSessionMicrosoftWindowsEventFirewall` <br> - Regular: `ASimNetworkSessionMicrosoftWindowsEventFirewall`
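Review bot: the new heading at line 63, "#### ASimNetworkSession\<vendor\>\<product\>>", carries over the stray trailing ">" from the old table row; it should read "#### ASimNetworkSession\<vendor\>\<product\>" like the vim heading at line 53. Three related points in the same hunk: the ASimNetworkSession entry at line 48 still links to "[imNetworkSession](#imnetworksession)", an anchor that the deleted table defined explicitly with `<a name="imnetworksession">`, so confirm that a "#### imNetworkSession" heading (not visible in this hunk) now exists for that link to resolve; the Windows Events Firewall row added at line 84 still lacks the closing "|" that the Sysmon for Linux row above it has; and the three added blank lines 72-74 can be collapsed to one. Minor wording: "Update these parsers" under ASimNetworkSession (line 50) describes a single function, so "this parser".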
articles/sentinel/normalization-develop-parsers.md
Lines changed: 7 additions & 6 deletions
@@ -13,8 +13,6 @@ ms.author: ofshezaf
13
13
14
14
Advanced SIEM Information Model (ASIM) users use *unifying parsers* instead of table names in their queries, to view data in a normalized format and to include all data relevant to the schema in the query. Unifying parsers, in turn, use *source-specific parsers* to handle the specific details of each source.
15
15
16
-
To understand how parsers fit within the ASIM architecture, refer to the [ASIM architecture diagram](normalization.md#asim-components).
17
-
18
16
Microsoft Sentinel provides built-in, source-specific parsers for many data sources. You may want to modify, or *develop*, these source-specific parsers in the following situations:
19
17
20
18
- When your device provides events that fit an ASIM schema, but a source-specific parser for your device and the relevant schema is not available in Microsoft Sentinel.
@@ -27,7 +25,13 @@ Microsoft Sentinel provides built-in, source-specific parsers for many data sour
27
25
28
26
- The events might be collected, modified, and forwarded by an intermediary system.
29
27
30
-
## The ASIM custom parser development process
28
+
To understand how parsers fit within the ASIM architecture, refer to the [ASIM architecture diagram](normalization.md#asim-components).
29
+
30
+
> [!IMPORTANT]
31
+
> ASIM is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
32
+
33
+
34
+
## Custom parser development process
31
35
32
36
The following workflow describe the high level steps in developing a custom ASIM, source-specific parser:
33
37
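Review bot: renaming the heading from "The ASIM custom parser development process" to "Custom parser development process" (line 34) changes its generated anchor, so any existing link to "#the-asim-custom-parser-development-process" in other articles will break; search the repo for that anchor before merging. Smaller points: the [!IMPORTANT] preview note moved here (lines 30-31) is followed by two blank lines (32-33) where one is enough, and the unchanged line 36, "The following workflow describe the high level steps", should read "describes the high-level steps".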
@@ -47,9 +51,6 @@ This article guides you through the process's development, testing, and deployme
47
51
> Also watch the [Deep Dive Webinar on Microsoft Sentinel Normalizing Parsers and Normalized Content](https://www.youtube.com/watch?v=zaqblyjQW6k) or review the related [slide deck](https://1drv.ms/b/s!AnEPjr8tHcNmjGtoRPQ2XYe3wQDz?e=R3dWeM). For more information, see [Next steps](#next-steps).
48
52
>
49
53
50
-
> [!IMPORTANT]
51
-
> ASIM is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
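Review bot: after the [!IMPORTANT] block is removed from this blockquote, the bare ">" at line 52 no longer separates anything and leaves a trailing empty quote line after the "Also watch" tip; remove it together with the deleted lines.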
articles/sentinel/normalization-modify-content.md
Lines changed: 20 additions & 13 deletions
@@ -1,5 +1,5 @@
1
1
---
2
-
title: Modify content to us the Advanced SIEM Information Model (ASIM) | Microsoft Docs
2
+
title: Modify content to use the Microsoft Sentinel Advanced SIEM Information Model (ASIM) | Microsoft Docs
3
3
description: This article explains how to convert Microsoft Sentinel content to use the the Advanced SIEM Information Model (ASIM).
4
4
author: oshezaf
5
5
ms.topic: conceptual
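Review bot: the title fix at line 2 ("us" to "use") leaves a similar slip in the unchanged description on line 3, "how to convert Microsoft Sentinel content to use the the Advanced SIEM Information Model", which has a doubled "the"; fix both front-matter fields in one pass. The new title also adds "Microsoft Sentinel", which the H1 changed in the next hunk does not, so the two will differ.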
@@ -8,15 +8,15 @@ ms.author: ofshezaf
8
8
ms.custom: ignite-fall-2021
9
9
---
10
10
11
-
# Modify content to us the Advanced SIEM Information Model (ASIM) (Public preview)
11
+
# Modify content to use the Advanced SIEM Information Model (ASIM) (Public preview)
12
12
13
13
[!INCLUDE [Banner for top of topics](./includes/banner.md)]
14
14
15
15
Normalized security content in Microsoft Sentinel includes analytics rules, hunting queries, and workbooks that work with unifying normalization parsers.
16
16
17
-
<aname="builtin"></a>You can find normalized, built-in content in Microsoft Sentinel galleries and [solutions](sentinel-solutions-catalog.md), create your own normalized content, or modify existing content to use normalized data.
17
+
<aname="builtin"></a>You can find normalized, out-of-the-box content in Microsoft Sentinel galleries and [solutions](sentinel-solutions-catalog.md), create your own normalized content, or modify existing, custom content to use normalized data.
18
18
19
-
This article explains how to convert Microsoft Sentinel analytic rules to use the the Advanced SIEM Information Model (ASIM).
19
+
This article explains how to convert existing Microsoft Sentinel analytics rules to use [normalizated data](normalization.md) with the Advanced SIEM Information Model (ASIM).
20
20
21
21
To understand how normalized content fits within the ASIM architecture, refer to the [ASIM architecture diagram](normalization.md#asim-components).
22
22
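Review bot: the new line 19 introduces a typo, "[normalizated data](normalization.md)"; it should be "normalized data". Also, line 17 replaces "built-in" with "out-of-the-box", but the heading added later in this file, "### Differences between built-in and workspace-deployed parsers" (line 76), keeps "built-in"; use one term consistently across the article.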
@@ -28,12 +28,18 @@ To understand how normalized content fits within the ASIM architecture, refer to
28
28
> ASIM is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
29
29
>
30
30
31
-
To enable your custom content to use normalization:
31
+
## Modify custom content to use normalization
32
+
33
+
To enable your custom Microsoft Sentinel content to use normalization:
34
+
35
+
- Modify your queries to use any [unifying parsers](normalization-about-parsers.md) relevant to the query.
36
+
37
+
- Modify field names in your query to use the [normalized schema](normalization-about-schemas.md) field names.
32
38
33
-
- Modify your queries to use the unifying parsers relevant to the query.
34
-
- Modify field names in your query to use the normalized schema field names.
35
39
- When applicable, change conditions to use the normalized values of the fields in your query.
36
40
41
+
## Sample normalization for analytics rules
42
+
37
43
For example, consider the **Rare client observed with high reverse DNS lookup count** DNS analytic rule, which works on DNS events send by Infoblox DNS servers:
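Review bot: the unchanged line 43 that closes this hunk, "DNS analytic rule, which works on DNS events send by Infoblox DNS servers", needs "sent", and, to match the new heading "## Sample normalization for analytics rules" at line 41, "analytics rule". Since the new heading's text is also the anchor target used later in this file ("#sample-normalization-for-analytics-rules"), rename both together if the heading changes.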
To use workspacedeployed ASIM parsers, replace the first line with the following code:
71
+
To use workspace-deployed ASIM parsers, replace the first line with the following code:
66
72
67
73
```kusto
68
74
imDns(responsecodename='NXDOMAIN')
69
75
```
76
+
### Differences between built-in and workspace-deployed parsers
70
77
71
-
The two options are functionally identical.
72
-
73
-
The normalized, source-agnostic version has the following differences:
78
+
The two options in the example [above](#sample-normalization-for-analytics-rules) are functionally identical. The normalized, source-agnostic version has the following differences:
74
79
75
80
- The `_In_Dns` or `imDns`normalized parsers are used instead of the Infoblox Parser.
76
81
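Review bot: the unchanged line 80, "The `_In_Dns` or `imDns`normalized parsers are used instead of the Infoblox Parser.", has two defects worth fixing while this block is being reworked: `_In_Dns` should be `_Im_Dns` (the filtering parser name the dns-normalization-schema.md change in this commit uses), and a space is missing after `imDns`. The new heading at line 76 also uses "built-in" where line 17 of this file was just changed to "out-of-the-box", and the new link "[above](#sample-normalization-for-analytics-rules)" at line 78 depends on the exact heading text added at line 41.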
@@ -81,9 +86,11 @@ The normalized, source-agnostic version has the following differences:
81
86
- Parser parameter filtering is used for ResponseCodeName, eliminating the need for an explicit `where` clauses.
82
87
83
88
84
-
Apart from supporting any normalized DNS source, the normalized version is shorter and easier to understand.
89
+
>[!NOTE]
90
+
> Apart from supporting any normalized DNS source, the normalized version is shorter and easier to understand.
91
+
>
85
92
86
-
If the schema or parsers do not support filtering parameters, the changes are similar, excluding the last one. Instead the filtering conditions are kept from the original query as seen below:
93
+
If the schema or parsers do not support filtering parameters, the changes are similar, except that the filtering conditions are kept from the original query. For example:
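Review bot: wrapping the sentence in a [!NOTE] callout (lines 89-91) leaves a trailing empty ">" line at 91 that serves no purpose; drop it. The unchanged line 86 above it, "eliminating the need for an explicit `where` clauses", should read "an explicit `where` clause".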