This document provides a list of Advanced Security Information Model (ASIM) parsers. For an overview of ASIM parsers refer to the parsers overview. To understand how parsers fit within the ASIM architecture, refer to the ASIM architecture diagram.
Audit Event parsers
| Source | Notes | Parser |
| --- | --- | --- |
| Normalized Audit Event Logs | Any event normalized at ingestion to the ASimAuditEventLogs table. | _Im_AuditEvent_Native |
| Azure Activity | Azure Activity events (in the AzureActivity table) in the category Administrative. | _Im_AuditEvent_AzureActivityVxx |
| Microsoft Events | Windows Audit events collected in the Event table. | _Im_AuditEvent_MicrosoftEventVxx |
| Microsoft Exchange 365 | Exchange Administrative events collected using the Office 365 connector (in the OfficeActivity table). | _Im_AuditEvent_MicrosoftExchangeAdmin365Vxx |
| Microsoft Security Events | Windows Event 1102 collected using Azure Monitor Agent (using the SecurityEvent tables). | _Im_AuditEvent_MicrosoftSecurityEventsVxx |
| Microsoft Windows Events | Windows Event 1102 collected using Azure Monitor Agent (using the WindowsEvent tables). | _Im_AuditEvent_MicrosoftWindowsEventsVxx |
Authentication parsers
| Source | Notes | Parser |
| --- | --- | --- |
| Normalized Authentication Logs | Any event normalized at ingestion to the ASimAuthenticationEventLogs table. | _Im_Authentication_Native |
| Cisco ASA | Cisco ASA events collected using CEF. | _Im_Authentication_CiscoASAVxx |
| Microsoft Entra ID | Microsoft Entra ID sign-ins, collected using the Microsoft Entra connector for regular sign-ins. | _Im_Authentication_AADSigninLogsVxx |
| Microsoft Entra ID (Non-Interactive) | Microsoft Entra ID sign-ins, collected using the Microsoft Entra connector for Non-Interactive sign-ins. | _Im_Authentication_AADNonInteractiveVxx |
| Microsoft Entra ID (Managed Identities) | Microsoft Entra ID sign-ins, collected using the Microsoft Entra connector for Managed Identities sign-ins. | _Im_Authentication_AADManagedIdentityVxx |
| Microsoft Entra ID (Service Principal) | Microsoft Entra ID sign-ins, collected using the Microsoft Entra connector for Service Principal sign-ins. | _Im_Authentication_AADServicePrincipalSignInLogsVxx |
| Microsoft Windows Events | Windows sign-ins (Events 4624, 4625, 4634, 4647) collected using Azure Monitor Agent or the Log Analytics Agent to the SecurityEvent or WindowsEvent tables. | _Im_Authentication_MicrosoftWindowsEventVxx |
| Palo Alto Cortex Data Lake | Palo Alto Cortex Data Lake events. | _Im_Authentication_PaloAltoCortexDataLakeVxx |
| PostgreSQL | PostgreSQL sign-in logs. | _Im_Authentication_PostgreSQLVxx |
| Linux Sshd | Linux sshd activity reported using Syslog. | _Im_Authentication_SshdVxx |
| Linux Su | Linux su activity reported using Syslog. | _Im_Authentication_SuVxx |
| Linux Sudo | Linux sudo activity reported using Syslog. | _Im_Authentication_SudoVxx |
DNS parsers
| Source | Notes | Parser |
| --- | --- | --- |
| Normalized DNS Logs | Any event normalized at ingestion to the ASimDnsActivityLogs table. The DNS connector for the Azure Monitor Agent uses the ASimDnsActivityLogs table. | _Im_Dns_Native |
| Azure Firewall | Azure Firewall DNS logs. | _Im_Dns_AzureFirewallVxx |
| Fortinet FortiGate | Fortinet FortiGate DNS logs. | _Im_Dns_FortinetFortigateVxx |
| Microsoft DNS Server | Collected using the DNS connector for the Log Analytics Agent (legacy). | _Im_Dns_MicrosoftOMSVxx |
| Zscaler ZIA | Zscaler ZIA DNS logs. | _Im_Dns_ZscalerZIAVxx |
File Activity parsers
| Source | Notes | Parser |
| --- | --- | --- |
| Normalized File Event Logs | Any event normalized at ingestion to the ASimFileEventLogs table. | _Im_FileEvent_Native |
| Azure Blob Storage | Azure Blob Storage file events. | _Im_FileEvent_AzureBlobStorageVxx |
| Azure File Storage | Azure File Storage events. | _Im_FileEvent_AzureFileStorageVxx |
| Azure Queue Storage | Azure Queue Storage events. | _Im_FileEvent_AzureQueueStorageVxx |
| Azure Table Storage | Azure Table Storage events. | _Im_FileEvent_AzureTableStorageVxx |
