Normalization and the Azure Sentinel Information Model (ASIM) (Public preview)

Azure Sentinel ingests data from many sources. Working with various data types and tables together requires you to understand each of them, and to write and maintain a separate set of analytics rules, workbooks, and hunting queries for each type or schema.

Sometimes, you'll need separate rules, workbooks, and queries, even when data types share common elements, such as firewall devices. Correlating between different types of data during an investigation and hunting can also be challenging.

This article provides an overview of the Azure Sentinel Information Model (ASIM), which provides a solution for the challenges of handling multiple types of data.

Tip

Also watch the ASIM Webinar or review the webinar slides. For more information, see Next steps.

Important

ASIM is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Common ASIM usage

The Azure Sentinel Information Model (ASIM) provides a seamless experience for handling various sources in uniform, normalized views, by providing the following functionality:

  • Cross source detection. Normalized analytics rules work across sources, on-premises and cloud, and detect attacks such as brute force or impossible travel across systems, including Okta, AWS, and Azure.

  • Source agnostic content. The coverage of both built-in and custom content using ASIM automatically expands to any source that supports ASIM, even if the source was added after the content was created. For example, process event analytics support any source that a customer may use to bring in the data, such as Microsoft Defender for Endpoint, Windows Events, and Sysmon.

  • Support for your custom sources, in built-in analytics.

  • Ease of use. After an analyst learns ASIM, writing queries is much simpler as the field names are always the same.
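The cross-source detection bullet above is easiest to see in a query. The following KQL is an added example, not one of the built-in ASIM rule templates: it looks for a burst of failed logons against one account from one source address, followed by a successful logon from the same address, over the normalized Authentication schema. It assumes that imAuthentication is the deployed ASIM unifying parser for authentication events and that the column names (EventType, EventResult, TargetUsername, SrcDvcIpAddr, EventProduct) follow the ASIM Authentication schema; the threshold and lookback are constructed values.

```kusto
// Added example (not a built-in ASIM rule): brute-force style detection over
// the normalized Authentication schema. imAuthentication is assumed to be the
// ASIM unifying parser name; column names are assumed to follow the ASIM
// Authentication schema. Threshold and lookback are constructed for illustration.
let lookback = 1h;
let failureThreshold = 10;
// Step 1: accounts that received a burst of failed logons from one source address.
let failures =
    imAuthentication
    | where TimeGenerated > ago(lookback)
    | where EventType == "Logon" and EventResult == "Failure"
    | summarize
        FailureCount = count(),
        FirstFailure = min(TimeGenerated),
        LastFailure  = max(TimeGenerated),
        Sources      = make_set(EventProduct)   // which products reported the failures
        by TargetUsername, SrcDvcIpAddr
    | where FailureCount >= failureThreshold;
// Step 2: a successful logon for the same account from the same address after the burst.
imAuthentication
| where TimeGenerated > ago(lookback)
| where EventType == "Logon" and EventResult == "Success"
| join kind=inner failures on TargetUsername, SrcDvcIpAddr
| where TimeGenerated > LastFailure
| project TimeGenerated, TargetUsername, SrcDvcIpAddr, FailureCount,
          FirstFailure, LastFailure, SuccessProduct = EventProduct, Sources
```

Because the query reads only normalized columns, the same rule covers every product that has an ASIM authentication parser deployed, which is why the Sources column can list several products for one account.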

ASIM and the Open Source Security Events Metadata

The Azure Sentinel Information Model aligns with the Open Source Security Events Metadata (OSSEM) common information model, allowing for predictable entity correlation across normalized tables.

OSSEM is a community-led project that focuses primarily on the documentation and standardization of security event logs from diverse data sources and operating systems. The project also provides a Common Information Model (CIM) that can be used by data engineers during data normalization procedures to allow security analysts to query and analyze data across diverse data sources.

For more information, see the OSSEM reference documentation.

ASIM components

The following image shows how non-normalized data can be translated into normalized content and used in Azure Sentinel. For example, you can start with a custom, product-specific, non-normalized table, and use a parser and a normalization schema to convert that table to normalized data. Use your normalized data in both Microsoft and custom analytics, rules, workbooks, queries, and more.

[Figure: Non-normalized to normalized data conversion flow and usage in Azure Sentinel]

The Azure Sentinel Information Model includes the following components:

Normalized schemas: Cover standard sets of predictable event types that you can use when building unified capabilities.

Each schema defines the fields that represent an event, a normalized column naming convention, and a standard format for the field values.

ASIM currently defines the following schemas:
- Network Session
- DNS Activity
- Process Event
- Authentication Event
- Registry Event
- File Activity

For more information, see Azure Sentinel Information Model schemas.

Parsers: Map existing data to the normalized schemas using KQL functions.

Deploy the Microsoft-developed normalizing parsers from the Azure Sentinel GitHub Parsers folder. Normalized parsers are located in subfolders starting with ASim*.

For more information, see Azure Sentinel Information Model parsers.

Content for each normalized schema: Includes analytics rules, workbooks, hunting queries, and more. Content for each normalized schema works on any normalized data without the need to create source-specific content.

For more information, see Azure Sentinel Information Model content.
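To show what a parser is in practice, here is an added example of a minimal ASIM-style parser written as a KQL function; it is not one of the Microsoft-supplied parsers from the GitHub Parsers folder. It assumes a hypothetical custom log table named MyFirewall_CL with the raw columns src_ip_s, dst_ip_s, dst_port_d, proto_s and action_s, and maps them onto column names taken from the ASIM Network Session schema (SrcIpAddr, DstIpAddr, DstPortNumber, NetworkProtocol, EventResult, DvcAction, plus the common EventVendor, EventProduct, EventCount and EventType fields). The vendor and product strings are constructed values.

```kusto
// Added example (not a Microsoft-supplied parser): maps a hypothetical custom
// firewall table, MyFirewall_CL, onto the ASIM Network Session schema.
// Raw column names (src_ip_s, dst_ip_s, ...) are assumed; normalized column
// names follow the ASIM Network Session schema reference.
let ExampleFirewallNetworkSession = view () {
    MyFirewall_CL
    | project
        TimeGenerated,
        EventVendor     = "ExampleVendor",          // constructed value
        EventProduct    = "ExampleFirewall",        // constructed value
        EventCount      = int(1),                   // one raw row = one event
        EventType       = "NetworkSession",
        // Normalize the vendor's verdict into the schema's fixed value sets.
        EventResult     = iff(action_s =~ "allow", "Success", "Failure"),
        DvcAction       = iff(action_s =~ "allow", "Allow", "Deny"),
        SrcIpAddr       = src_ip_s,
        DstIpAddr       = dst_ip_s,
        DstPortNumber   = toint(dst_port_d),        // raw column is a real; schema wants int
        NetworkProtocol = toupper(proto_s)          // e.g. "tcp" -> "TCP"
};
// Using the parser: the same query works for any other table parsed into
// this schema, because it references only normalized columns.
ExampleFirewallNetworkSession
| where TimeGenerated > ago(1h)
| summarize DeniedSessions = countif(DvcAction == "Deny"),
            DistinctDstPorts = dcount(DstPortNumber)
        by SrcIpAddr
| top 10 by DeniedSessions
```

To make such a parser available to analytics rules and workbooks, save the view body as a workspace function (in Logs, "Save as function") under an alias, and then query the alias instead of the raw table. Converting every value to the schema's fixed sets (for example, Success/Failure for EventResult) is what lets content written for the schema run unchanged against this source.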

ASIM terminology

The Azure Sentinel Information Model uses the following terms:

Reporting device: The system that sends the records to Azure Sentinel. This system may not be the subject system for the record that's being sent.

Record: A unit of data sent from the reporting device. A record is often referred to as a log, event, or alert, but can also be another type of data.

Content, or content item: The different, customizable, or user-created artifacts that can be used with Azure Sentinel, for example analytics rules, hunting queries, and workbooks. A content item is one such artifact.

Getting started with ASIM

To start using ASIM:

  1. Deploy all ASIM parsers quickly from the Azure Sentinel GitHub repository.

  2. Activate analytics rule templates that use ASIM. For more information, see the Azure Sentinel Information Model (ASIM) content list.

  3. Use ASIM in your workspace, using the following methods:

Next steps

This article provides an overview of normalization in Azure Sentinel and the Azure Sentinel Information Model.

For more information, see: