Use Advanced SIEM Information Model (ASIM) parsers (Public preview)
Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.
Use Advanced SIEM Information Model (ASIM) parsers instead of table names in your Microsoft Sentinel queries to view data in a normalized format and to include all data relevant to the schema in your query. Refer to the table below to find the relevant parser for each schema.
To understand how parsers fit within the ASIM architecture, refer to the ASIM architecture diagram.
ASIM is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
When using ASIM in your queries, use unifying parsers to combine all sources, normalized to the same schema, and query them using normalized fields. The unifying parser name is
_Im_<schema> for built-in parsers and
im<schema> for workspace deployed parsers, where
<schema> stands for the specific schema it serves.
For example, the following query uses the built-in unifying DNS parser to query DNS events using the
TimeGenerated normalized fields:
_Im_Dns | where isnotempty(ResponseCodeName) | where ResponseCodeName =~ "NXDOMAIN" | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
When using the ASIM unifying filtering parsers in the Logs page, the time range selector is set to
custom. You can still set the time range yourself. Alternatively, specify the time range using parser parameters.
Alternately, use the parameter-less parsers, which start with
_ASim_ for built-in parsers and
ASim for workspace deployed parsers. Those parsers do not set the time-range picker to
custom by default.
The following table lists unifying parsers available:
|Schema||Built-in filtering parser||Built-in parameter-less parser||workspace deployed filtering parser||workspace deployed parameter-less parser|
|Process Event||- imProcess
Unifying parsers use Source-specific parsers to handle the unique aspects of each source. However, source-specific parsers can also be used independently. For example, in an Infoblox-specific workbook, use the
vimDnsInfobloxNIOS source-specific parser.
Optimizing parsing using parameters
Using parsers may impact your query performance, primarily from filtering the results after parsing. For this reason, many parsers have optional filtering parameters, which enable you to filter before parsing and enhance query performance. With query optimization and pre-filtering efforts, ASIM parsers often provide better performance when compared to not using normalization at all.
When invoking the parser, use filtering parameters by adding one or more named parameters. For example, the following query start ensures that only DNS queries for non-existent domains are returned:
The previous example is similar to the following query but is much more efficient.
_Im_Dns | where ResponseCodeName == 'NXDOMAIN'
Each schema has a standard set of filtering parameters documented in the relevant schema documentation. Filtering parameters are entirely optional. The following schemas support filtering parameters:
This article discusses the Advanced SIEM Information Model (ASIM) parsers. To learn how to develop your own parsers, see Develop ASIM parsers.
Learn more about ASIM parsers:
Learn more about the ASIM in general: