Last quarter we focused on Azure Sentinel Information Model (ASIM) foundations and defined schemas. This quarter we focused on making ASIM more useful to you:
The first schema to use parametrized parsers is the DNS schema. DNS is a high-volume source, and using optimized parsers enables the new normalized Threat Intelligence Analytics Rules (Domains, IPs) to match your TI to even the highest volume of DNS data. And with out-of-the-box optimized parsers for a wide variety of DNS servers and clients, including Windows DNS Server, InfoBlox, Cisco Umbrella, Corelight Zeek, Google Cloud DNS, and Sysmon, you get this detection across much more of your data.
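The following KQL is an added illustration, not code from the original post or from the ASIM project itself. It shows the pattern behind the normalized TI analytics rule mentioned above: the list of active domain indicators is passed into the parametrized DNS parser as a filter, so the filtering is applied to the raw source tables before normalization instead of after every DNS event has been materialized. The parser name `_Im_Dns`, its `starttime` and `domain_has_any` parameters, and the `ThreatIntelligenceIndicator` column names are assumptions about the deployed ASIM and TI schema in your workspace; check them against the parser you actually have installed.

```kql
// Added example (not part of the original post). Assumes the ASIM DNS
// unifying parser is deployed as _Im_Dns and accepts the parameters
// starttime and domain_has_any (an assumption to verify per workspace).
let lookback = 14d;        // how far back to collect TI indicators
let dt_lookBack = 1h;      // window of DNS events to match per rule run
// Active, unexpired domain indicators, one row per indicator.
let TI_domains = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(lookback)
    | where isnotempty(DomainName)
    | where Active == true and ExpirationDateTime > now()
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | extend DomainName = tolower(DomainName);
// Collapse the indicator domains into a dynamic list for the parser parameter.
let domainList = toscalar(TI_domains | summarize make_list(DomainName));
// Inefficient form (for contrast): normalize everything, then filter.
//   _Im_Dns(starttime=ago(dt_lookBack))
//   | where DnsQuery has_any (domainList)
// Parametrized form: the time range and domain list are pushed into the
// parser, so each source-specific parser filters its raw table first.
_Im_Dns(starttime=ago(dt_lookBack), domain_has_any=domainList)
| extend DnsQuery = tolower(DnsQuery)
| join kind=inner TI_domains on $left.DnsQuery == $right.DomainName
| project TimeGenerated, SrcIpAddr, DnsQuery, DnsResponseName,
          IndicatorId, ThreatType, ConfidenceScore, Description
```

The join key is the exact query name, which is how the domain-entity rule behaves; if your indicators are parent domains and you want subdomain matches as well, `domain_has_any` already returns those rows, and the join condition is what you would relax.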
Join us to learn more about parametrized parsers in our upcoming webinar, "Turbocharging ASIM: Making Sure Normalization Helps Performance Rather Than Impacting It", on Oct 6th. Register, as usual, at https://aka.ms/securitywebinars.
Special thanks to Yaron Fruchtmann and Yuval Naor, who made all this possible.
Working with various data types and tables together presents a challenge. You must become familiar with many different data types and schemas, write and use a unique set of analytics rules, workbooks, and hunting queries for each, even for those that share commonalities (for example, DNS servers). Correlation between the different data types necessary for investigation and hunting is also tricky.
The Azure Sentinel Information Model (ASIM) provides a seamless experience for handling various sources in uniform, normalized views. ASIM aligns with the Open-Source Security Events Metadata (OSSEM) common information model, promoting vendor agnostic, industry-wide normalization. ASIM:
The current implementation is based on query-time normalization using KQL functions and includes the following:
Principal Product Manager, Azure Sentinel