List of Microsoft Sentinel Advanced Security Information Model (ASIM) parsers (Public preview)
This document provides a list of Advanced Security Information Model (ASIM) parsers. For an overview of ASIM parsers refer to the parsers overview. To understand how parsers fit within the ASIM architecture, refer to the ASIM architecture diagram.
Important
ASIM is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Audit event parsers
To use ASIM audit event parsers, deploy the parsers from the Microsoft Sentinel GitHub repository. Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:
| Source | Notes | Parser |
|---|---|---|
| Azure Activity administrative events | Azure Activity events (in the AzureActivity table) in the category Administrative. |
ASimAuditEventAzureActivity |
| Exchange 365 administrative events | Exchange Administrative events collected using the Office 365 connector (in the OfficeActivity table). |
ASimAuditEventMicrosoftOffice365 |
| Windows Log clear event | Windows Event 1102 collected using the Log Analytics agent Security Events connector (legacy) or the Azure monitor agent Security Events and WEF connectors (using the SecurityEvent, WindowsEvent, or Event tables). |
ASimAuditEventMicrosoftWindowsEvents |
Authentication parsers
To use ASIM authentication parsers, deploy the parsers from the Microsoft Sentinel GitHub repository. Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:
- Windows sign-ins
- Collected using Azure Monitor Agent or the Log Analytics Agent (legacy).
- Collected using either the Security Events connectors to the SecurityEvent table or using the WEF connector to the WindowsEvent table.
- Reported as Security Events (4624, 4625, 4634, and 4647).
- Linux sign-ins
su,sudu, andsshdactivity reported using Syslog.- reported by Microsoft Defender to IoT Endpoint.
- Microsoft Entra sign-ins, collected using the Microsoft Entra connector. Separate parsers are provided for regular, Non-Interactive, Managed Identities and Service Principles Sign-ins.
- PostgreSQL sign-in logs.
DNS parsers
ASIM DNS parsers are available in every workspace. Microsoft Sentinel provides the following out-of-the-box parsers:
| Source | Notes | Parser |
|---|---|---|
| Normalized DNS Logs | Any event normalized at ingestion to the ASimDnsActivityLogs table. The DNS connector for the Azure Monitor Agent uses the ASimDnsActivityLogs table and is supported by the _Im_Dns_Native parser. |
_Im_Dns_Native |
| Azure Firewall | _Im_Dns_AzureFirewallVxx |
|
| Microsoft DNS Server | Collected using: - DNS connector for the Azure Monitor Agent - NXlog - DNS connector for the Log Analytics Agent (legacy) |
_Im_Dns_MicrosoftOMSVxxSee Normalized DNS logs. _Im_Dns_MicrosoftNXlogVxx |
| Sysmon for Windows (event 22) | Collected using: - Azure Monitor Agent - The Log Analytics Agent (legacy) For both agents, both collecting to the Event and WindowsEvent tables are supported. |
_Im_Dns_MicrosoftSysmonVxx |
| Zscaler ZIA | _Im_Dns_ZscalerZIAVxx |
Deploy the workspace deployed parsers version from the Microsoft Sentinel GitHub repository.
File Activity parsers
To use ASIM File Activity parsers, deploy the parsers from the Microsoft Sentinel GitHub repository. Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:
- Windows file activity
- Reported by Windows (event 4663):
- Collected using the Azure Monitor Agent based Security Events connector to the SecurityEvent table.
- Collected using the Azure Monitor Agent based WEF (Windows Event Forwarding) connector to the WindowsEvent table.
- Collected using the Log Analytics Agent based Security Events connector to the SecurityEvent table (legacy).
- Reported using Sysmon file activity events (Events 11, 23, and 26):
- Collected using the Azure Monitor Agent based WEF (Windows Event Forwarding) connector to the WindowsEvent table.
- Collected using the Log Analytics Agent to the Event table (legacy).
- Reported by Windows (event 4663):
- Microsoft Office 365 SharePoint and OneDrive events, collected using the Office Activity connector.
- Azure Storage, including Blob, File, Queue, and Table Storage.
Network Session parsers
ASIM Network Session parsers are available in every workspace. Microsoft Sentinel provides the following out-of-the-box parsers:
| Source | Notes | Parser |
|---|---|---|
| Normalized Network Session Logs | Any event normalized at ingestion to the ASimNetworkSessionLogs table. The Firewall connector for the Azure Monitor Agent uses the ASimNetworkSessionLogs table and is supported by the _Im_NetworkSession_Native parser. |
_Im_NetworkSession_Native |
| Azure Firewall logs | _Im_NetworkSession_AzureFirewallVxx |
|
| Checkpoint Firewall-1 | Collected using CEF. | _Im_NetworkSession_CheckPointFirewallVxx |
| Cisco ASA | Collected using the CEF connector. | _Im_NetworkSession_CiscoASAVxx |
| Fortigate FortiOS | IP connection logs collected using Syslog. | _Im_NetworkSession_FortinetFortiGateVxx |
| Palo Alto PanOS traffic logs | Collected using CEF. | _Im_NetworkSession_PaloAltoCEFVxx |
| Sysmon for Linux (event 3) | Collected using Azure Monitor Agent or the Log Analytics Agent (legacy). | _Im_NetworkSession_LinuxSysmonVxx |
| Windows Firewall logs | Collected as Windows events using Azure Monitor Agent (WindowsEvent table) or the Log Analytics Agent (Event table) (legacy). Supports Windows events 5150 to 5159. | _Im_NetworkSession_MicrosoftWindowsEventFirewallVxx |
| Zscaler ZIA firewall logs | Collected using CEF. | _Im_NetworkSessionZscalerZIAVxx |
Deploy the workspace deployed parsers version from the Microsoft Sentinel GitHub repository.
Process Event parsers
To use ASIM Process Event parsers, deploy the parsers from the Microsoft Sentinel GitHub repository. Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:
- Security Events process creation (Event 4688), collected using Azure Monitor Agent or the Log Analytics Agent (legacy)
- Security Events process termination (Event 4689), collected using Azure Monitor Agent or the Log Analytics Agent (legacy)
- Sysmon process creation (Event 1), collected using Azure Monitor Agent or the Log Analytics Agent (legacy)
- Sysmon process termination (Event 5), collected using Azure Monitor Agent or the Log Analytics Agent (legacy)
Registry Event parsers
To use ASIM Registry Event parsers, deploy the parsers from the Microsoft Sentinel GitHub repository. Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:
- Security Events registry update (Events 4657 and 4663), collected using Azure Monitor Agent or the Log Analytics Agent (legacy)
- Sysmon registry monitoring events (Events 12, 13, and 14), collected using Azure Monitor Agent or the Log Analytics Agent (legacy)
Web Session parsers
ASIM Web Session parsers are available in every workspace. Microsoft Sentinel provides the following out-of-the-box parsers:
| Source | Notes | Parser |
|---|---|---|
| Normalized Web Session Logs | Any event normalized at ingestion to the ASimWebSessionLogs table. |
_Im_WebSession_NativeVxx |
| Internet Information Services (IIS) Logs | Collected using Azure Monitor Agent or Log Analytics Agent (legacy)-based IIS connectors. | _Im_WebSession_IISVxx |
| Palo Alto PanOS threat logs | Collected using CEF. | _Im_WebSession_PaloAltoCEFVxx |
| Zscaler ZIA | Collected using CEF. | _Im_WebSessionZscalerZIAVxx |
Deploy the workspace deployed parsers version from the Microsoft Sentinel GitHub repository.
Next steps
Learn more about ASIM parsers:
Learn more about ASIM: