Advanced Security Information Model (ASIM) security content (Public preview)
Normalized security content in Microsoft Sentinel includes analytics rules, hunting queries, and workbooks that work with unifying normalization parsers.
You can find normalized, built-in content in Microsoft Sentinel galleries and solutions, create your own normalized content, or modify existing content to use normalized data.
This article lists built-in Microsoft Sentinel content that has been configured to support the Advanced Security Information Model (ASIM). While links to the Microsoft Sentinel GitHub repository are provided below as a reference, you can also find these rules in the Microsoft Sentinel Analytics rule gallery. Use the linked GitHub pages to copy any relevant hunting queries.
To understand how normalized content fits within the ASIM architecture, refer to the ASIM architecture diagram.
Tip
Also watch the Deep Dive Webinar on Microsoft Sentinel Normalizing Parsers and Normalized Content or review the slides. For more information, see Next steps.
Important
ASIM is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Authentication security content
The following built-in authentication content is supported for ASIM normalization.
Analytics rules
- Potential Password Spray Attack (Uses Authentication Normalization)
- Brute force attack against user credentials (Uses Authentication Normalization)
- User login from different countries within 3 hours (Uses Authentication Normalization)
- Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
DNS query security content
The following built-in DNS query content is supported for ASIM normalization.
Solutions
Analytics rules
- (Preview) TI map Domain entity to DNS Events (ASIM DNS Schema)
- (Preview) TI map IP entity to DNS Events (ASIM DNS Schema)
- Potential DGA detected (ASimDNS)
- Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
- DNS events related to mining pools (ASIM DNS Schema)
- DNS events related to ToR proxies (ASIM DNS Schema)
- Known Barium domains
- Known Barium IP addresses
- Exchange Server Vulnerabilities Disclosed March 2021 IoC Match
- Known Granite Typhoon domains and hashes
- Known Seashell Blizzard IP
- Midnight Blizzard - Domain and IP IOCs - March 2021
- Known Phosphorus group domains/IP
- Known Forest Blizzard group domains - July 2019
- Solorigate Network Beacon
- Emerald Sleet domains included in DCU takedown
- Known Diamond Sleet Comebacker and Klackring malware hashes
- Known Ruby Sleet domains and hashes
- Known NICKEL domains and hashes
- Midnight Blizzard - Domain, Hash and IP IOCs - May 2021
- Solorigate Network Beacon
File Activity security content
The following built-in file activity content is supported for ASIM normalization.
Analytics Rules
- SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
- Exchange Server Vulnerabilities Disclosed March 2021 IoC Match
- Silk Typhoon UM Service writing suspicious file
- Midnight Blizzard - Domain, Hash and IP IOCs - May 2021
- SUNSPOT log file creation
- Known Diamond Sleet Comebacker and Klackring malware hashes
- Cadet Blizzard Actor IOC - January 2022
- Midnight Blizzard IOCs related to FoggyWeb backdoor
Network session security content
The following built-in network session related content is supported for ASIM normalization.
Solutions
Analytics rules
- Log4j vulnerability exploit aka Log4Shell IP IOC
- Excessive number of failed connections from a single source (ASIM Network Session schema)
- Potential beaconing activity (ASIM Network Session schema)
- (Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)
- Port scan detected (ASIM Network Session schema)
- Known Barium IP addresses
- Exchange Server Vulnerabilities Disclosed March 2021 IoC Match
- [Known Seashell Blizzard IP(https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SeashellBlizzardIOCs.yaml)
- Midnight Blizzard - Domain, Hash and IP IOCs - May 2021
- Known Forest Blizzard group domains - July 2019
Hunting queries
Process activity security content
The following built-in process activity content is supported for ASIM normalization.
Solutions
Analytics rules
- Probable AdFind Recon Tool Usage (Normalized Process Events)
- Base64 encoded Windows process command-lines (Normalized Process Events)
- Malware in the recycle bin (Normalized Process Events)
- Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
- SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
Hunting queries
- Cscript script daily summary breakdown (Normalized Process Events)
- Enumeration of users and groups (Normalized Process Events)
- Exchange PowerShell Snapin Added (Normalized Process Events)
- Host Exporting Mailbox and Removing Export (Normalized Process Events)
- Invoke-PowerShellTcpOneLine Usage (Normalized Process Events)
- Nishang Reverse TCP Shell in Base64 (Normalized Process Events)
- Summary of users created using uncommon/undocumented commandline switches (Normalized Process Events)
- Powercat Download (Normalized Process Events)
- PowerShell downloads (Normalized Process Events)
- Entropy for Processes for a given Host (Normalized Process Events)
- SolarWinds Inventory (Normalized Process Events)
- Suspicious enumeration using Adfind tool (Normalized Process Events)
- Windows System Shutdown/Reboot (Normalized Process Events)
- Certutil (LOLBins and LOLScripts, Normalized Process Events)
- Rundll32 (LOLBins and LOLScripts, Normalized Process Events)
- Uncommon processes - bottom 5% (Normalized Process Events)
- Unicode Obfuscation in Command Line
Registry activity security content
The following built-in registry activity content is supported for ASIM normalization.
Analytics rules
Hunting queries
Web session security content
The following built-in web session related content is supported for ASIM normalization.
Solutions
Analytics rules
- (Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)
- (Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)
- Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Network Session schema)
- A client made a web request to a potentially harmful file (ASIM Web Session schema)
- A host is potentially running a crypto miner (ASIM Web Session schema)
- A host is potentially running a hacking tool (ASIM Web Session schema)
- A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)
- Discord CDN Risky File Download (ASIM Web Session Schema)
- Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
- Known Barium domains
- Known Barium IP addresses
- Known Ruby Sleet domains and hashes
- Known Seashell Blizzard IP
- Known NICKEL domains and hashes
- Midnight Blizzard - Domain and IP IOCs - March 2021
- Midnight Blizzard - Domain, Hash and IP IOCs - May 2021
- Known Phosphorus group domains/IP
- User agent search for log4j exploitation attempt
Next steps
This article discusses the Advanced Security Information Model (ASIM) content.
For more information, see:
- Watch the Deep Dive Webinar on Microsoft Sentinel Normalizing Parsers and Normalized Content or review the slides
- Advanced Security Information Model (ASIM) overview
- Advanced Security Information Model (ASIM) schemas
- Advanced Security Information Model (ASIM) parsers
- Using the Advanced Security Information Model (ASIM)
- Modifying Microsoft Sentinel content to use the Advanced Security Information Model (ASIM) parsers