| Microsoft Security Events | Windows file events (Event 4663) collected using the Security Events connector. | _Im_FileEvent_MicrosoftSecurityEventsVxx |
| Microsoft SharePoint | Microsoft Office 365 SharePoint and OneDrive events, collected using the Office Activity connector. | _Im_FileEvent_MicrosoftSharePointVxx |
| Microsoft Windows Events | Windows file events (Event 4663) collected to the WindowsEvent table. | _Im_FileEvent_MicrosoftWindowsEventsVxx |
Network Session parsers
| Source | Notes | Parser |
| --- | --- | --- |
| Normalized Network Session Logs | Any event normalized at ingestion to the ASimNetworkSessionLogs table. The Firewall connector for the Azure Monitor Agent uses this table. | _Im_NetworkSession_Native |
| Azure Firewall | Azure Firewall network logs. | _Im_NetworkSession_AzureFirewallVxx |
| Azure Monitor VMConnection | Collected as part of the Azure Monitor VM Insights solution. | _Im_NetworkSession_VMConnectionVxx |
| Checkpoint Firewall | Checkpoint Firewall events collected using CEF. | _Im_NetworkSession_CheckPointFirewallVxx |
| Cisco ASA | Cisco ASA events collected using CEF. | _Im_NetworkSession_CiscoASAVxx |
| Microsoft Windows Firewall | Windows Firewall events (Events 5150-5159) collected using Azure Monitor Agent or the Log Analytics Agent. | _Im_NetworkSession_MicrosoftWindowsEventFirewallVxx |
| Microsoft Windows Security Events Firewall | Windows Firewall events collected using the Security Events connector. | _Im_NetworkSession_MicrosoftSecurityEventFirewallVxx |
| Palo Alto PanOS | Palo Alto PanOS traffic logs collected using CEF. | _Im_NetworkSession_PaloAltoCEFVxx |
| Palo Alto Cortex Data Lake | Palo Alto Cortex Data Lake events. | _Im_NetworkSession_PaloAltoCortexDataLakeVxx |
| Zscaler ZIA | Zscaler ZIA firewall logs collected using CEF. | _Im_NetworkSession_ZscalerZIAVxx |
Process Event parsers
| Source | Notes | Parser |
| --- | --- | --- |
| Normalized Process Event Logs | Any event normalized at ingestion to the ASimProcessEventLogs table. | _Im_ProcessEvent_Native |
| Microsoft Security Events (Create) | Windows Security Events process creation events (Event 4688). | _Im_ProcessCreate_MicrosoftSecurityEventsVxx |
| Microsoft Security Events (Terminate) | Windows Security Events process termination events (Event 4689). | _Im_ProcessTerminate_MicrosoftSecurityEventsVxx |
| Microsoft Windows Events (Create) | Windows process events (Event 4688) collected to the WindowsEvent table. | _Im_ProcessCreate_MicrosoftWindowsEventsVxx |
| Microsoft Windows Events (Terminate) | Windows process events (Event 4689) collected to the WindowsEvent table. | _Im_ProcessTerminate_MicrosoftWindowsEventsVxx |
Registry Event parsers
| Source | Notes | Parser |
| --- | --- | --- |
| Normalized Registry Event Logs | Any event normalized at ingestion to the ASimRegistryEventLogs table. | _Im_RegistryEvent_Native |
| Microsoft Security Events | Windows Security Events registry events (Events 4657, 4663). | _Im_RegistryEvent_MicrosoftSecurityEventVxx |
| Microsoft Windows Events | Windows registry events collected to the WindowsEvent table. | _Im_RegistryEvent_MicrosoftWindowsEventVxx |
User Management parsers
| Source | Notes | Parser |
| --- | --- | --- |
| Normalized User Management Logs | Any event normalized at ingestion to the ASimUserManagementLogs table. | _Im_UserManagement_Native |
| Microsoft Security Events | Windows Security Events user management events. | _Im_UserManagement_MicrosoftSecurityEventVxx |
| Microsoft Windows Events | Windows user management events collected to the WindowsEvent table. | _Im_UserManagement_MicrosoftWindowsEventVxx |
Web Session parsers
| Source | Notes | Parser |
| --- | --- | --- |
| Normalized Web Session Logs | Any event normalized at ingestion to the ASimWebSessionLogs table. | _Im_WebSession_Native |
| Azure Firewall | Azure Firewall web session logs. | _Im_WebSession_AzureFirewallVxx |
| Palo Alto PanOS | Palo Alto PanOS threat logs collected using CEF. | _Im_WebSession_PaloAltoCEFVxx |
| Palo Alto Cortex Data Lake | Palo Alto Cortex Data Lake events. | _Im_WebSession_PaloAltoCortexDataLakeVxx |
| Zscaler ZIA | Zscaler ZIA web logs collected using CEF. | _Im_WebSession_ZscalerZIAVxx |