List of Microsoft Sentinel Advanced Security Information Model (ASIM) parsers (Public preview)

This document provides a list of Advanced Security Information Model (ASIM) parsers. For an overview of ASIM parsers refer to the parsers overview. To understand how parsers fit within the ASIM architecture, refer to the ASIM architecture diagram.

Important

ASIM is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Audit event parsers

To use ASIM audit event parsers, deploy the parsers from the Microsoft Sentinel GitHub repository. Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:

Source | Notes | Parser
Azure Activity administrative events | Azure Activity events (AzureActivity table) in the Administrative category. | ASimAuditEventAzureActivity
Exchange 365 administrative events | Exchange administrative events collected using the Office 365 connector (OfficeActivity table). | ASimAuditEventMicrosoftOffice365
Windows log clear event | Windows event 1102 collected using the Log Analytics agent Security Events connector (legacy), or the Azure Monitor Agent Security Events and WEF connectors (SecurityEvent, WindowsEvent, or Event tables). | ASimAuditEventMicrosoftWindowsEvents

Authentication parsers

To use ASIM authentication parsers, deploy the parsers from the Microsoft Sentinel GitHub repository. Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:

  • Windows sign-ins
    • Collected using Azure Monitor Agent or the Log Analytics Agent (legacy).
    • Collected using either the Security Events connectors to the SecurityEvent table, or the WEF connector to the WindowsEvent table.
    • Reported as Security Events 4624, 4625, 4634, and 4647.
  • Linux sign-ins
    • su, sudo, and sshd activity reported using Syslog.
    • Reported by Microsoft Defender for IoT (endpoint).
  • Microsoft Entra sign-ins, collected using the Microsoft Entra connector. Separate parsers are provided for regular (interactive), non-interactive, managed identity, and service principal sign-ins.
  • PostgreSQL sign-in logs.

DNS parsers

ASIM DNS parsers are available in every workspace. Microsoft Sentinel provides the following out-of-the-box parsers:

Source | Notes | Parser
Normalized DNS logs | Any event normalized at ingestion to the ASimDnsActivityLogs table. The DNS connector for the Azure Monitor Agent writes to this table and is therefore served by the _Im_Dns_Native parser. | _Im_Dns_Native
Azure Firewall | | _Im_Dns_AzureFirewallVxx
Microsoft DNS Server | Collected using the DNS connector for the Azure Monitor Agent. | See Normalized DNS logs (_Im_Dns_Native).
Microsoft DNS Server | Collected using NXLog. | _Im_Dns_MicrosoftNXlogVxx
Microsoft DNS Server | Collected using the DNS connector for the Log Analytics Agent (legacy). | _Im_Dns_MicrosoftOMSVxx
Sysmon for Windows (event 22) | Collected using Azure Monitor Agent or the Log Analytics Agent (legacy). With either agent, collection to the Event table or to the WindowsEvent table is supported. | _Im_Dns_MicrosoftSysmonVxx
Zscaler ZIA | | _Im_Dns_ZscalerZIAVxx

A workspace-deployed version of these parsers is also available from the Microsoft Sentinel GitHub repository.
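The parsers in the tables above are KQL functions that take the standard ASIM filtering parameters. As an added example (not code from the Microsoft page or the Sentinel repository), the query below hunts for hosts producing bursts of NXDOMAIN answers, first across every DNS source and then against one source-specific parser from the table. It assumes the built-in unifying _Im_Dns parser, which unions the source-specific DNS parsers listed here but is not itself listed on this page; the threshold value and the 1-hour bin are tuning choices, not values from the page.

```kusto
// Added example, not from the Microsoft page. Assumes the built-in unifying
// _Im_Dns parser and the standard ASIM DNS filtering parameters
// (starttime, endtime, responsecodename). Filtering through the parameters
// lets each source-specific parser prune its own table before the union.
let lookback = 1d;
let nxdomain_threshold = 200;   // assumed tuning value; adjust per environment
_Im_Dns(starttime=ago(lookback), endtime=now(), responsecodename="NXDOMAIN")
| summarize
    Failures = count(),
    DistinctDomains = dcount(DnsQuery),
    Sources = make_set(EventProduct, 10)   // which source parsers contributed
    by SrcIpAddr, bin(TimeGenerated, 1h)
| where Failures > nxdomain_threshold
| order by Failures desc
```

To pin the same hunt to a single source, call the source-specific parser directly, for example `_Im_Dns_MicrosoftSysmonVxx(starttime=ago(1d), responsecodename="NXDOMAIN") | summarize Failures=count() by SrcIpAddr, SrcHostname`, substituting for Vxx the version suffix shown for that function in your workspace. The EventProduct set in the output tells you which source-specific parser normalized each row, which is the quickest way to confirm that a newly connected source is actually being picked up by the unifying parser.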

File Activity parsers

To use ASIM File Activity parsers, deploy the parsers from the Microsoft Sentinel GitHub repository. Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:

  • Windows file activity
    • Reported by Windows (event 4663):
      • Collected using the Azure Monitor Agent based Security Events connector to the SecurityEvent table.
      • Collected using the Azure Monitor Agent based WEF (Windows Event Forwarding) connector to the WindowsEvent table.
      • Collected using the Log Analytics Agent based Security Events connector to the SecurityEvent table (legacy).
    • Reported using Sysmon file activity events (Events 11, 23, and 26):
      • Collected using the Azure Monitor Agent based WEF (Windows Event Forwarding) connector to the WindowsEvent table.
      • Collected using the Log Analytics Agent to the Event table (legacy).
  • Microsoft Office 365 SharePoint and OneDrive events, collected using the Office Activity connector.
  • Azure Storage, including Blob, File, Queue, and Table Storage.

Network Session parsers

ASIM Network Session parsers are available in every workspace. Microsoft Sentinel provides the following out-of-the-box parsers:

Source | Notes | Parser
Normalized Network Session logs | Any event normalized at ingestion to the ASimNetworkSessionLogs table. The Firewall connector for the Azure Monitor Agent writes to this table and is therefore served by the _Im_NetworkSession_Native parser. | _Im_NetworkSession_Native
Azure Firewall logs | | _Im_NetworkSession_AzureFirewallVxx
Check Point Firewall-1 | Collected using CEF. | _Im_NetworkSession_CheckPointFirewallVxx
Cisco ASA | Collected using the CEF connector. | _Im_NetworkSession_CiscoASAVxx
Fortinet FortiGate (FortiOS) | IP connection logs collected using Syslog. | _Im_NetworkSession_FortinetFortiGateVxx
Palo Alto PAN-OS traffic logs | Collected using CEF. | _Im_NetworkSession_PaloAltoCEFVxx
Sysmon for Linux (event 3) | Collected using Azure Monitor Agent or the Log Analytics Agent (legacy). | _Im_NetworkSession_LinuxSysmonVxx
Windows Firewall logs | Collected as Windows events using Azure Monitor Agent (WindowsEvent table) or the Log Analytics Agent (Event table, legacy). Supports Windows events 5150 to 5159. | _Im_NetworkSession_MicrosoftWindowsEventFirewallVxx
Zscaler ZIA firewall logs | Collected using CEF. | _Im_NetworkSession_ZscalerZIAVxx

A workspace-deployed version of these parsers is also available from the Microsoft Sentinel GitHub repository.

Process Event parsers

To use ASIM Process Event parsers, deploy the parsers from the Microsoft Sentinel GitHub repository. Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:

  • Security Events process creation (Event 4688), collected using Azure Monitor Agent or the Log Analytics Agent (legacy)
  • Security Events process termination (Event 4689), collected using Azure Monitor Agent or the Log Analytics Agent (legacy)
  • Sysmon process creation (Event 1), collected using Azure Monitor Agent or the Log Analytics Agent (legacy)
  • Sysmon process termination (Event 5), collected using Azure Monitor Agent or the Log Analytics Agent (legacy)

Registry Event parsers

To use ASIM Registry Event parsers, deploy the parsers from the Microsoft Sentinel GitHub repository. Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:

  • Security Events registry update (Events 4657 and 4663), collected using Azure Monitor Agent or the Log Analytics Agent (legacy)
  • Sysmon registry monitoring events (Events 12, 13, and 14), collected using Azure Monitor Agent or the Log Analytics Agent (legacy)

Web Session parsers

ASIM Web Session parsers are available in every workspace. Microsoft Sentinel provides the following out-of-the-box parsers:

Source | Notes | Parser
Normalized Web Session logs | Any event normalized at ingestion to the ASimWebSessionLogs table. | _Im_WebSession_NativeVxx
Internet Information Services (IIS) logs | Collected using the Azure Monitor Agent or Log Analytics Agent (legacy) based IIS connectors. | _Im_WebSession_IISVxx
Palo Alto PAN-OS threat logs | Collected using CEF. | _Im_WebSession_PaloAltoCEFVxx
Zscaler ZIA | Collected using CEF. | _Im_WebSession_ZscalerZIAVxx

A workspace-deployed version of these parsers is also available from the Microsoft Sentinel GitHub repository.
