asim/add-audit-schema-across

Author: oshezaf

articles/sentinel/normalization-common-fields.md

@@ -107,7 +107,7 @@ The currently supported list of vendors and products used in the [EventVendor](#
 | Corelight | Zeek | 
 | GCP | Cloud DNS | 
 | Infoblox | NIOS | 
-| Microsoft | - AAD<br> - Azure Firewall<br> - Azure Blob Storage<br>    - Azure File Storage<br>    - Azure NSG flows<br> - Azure Queue Storage<br>  - Azure Table Storage <br>      -  DNS Server<br> - Microsoft 365 Defender for Endpoint<br> - Microsoft Defender for IoT<br> - Security Events<br> - Sharepoint 365<br>- Sysmon<br> - Sysmon for Linux<br> - VMConnection<br> - Windows Firewall<br> - WireData <br>
+| Microsoft | - AAD<br> - Azure<br> - Azure Firewall<br> - Azure Blob Storage<br>    - Azure File Storage<br>    - Azure NSG flows<br> - Azure Queue Storage<br>  - Azure Table Storage <br>      -  DNS Server<br> - Microsoft 365 Defender for Endpoint<br> - Microsoft Defender for IoT<br> - Security Events<br> - Sharepoint 365<br>- Sysmon<br> - Sysmon for Linux<br> - VMConnection<br> - Windows Firewall<br> - WireData <br>
 | Okta | - Okta<BR> - Auth0<br> | 
 | Palo Alto | - PanOS<br> - CDL<br> |
 | PostgreSQL | PostgreSQL |

articles/sentinel/normalization-known-issues.md

@@ -15,11 +15,11 @@ The following are the Advanced Security Information Model (ASIM) known issues an
 
 ## Time picker set to a custom range
 
-When using ASIM parsers in the log screen, the time picker will change automatically to "set in query", which will result in querying over all data in the relevant tables. The query results may not be the expected results and performance may be slow.
+When using filtering ASIM parsers (with the prefixes `_Im`, `im`, or `vim`) in the log screen, the time picker will change automatically to "set in query", which will result in querying over all data in the relevant tables. The query results may not be the expected results and performance may be slow.
 
 :::image type="content" source="media/normalization/asim-custom-time-picker.png" alt-text="Screenshot of custom time picker when using ASIM.":::
 
-To ensure correct and timely results, set the time range to your preferred range after it changes to "set in query".
+To ensure correct and timely results, set the time range to your preferred range after it changes to "set in query". In add-hoc queries, you may want to use non-filtering parsers (with the prefixes `_ASim` or `ASim`).
 
 ## Performance challenges
 

articles/sentinel/normalization-parsers-list.md

@@ -16,6 +16,17 @@ This document provides a list of Advanced Security Information Model (ASIM) pars
 > [!IMPORTANT]
 > ASIM is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 >
+## Audit event parsers
+
+To use ASIM audit event parsers, deploy the parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/ASimAuditEvent). Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:
+
+
+| **Source** | **Notes** | **Parser**
+| --- | --------------------------- | ---------- |
+| **Azure Activity administrative events** | Azure Activity events (in the `AzureActivity` table) in the category `Administrative`. | `ASimAuditEventAzureActivity` |
+| **Exchange 365 administrative events** | Exchange Administrative events collected using the Office 365 connector (in the `OfficeActivity` table). | `ASimAuditEventMicrosoftOffice365` |
+| **Windows Log clear event** | Windows Event 1102 collected using the Log Analytics agent Security Events connector or the Azure monitor agent Security Events and WEF connectors (using the `SecurityEvent`, `WindowsEvent`, or `Event` tables). | `ASimAuditEventMicrosoftWindowsEvents` |
+ 
 ## Authentication parsers
 
 To use ASIM authentication parsers, deploy the parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/ASimAuthentication). Microsoft Sentinel provides the following parsers in the packages deployed from GitHub: