Update normalization-parsers-list.md

batamig · web-flow · commit e06dc7776efd · 2024-10-09T13:11:11.000+03:00
diff --git a/articles/sentinel/normalization-parsers-list.md b/articles/sentinel/normalization-parsers-list.md
@@ -23,14 +23,14 @@ To use ASIM audit event parsers, deploy the parsers from the [Microsoft Sentinel
 | --- | --------------------------- | ---------- |
 | **Azure Activity administrative events** | Azure Activity events (in the `AzureActivity` table) in the category `Administrative`. | `ASimAuditEventAzureActivity` |
 | **Exchange 365 administrative events** | Exchange Administrative events collected using the Office 365 connector (in the `OfficeActivity` table). | `ASimAuditEventMicrosoftOffice365` |
-| **Windows Log clear event** | Windows Event 1102 collected using the Log Analytics agent Security Events connector or the Azure monitor agent Security Events and WEF connectors (using the `SecurityEvent`, `WindowsEvent`, or `Event` tables). | `ASimAuditEventMicrosoftWindowsEvents` |
+| **Windows Log clear event** | Windows Event 1102 collected using the Log Analytics agent Security Events connector (legacy) or the Azure monitor agent Security Events and WEF connectors (using the `SecurityEvent`, `WindowsEvent`, or `Event` tables). | `ASimAuditEventMicrosoftWindowsEvents` |
  
 ## Authentication parsers
 
 To use ASIM authentication parsers, deploy the parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/ASimAuthentication). Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:
 
 - **Windows sign-ins**
-    - Collected using the Log Analytics Agent or Azure Monitor Agent.
+    - Collected using Azure Monitor Agent or the Log Analytics Agent (legacy).
     - Collected using either the Security Events connectors to the SecurityEvent table or using the WEF connector to the WindowsEvent table.
     - Reported as Security Events (4624, 4625, 4634, and 4647).
     - reported by Microsoft Defender XDR for Endpoint, collected using the Microsoft Defender XDR connector.
@@ -56,8 +56,8 @@ ASIM DNS parsers are available in every workspace. Microsoft Sentinel provides t
 | **Corelight Zeek** | | `_Im_Dns_CorelightZeekVxx` |
 | **GCP DNS** | | `_Im_Dns_GcpVxx` |
 | - **Infoblox NIOS**<br> - **BIND**<br> - **BlucCat** | The same parsers support multiple sources. | `_Im_Dns_InfobloxNIOSVxx` |
-| **Microsoft DNS Server** | Collected using:<br>- DNS connector for the Log Analytics Agent<br>- DNS connector for the Azure Monitor Agent<br>- NXlog | <br>`_Im_Dns_MicrosoftOMSVxx`<br>See Normalized DNS logs.<br>`_Im_Dns_MicrosoftNXlogVxx` | 
-| **Sysmon for Windows**  (event 22) | Collected using:<br>- the Log Analytics Agent<br>- the Azure Monitor Agent<br><br>For both agents, both collecting to the<br> `Event` and `WindowsEvent` tables are supported. | `_Im_Dns_MicrosoftSysmonVxx` |
+| **Microsoft DNS Server** | Collected using:<br>- DNS connector for the Azure Monitor Agent<br>- NXlog<br>- DNS connector for the Log Analytics Agent (legacy) | <br>`_Im_Dns_MicrosoftOMSVxx`<br>See Normalized DNS logs.<br>`_Im_Dns_MicrosoftNXlogVxx` | 
+| **Sysmon for Windows**  (event 22) | Collected using:<br>- Azure Monitor Agent <br>- The Log Analytics Agent (legacy)<br><br>For both agents, both collecting to the<br> `Event` and `WindowsEvent` tables are supported. | `_Im_Dns_MicrosoftSysmonVxx` |
 | **Vectra AI** | |`_Im_Dns_VectraIAVxx`  |
 | **Zscaler ZIA** | | `_Im_Dns_ZscalerZIAVxx` |
 ||||
@@ -71,12 +71,12 @@ To use ASIM File Activity parsers, deploy the parsers from the [Microsoft Sentin
 
 - **Windows file activity**
     - Reported by **Windows (event 4663)**:
-        - Collected using the Log Analytics Agent based Security Events connector to the SecurityEvent table.
         - Collected using the Azure Monitor Agent based Security Events connector to the SecurityEvent table.
         - Collected using the Azure Monitor Agent based WEF (Windows Event Forwarding) connector to the WindowsEvent table.
+        - Collected using the Log Analytics Agent based Security Events connector to the SecurityEvent table (legacy).
     - Reported using **Sysmon file activity events** (Events 11, 23, and 26):
-        - Collected using the Log Analytics Agent to the Event table.
         - Collected using the Azure Monitor Agent based WEF (Windows Event Forwarding) connector to the WindowsEvent table.
+        - Collected using the Log Analytics Agent to the Event table (legacy).
     - Reported by **Microsoft Defender XDR for Endpoint**, collected using the Microsoft Defender XDR connector.
 - **Microsoft Office 365 SharePoint and OneDrive events**, collected using the Office Activity connector.
 - **Azure Storage**, including Blob, File, Queue, and Table Storage.
@@ -104,9 +104,9 @@ ASIM Network Session parsers are available in every workspace. Microsoft Sentine
 | **Microsoft Defender for IoT micro agent** | | `_Im_NetworkSession_MD4IoTAgentVxx` |
 | **Microsoft Defender for IoT sensor** | | `_Im_NetworkSession_MD4IoTSensorVxx` |
 | **Palo Alto PanOS traffic logs** | Collected using CEF. | `_Im_NetworkSession_PaloAltoCEFVxx` |
-| **Sysmon for Linux**  (event 3) | Collected using the Log Analytics Agent<br> or the Azure Monitor Agent. |`_Im_NetworkSession_LinuxSysmonVxx`  |
+| **Sysmon for Linux**  (event 3) | Collected using Azure Monitor Agent or the Log Analytics Agent (legacy). |`_Im_NetworkSession_LinuxSysmonVxx`  |
 | **Vectra AI** | Supports the [pack](normalization-about-parsers.md#the-pack-parameter) parameter. | `_Im_NetworkSession_VectraIAVxx`  |
-| **Windows Firewall logs** | Collected as Windows events using the Log Analytics Agent (Event table) or Azure Monitor Agent (WindowsEvent table). Supports Windows events 5150 to 5159. | `_Im_NetworkSession_MicrosoftWindowsEventFirewallVxx`|
+| **Windows Firewall logs** | Collected as Windows events using Azure Monitor Agent (WindowsEvent table) or the Log Analytics Agent (Event table) (legacy). Supports Windows events 5150 to 5159. | `_Im_NetworkSession_MicrosoftWindowsEventFirewallVxx`|
 | **Watchguard FirewareOW** | Collected using Syslog. | `_Im_NetworkSession_WatchGuardFirewareOSVxx` |
 | **Zscaler ZIA firewall logs** | Collected using CEF. | `_Im_NetworkSessionZscalerZIAVxx` |
 
@@ -116,18 +116,18 @@ Deploy the workspace deployed parsers version from the [Microsoft Sentinel GitHu
 
 To use ASIM Process Event parsers, deploy the parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/AsimProcessEvent). Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:
 
-- **Security Events process creation (Event 4688)**, collected using the Log Analytics Agent or Azure Monitor Agent
-- **Security Events process termination (Event 4689)**, collected using the Log Analytics Agent or Azure Monitor Agent
-- **Sysmon process creation (Event 1)**, collected using the Log Analytics Agent or Azure Monitor Agent
-- **Sysmon process termination (Event 5)**, collected using the Log Analytics Agent or Azure Monitor Agent
+- **Security Events process creation (Event 4688)**, collected using Azure Monitor Agent or the Log Analytics Agent (legacy)
+- **Security Events process termination (Event 4689)**, collected using Azure Monitor Agent or the Log Analytics Agent (legacy)
+- **Sysmon process creation (Event 1)**, collected using Azure Monitor Agent or the Log Analytics Agent (legacy)
+- **Sysmon process termination (Event 5)**, collected using Azure Monitor Agent or the Log Analytics Agent (legacy)
 - **Microsoft Defender XDR for Endpoint process creation**
 
 ## Registry Event parsers
 
 To use ASIM Registry Event parsers, deploy the parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/AsimRegistryEvent). Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:
 
-- **Security Events registry update (Events 4657 and 4663)**, collected using the Log Analytics Agent or Azure Monitor Agent
-- **Sysmon registry monitoring events (Events 12, 13, and 14)**, collected using the Log Analytics Agent or Azure Monitor Agent
+- **Security Events registry update (Events 4657 and 4663)**, collected using Azure Monitor Agent or the Log Analytics Agent (legacy)
+- **Sysmon registry monitoring events (Events 12, 13, and 14)**, collected using Azure Monitor Agent or the Log Analytics Agent (legacy)
 - **Microsoft Defender XDR for Endpoint registry events**
 
 ## Web Session parsers
@@ -138,7 +138,7 @@ ASIM Web Session parsers are available in every workspace. Microsoft Sentinel pr
 | **Source** | **Notes** | **Parser** | 
 | --- | --------------------------- | ------------------------------ | 
 | **Normalized Web Session Logs** | Any event normalized at ingestion to the `ASimWebSessionLogs` table. | `_Im_WebSession_NativeVxx` |
-| **Internet Information Services (IIS) Logs** | Collected using the AMA or Log Analytics Agent based IIS connectors. | `_Im_WebSession_IISVxx` |
+| **Internet Information Services (IIS) Logs** | Collected using Azure Monitor Agent or Log Analytics Agent (legacy)-based IIS connectors. | `_Im_WebSession_IISVxx` |
 | **Palo Alto PanOS threat logs** | Collected using CEF. | `_Im_WebSession_PaloAltoCEFVxx` |
 | **Squid Proxy** | | `_Im_WebSession_SquidProxyVxx` |
 | **Vectra AI Streams** | Supports the [pack](normalization-about-parsers.md#the-pack-parameter) parameter. | `_Im_WebSession_VectraAIVxx`  |
