List of Microsoft Sentinel Advanced Security Information Model (ASIM) parsers (Public preview)
Note
Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.
This document provides a list of Advanced Security Information Model (ASIM) parsers. For an overview of ASIM parsers refer to the parsers overview. To understand how parsers fit within the ASIM architecture, refer to the ASIM architecture diagram.
Important
ASIM is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Authentication parsers
- Windows sign-ins
- Collected using the Log Analytics Agent or Azure Monitor Agent.
- Collected using either the Security Events connectors to the SecurityEvent table or using the WEF connector to the WindowsEvent table.
- Reported as Security Events (4624, 4625, 4634, and 4647).
- reported by Microsoft 365 Defender for Endpoint, collected using the Microsoft 365 Defender connector.
- Linux sign-ins
- reported by Microsoft 365 Defender for Endpoint, collected using the Microsoft 365 Defender connector.
- reported by Microsoft Defender to IoT Endpoint.
- Azure Active Directory sign-ins, collected using the Azure Active Directory connector. Separate parsers are provided for regular, Non-Interactive, Managed Identities and Service Principles Sign-ins.
- AWS sign-ins, collected using the AWS CloudTrail connector.
- Okta authentication, collected using the Okta connector.
- PostgreSQL sign-in logs.
Deploy the parsers from the Microsoft Sentinel GitHub repository.
DNS parsers
Microsoft Sentinel provides the following out-of-the-box, product-specific DNS parsers:
| Source | Notes | Parser |
|---|---|---|
| Normalized DNS Logs | Any event normalized at ingestion to the ASimDnsActivityLogs table. |
_Im_Dns_Native |
| Azure Firewall | _Im_Dns_AzureFirewallVxx |
|
| Cisco Umbrella | _Im_Dns_CiscoUmbrellaVxx |
|
| Corelight Zeek | _Im_Dns_CorelightZeekVxx |
|
| GCP DNS | _Im_Dns_GcpVxx |
|
| - Infoblox NIOS - BIND - BlucCat |
The same parsers support multiple sources. | _Im_Dns_InfobloxNIOSVxx |
| Microsoft DNS Server | Collected by the DNS connector and the Log Analytics Agent. | _Im_Dns_MicrosoftOMSVxx |
| Microsoft DNS Server | Collected by NXlog. | _Im_Dns_MicrosoftNXlogVxx |
| Sysmon for Windows (event 22) | Collected by the Log Analytics Agent or the Azure Monitor Agent, supporting both the Event and WindowsEvent tables. |
_Im_Dns_MicrosoftSysmonVxx |
| Vectra AI | _Im_Dns_VectraIAVxx |
|
| Zscaler ZIA | _Im_Dns_ZscalerZIAVxx |
|
Deploy the workspace deployed parsers from the Microsoft Sentinel GitHub repository.
File Activity parsers
Microsoft Sentinel provides the following out-of-the-box, product-specific File Activity parsers:
- Sysmon file activity events (Events 11, 23, and 26), collected using the Log Analytics Agent or Azure Monitor Agent.
- Microsoft Office 365 SharePoint and OneDrive events, collected using the Office Activity connector.
- Microsoft 365 Defender for Endpoint file events
- Azure Storage, including Blob, File, Queue, and Table Storage.
Deploy the parsers from the Microsoft Sentinel GitHub repository.
Network Session parsers
Microsoft Sentinel provides the following out-of-the-box, product-specific Network Session parsers:
| Source | Notes | Parser |
|---|---|---|
| AppGate SDP | IP connection logs collected using Syslog. | _Im_NetworkSession_AppGateSDPVxx |
| AWS VPC logs | Collected using the AWS S3 connector. | _Im_NetworkSession_AWSVPCVxx |
| Azure Firewall logs | _Im_NetworkSession_AzureFirewallVxx |
|
| Azure Monitor VMConnection | Collected as part of the Azure Monitor VM Insights solution. | _Im_NetworkSession_VMConnectionVxx |
| Azure Network Security Groups (NSG) logs | Collected as part of the Azure Monitor VM Insights solution. | _Im_NetworkSession_AzureNSGVxx |
| Fortigate FortiOS | IP connection logs collected using Syslog. | _Im_NetworkSession_FortinetFortiGateVxx |
| Microsoft 365 Defender for Endpoint | _Im_NetworkSession_Microsoft365DefenderVxx |
|
| Microsoft Defender for IoT - Endpoint | _Im_NetworkSession_MD4IoTVxx |
|
| Palo Alto PanOS traffic logs | Collected using CEF. | _Im_NetworkSession_PaloAltoCEFVxx |
| Sysmon for Linux (event 3) | Collected using the Log Analytics Agent or the Azure Monitor Agent. |
_Im_NetworkSession_LinuxSysmonVxx |
| Vectra AI | _Im_NetworkSession_VectraIAVxx |
|
| Windows Firewall logs | Collected as Windows events using the Log Analytics Agent (Event table) or Azure Monitor Agent (WindowsEvent table). Supports Windows events 5150 to 5159. | _Im_NetworkSession_MicrosoftWindowsEventFirewallVxx |
| Zscaler ZIA firewall logs | Collected using CEF. | _Im_NetworkSessionZscalerZIAVxx |
Deploy the workspace deployed parsers from the Microsoft Sentinel GitHub repository.
Process Event parsers
Microsoft Sentinel provides the following built-in, product-specific Process Event parsers:
- Security Events process creation (Event 4688), collected using the Log Analytics Agent or Azure Monitor Agent
- Security Events process termination (Event 4689), collected using the Log Analytics Agent or Azure Monitor Agent
- Sysmon process creation (Event 1), collected using the Log Analytics Agent or Azure Monitor Agent
- Sysmon process termination (Event 5), collected using the Log Analytics Agent or Azure Monitor Agent
- Microsoft 365 Defender for Endpoint process creation
Deploy Process Event parsers from the Microsoft Sentinel GitHub repository.
Registry Event parsers
Microsoft Sentinel provides the following built-in, product-specific Registry Event parsers:
- Security Events registry update (Event 4657), collected using the Log Analytics Agent or Azure Monitor Agent
- Sysmon registry monitoring events (Events 12, 13, and 14), collected using the Log Analytics Agent or Azure Monitor Agent
- Microsoft 365 Defender for Endpoint registry events
Deploy Registry Event parsers from the Microsoft Sentinel GitHub repository.
Web Session parsers
Microsoft Sentinel provides the following out-of-the-box, product-specific Web Session parsers:
| Source | Notes | Parser |
|---|---|---|
| Squid Proxy | _Im_WebSession_SquidProxyVxx |
|
| Vectra AI Streams | _Im_WebSession_VectraAIVxx |
|
| Zscaler ZIA | Collected using CEF | _Im_WebSessionZscalerZIAVxx |
These parsers can be deployed from the Microsoft Sentinel GitHub repository.
Next steps
Learn more about ASIM parsers:
Learn more about ASIM:
Povratne informacije
Pošalјite i prikažite povratne informacije za