Normalized security content in Microsoft Sentinel includes analytics rules, hunting queries, and workbooks that work with unifying normalization parsers.
You can find normalized, built-in content in Microsoft Sentinel galleries and solutions, create your own normalized content, or modify existing content to use normalized data.
This article lists built-in Microsoft Sentinel content that has been configured to support the Advanced Security Information Model (ASIM). While links to the Microsoft Sentinel GitHub repository are provided as a reference, you can also find these rules in the Microsoft Sentinel Analytics rule gallery. Use the linked GitHub pages to copy any relevant hunting queries.
To understand how normalized content fits within the ASIM architecture, refer to the ASIM architecture diagram.
Important
ASIM is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
The following built-in authentication content is supported for ASIM normalization.
- Potential Password Spray Attack (Uses Authentication Normalization)
- Brute force attack against user credentials (Uses Authentication Normalization)
- User login from different countries/regions within 3 hours (Uses Authentication Normalization)
- Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
The following built-in file activity content is supported for ASIM normalization.
- Legacy IOC Based Threat Detection
The following built-in registry activity content is supported for ASIM normalization.
The following built-in DNS query content is supported for ASIM normalization.
| Solutions | Analytics rules |
|---|---|
| DNS Essentials<br>Log4j Vulnerability Detection<br>Legacy IOC Based Threat Detection | (Preview) TI map Domain entity to DNS Events (ASIM DNS Schema)<br>(Preview) TI map IP entity to DNS Events (ASIM DNS Schema)<br>Potential DGA detected (ASimDNS)<br>Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)<br>DNS events related to mining pools (ASIM DNS Schema)<br>DNS events related to ToR proxies (ASIM DNS Schema)<br>Known Forest Blizzard group domains - July 2019 |
The following built-in network session related content is supported for ASIM normalization.
| Solutions | Analytics rules | Hunting queries |
|---|---|---|
| Network Session Essentials<br>Log4j Vulnerability Detection<br>Legacy IOC Based Threat Detection | Log4j vulnerability exploit aka Log4Shell IP IOC<br>Excessive number of failed connections from a single source (ASIM Network Session schema)<br>Potential beaconing activity (ASIM Network Session schema)<br>(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)<br>Port scan detected (ASIM Network Session schema)<br>Known Forest Blizzard group domains - July 2019 | Connection from external IP to OMI related Ports |
The following built-in process activity content is supported for ASIM normalization.
The following built-in web session related content is supported for ASIM normalization.
For more information, see:
- Advanced Security Information Model (ASIM) overview
- Advanced Security Information Model (ASIM) schemas
- Advanced Security Information Model (ASIM) parsers
- Using the Advanced Security Information Model (ASIM)
- Modifying Microsoft Sentinel content to use the Advanced Security Information Model (ASIM) parsers