Use Advanced Security Information Model (ASIM) parsers instead of table names in your Microsoft Sentinel queries to view data in a normalized format and to include all data relevant to the schema in your query. Refer to the table below to find the relevant parser for each schema.
Unifying parsers
When using ASIM in your queries, use unifying parsers to combine all sources, normalized to the same schema, and query them using normalized fields. The unifying parser name is _Im_<schema>, where <schema> stands for the specific schema it serves.
For example, the following query uses the built-in unifying DNS parser to query DNS events using the ResponseCodeName, SrcIpAddr, and TimeGenerated normalized fields:
```kusto
_Im_Dns(starttime=ago(1d), responsecodename='NXDOMAIN')
| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
```
The example uses filtering parameters, which let the parser filter each source before normalization and so improve ASIM performance. The same example without filtering parameters, filtering only after the parser has run, would look like this:
```kusto
_Im_Dns
| where TimeGenerated > ago(1d)
| where ResponseCodeName =~ "NXDOMAIN"
| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
```
The following table lists the available unifying parsers:
| Schema | Unifying parser |
|---|---|
| Alert Event | _Im_AlertEvent |
| Audit Event | _Im_AuditEvent |
| Authentication | _Im_Authentication |
| DHCP Event | _Im_DhcpEvent |
| Dns | _Im_Dns |
| File Event | _Im_FileEvent |
| Network Session | _Im_NetworkSession |
| Process Event | _Im_ProcessCreate, _Im_ProcessTerminate |
| Registry Event | _Im_RegistryEvent |
| User Management | _Im_UserManagement |
| Web Session | _Im_WebSession |
Optimizing parsing using parameters
Using parsers might affect your query performance, primarily from filtering the results after parsing. For this reason, many parsers have optional filtering parameters, which enable you to filter before parsing and enhance query performance. With query optimization and prefiltering efforts, ASIM parsers often provide better performance when compared to not using normalization at all.
Filtering parameters are optional: a parser runs without them, but when you supply one or more named parameters the parser applies those filters in each underlying source-specific parser before normalization, which is where the performance gain comes from. Always use the available filtering parameters when invoking a parser to ensure optimal performance.
Each schema has a standard set of filtering parameters, documented in the relevant schema documentation.
For an example of using filtering parameters, see Unifying parsers.
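The following query is an added example, not one from the original page, of the prefiltering pattern applied to the Authentication schema. It assumes, from the ASIM Authentication schema documentation rather than from this page, that _Im_Authentication accepts the starttime, endtime and eventresult filtering parameters and exposes the normalized fields SrcIpAddr, TargetUsername and EventResult. It counts failed sign-ins per source address in 5-minute windows and keeps only sources that failed against many accounts, a common password-spray indicator; the thresholds are illustrative.

```kusto
// Added example (not from the original page): failed sign-ins per source, prefiltered in the parser.
// Assumed parameters: starttime, endtime, eventresult; assumed fields: SrcIpAddr, TargetUsername.
let lookback = 1h;
let window = 5m;
let minFailures = 20;      // illustrative threshold
let minDistinctUsers = 10; // illustrative threshold
_Im_Authentication(starttime=ago(lookback), endtime=now(), eventresult='Failure')
// The eventresult parameter already removed successes before normalization;
// the where below only guards against sources that leave EventResult empty.
| where EventResult == 'Failure'
| summarize Failures = count(),
            DistinctUsers = dcount(TargetUsername),
            SampleUsers = make_set(TargetUsername, 10)
  by SrcIpAddr, WindowStart = bin(TimeGenerated, window)
| where Failures >= minFailures and DistinctUsers >= minDistinctUsers
| order by Failures desc
```

Because the time bounds and result are passed as parameters, each source table (sign-in logs, Windows security events, and so on) is filtered on its own raw columns before the union and field renaming take place, rather than after every row has been normalized.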
The pack parameter
To ensure efficiency, parsers return only normalized fields by default. Fields that aren't normalized have less value when combined with other sources, because their names and meanings differ from source to source. Some parsers support the pack parameter: when pack is set to true, the parser packs the source-specific fields that aren't part of the schema into the AdditionalFields dynamic field, so they remain available for investigation without widening the normalized result set.
The parsers list article notes which parsers support the pack parameter.
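As an added example, not taken from the original page, the following query combines filtering parameters with pack=true on the DNS unifying parser and then reads individual source-specific values back out of AdditionalFields. It assumes that _Im_Dns accepts the pack parameter (check the parsers list article for your version) and exposes the normalized fields DnsQuery, SrcIpAddr and ResponseCodeName, as documented in the ASIM DNS schema rather than on this page; the AdditionalFields keys are illustrative, since they depend on the originating source.

```kusto
// Added example (not from the original page): NXDOMAIN responses with source-specific detail retained.
// Assumed parameter: pack; assumed fields: DnsQuery, SrcIpAddr, ResponseCodeName.
_Im_Dns(starttime=ago(1d), responsecodename='NXDOMAIN', pack=true)
| project TimeGenerated, SrcIpAddr, DnsQuery, ResponseCodeName, AdditionalFields
// AdditionalFields is a dynamic bag; bag_keys lists whatever each source contributed.
| extend ExtraKeys = bag_keys(AdditionalFields)
// Example of pulling one source-specific value; the key name is illustrative and
// varies by source, so the lookup is guarded with isnotempty.
| extend SourceSpecificValue = tostring(AdditionalFields["ExampleSourceKey"])
| where isnotempty(DnsQuery)
| summarize Count = count(),
            Queries = make_set(DnsQuery, 20),
            KeysSeen = make_set(ExtraKeys, 50)
  by SrcIpAddr, bin(TimeGenerated, 1h)
| order by Count desc
```

Use pack=true only in investigation queries where the extra detail is needed; for scheduled analytics rules, the default (pack=false) keeps the result set to the normalized fields and avoids the cost of building a dynamic bag per row.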
Related content
For more information, see: