This document provides a list of Advanced Security Information Model (ASIM) parsers. For an overview of ASIM parsers refer to the parsers overview. To understand how parsers fit within the ASIM architecture, refer to the ASIM architecture diagram.
Alert Event parsers
| Source | Notes | Parser |
|---|---|---|
| Microsoft Defender XDR | Microsoft Defender XDR alert events (in the AlertEvidence table). | _Im_AlertEvent_MicrosoftDefenderXDRVxx |
| SentinelOne Singularity | SentinelOne Singularity threat events (in the SentinelOne_CL table). | _Im_AlertEvent_SentinelOneSingularityVxx |
Audit Event parsers
| Source | Notes | Parser |
|---|---|---|
| Normalized Audit Event Logs | Any event normalized at ingestion to the ASimAuditEventLogs table. | _Im_AuditEvent_Native |
| Azure Activity | Azure Activity events (in the AzureActivity table) in the category Administrative. | _Im_AuditEvent_AzureActivityVxx |
| Barracuda CEF | Barracuda events collected using CEF. | _Im_AuditEvent_BarracudaCEFVxx |
| Barracuda WAF | Barracuda WAF events. | _Im_AuditEvent_BarracudaWAFVxx |
| Cisco ISE | Cisco ISE events. | _Im_AuditEvent_CiscoISEVxx |
| Cisco Meraki | Cisco Meraki events collected using the API connector or Syslog. | _Im_AuditEvent_CiscoMerakiVxx |
| CrowdStrike Falcon | CrowdStrike Falcon Host events. | _Im_AuditEvent_CrowdStrikeFalconVxx |
| Illumio SaaS Core | Illumio SaaS Core events. | _Im_AuditEvent_IllumioSaaSCoreVxx |
| Infoblox BloxOne | Infoblox BloxOne events. | _Im_AuditEvent_InfobloxBloxOneVxx |
| Microsoft Exchange 365 | Exchange Administrative events collected using the Office 365 connector (in the OfficeActivity table). | _Im_AuditEvent_MicrosoftExchangeAdmin365Vxx |
| Microsoft Windows Events | Windows Event 1102 collected using Azure Monitor Agent (using the SecurityEvent or WindowsEvent tables). | _Im_AuditEvent_MicrosoftWindowsEventsVxx |
| SentinelOne | SentinelOne events. | _Im_AuditEvent_SentinelOneVxx |
| Vectra XDR | Vectra XDR audit events. | _Im_AuditEvent_VectraXDRAuditVxx |
| VMware Carbon Black Cloud | VMware Carbon Black Cloud events. | _Im_AuditEvent_VMwareCarbonBlackCloudVxx |
Authentication parsers
| Source | Notes | Parser |
|---|---|---|
| Normalized Authentication Logs | Any event normalized at ingestion to the ASimAuthenticationEventLogs table. | _Im_Authentication_Native |
| AWS CloudTrail | AWS sign-ins, collected using the AWS CloudTrail connector. | _Im_Authentication_AWSCloudTrailVxx |
| Barracuda WAF | Barracuda WAF events. | _Im_Authentication_BarracudaWAFVxx |
| Cisco ASA | Cisco ASA events collected using CEF. | _Im_Authentication_CiscoASAVxx |
| Cisco ISE | Cisco ISE events. | _Im_Authentication_CiscoISEVxx |
| Cisco Meraki | Cisco Meraki events collected using the API connector or Syslog. | _Im_Authentication_CiscoMerakiVxx |
| CrowdStrike Falcon | CrowdStrike Falcon Host events. | _Im_Authentication_CrowdStrikeFalconVxx |
| Google Workspace | Google Workspace sign-ins. | _Im_Authentication_GoogleWorkspaceVxx |
| Illumio SaaS Core | Illumio SaaS Core events. | _Im_Authentication_IllumioSaaSCoreVxx |
| Microsoft Defender XDR | Microsoft Defender XDR for Endpoint sign-ins for Windows and Linux. | _Im_Authentication_M365DefenderVxx |
| Microsoft Entra ID | Microsoft Entra ID sign-ins, collected using the Microsoft Entra connector. Separate parsers for regular, Non-Interactive, Managed Identities, and Service Principal sign-ins. | _Im_Authentication_AADSigninLogsVxx<br>_Im_Authentication_AADNonInteractiveVxx<br>_Im_Authentication_AADManagedIdentityVxx<br>_Im_Authentication_AADServicePrincipalSignInLogsVxx |
| Microsoft Windows Events | Windows sign-ins (Events 4624, 4625, 4634, 4647) collected using Azure Monitor Agent or the Log Analytics Agent to the SecurityEvent or WindowsEvent tables. | _Im_Authentication_MicrosoftWindowsEventVxx |
| Okta | Okta authentication, collected using the Okta connector (V1 OSS and V2). | _Im_Authentication_OktaOSSVxx<br>_Im_Authentication_OktaV2Vxx |
| Palo Alto Cortex Data Lake | Palo Alto Cortex Data Lake events. | _Im_Authentication_PaloAltoCortexDataLakeVxx |
| PostgreSQL | PostgreSQL sign-in logs. | _Im_Authentication_PostgreSQLVxx |
| Salesforce Service Cloud | Salesforce Service Cloud events. | _Im_Authentication_SalesforceSCVxx |
| SentinelOne | SentinelOne events. | _Im_Authentication_SentinelOneVxx |
| Linux Sshd | Linux sshd activity reported using Syslog. | _Im_Authentication_SshdVxx |
| Linux Su | Linux su activity reported using Syslog. | _Im_Authentication_SuVxx |
| Linux Sudo | Linux sudo activity reported using Syslog. | _Im_Authentication_SudoVxx |
| Vectra XDR | Vectra XDR audit events. | _Im_Authentication_VectraXDRAuditVxx |
| VMware Carbon Black Cloud | VMware Carbon Black Cloud events. | _Im_Authentication_VMwareCarbonBlackCloudVxx |
DHCP Event parsers
| Source | Notes | Parser |
|---|---|---|
| Normalized DHCP Event Logs | Any event normalized at ingestion to the ASimDhcpEventLogs table. | _Im_DhcpEvent_Native |
| Infoblox BloxOne | Infoblox BloxOne DHCP events. | _Im_DhcpEvent_InfobloxBloxOneVxx |
DNS parsers
| Source | Notes | Parser |
|---|---|---|
| Normalized DNS Logs | Any event normalized at ingestion to the ASimDnsActivityLogs table. The DNS connector for the Azure Monitor Agent uses the ASimDnsActivityLogs table. | _Im_Dns_Native |
| Azure Firewall | Azure Firewall DNS logs. | _Im_Dns_AzureFirewallVxx |
| Cisco Umbrella | Cisco Umbrella DNS logs. | _Im_Dns_CiscoUmbrellaVxx |
| Corelight Zeek | Corelight Zeek DNS logs. | _Im_Dns_CorelightZeekVxx |
| Fortinet FortiGate | Fortinet FortiGate DNS logs. | _Im_Dns_FortinetFortigateVxx |
| GCP DNS | Google Cloud Platform DNS logs. | _Im_Dns_GcpVxx |
| Infoblox BloxOne | Infoblox BloxOne DNS events. | _Im_Dns_InfobloxBloxOneVxx |
| Infoblox NIOS | Infoblox NIOS, BIND, and BlueCat DNS servers. The same parser supports multiple sources. | _Im_Dns_InfobloxNIOSVxx |
| Microsoft DNS Server | Collected using the DNS connector for the Log Analytics Agent (legacy). | _Im_Dns_MicrosoftOMSVxx |
| Microsoft DNS Server (NXlog) | Microsoft DNS Server collected using NXlog. | _Im_Dns_MicrosoftNXlogVxx |
| Microsoft Sysmon for Windows | Sysmon DNS events (Event 22) collected using Azure Monitor Agent or the Log Analytics Agent (legacy) to the Event or WindowsEvent tables. | _Im_Dns_MicrosoftSysmonVxx |
| SentinelOne | SentinelOne DNS events. | _Im_Dns_SentinelOneVxx |
| Vectra AI | Vectra AI DNS events. | _Im_Dns_VectraAIVxx |
| Zscaler ZIA | Zscaler ZIA DNS logs. | _Im_Dns_ZscalerZIAVxx |
File Activity parsers
| Source | Notes | Parser |
|---|---|---|
| Normalized File Event Logs | Any event normalized at ingestion to the ASimFileEventLogs table. | _Im_FileEvent_Native |
| Azure Blob Storage | Azure Blob Storage file events. | _Im_FileEvent_AzureBlobStorageVxx |
| Azure File Storage | Azure File Storage events. | _Im_FileEvent_AzureFileStorageVxx |
| Azure Queue Storage | Azure Queue Storage events. | _Im_FileEvent_AzureQueueStorageVxx |
| Azure Table Storage | Azure Table Storage events. | _Im_FileEvent_AzureTableStorageVxx |
| Google Workspace | Google Workspace file events. | _Im_FileEvent_GoogleWorkspaceVxx |
| Linux Sysmon | Sysmon for Linux file created and deleted events (Events 11, 23). | _Im_FileEvent_LinuxSysmonFileCreatedVxx<br>_Im_FileEvent_LinuxSysmonFileDeletedVxx |
| Microsoft Defender XDR | Microsoft Defender XDR for Endpoint file events. | _Im_FileEvent_Microsoft365DVxx |
| Microsoft Security Events | Windows file events (Event 4663) collected using the Security Events connector. | _Im_FileEvent_MicrosoftSecurityEventsVxx |
| Microsoft SharePoint | Microsoft Office 365 SharePoint and OneDrive events, collected using the Office Activity connector. | _Im_FileEvent_MicrosoftSharePointVxx |
| Microsoft Sysmon for Windows | Sysmon for Windows file events (Events 11, 23, 26) collected to the Event or WindowsEvent tables. | _Im_FileEvent_MicrosoftSysmonVxx |
| Microsoft Windows Events | Windows file events (Event 4663) collected to the WindowsEvent table. | _Im_FileEvent_MicrosoftWindowsEventsVxx |
| SentinelOne | SentinelOne file events. | _Im_FileEvent_SentinelOneVxx |
| VMware Carbon Black Cloud | VMware Carbon Black Cloud file events. | _Im_FileEvent_VMwareCarbonBlackCloudVxx |
Network Session parsers
| Source | Notes | Parser |
|---|---|---|
| Normalized Network Session Logs | Any event normalized at ingestion to the ASimNetworkSessionLogs table. The Firewall connector for the Azure Monitor Agent uses this table. | _Im_NetworkSession_Native |
| AppGate SDP | IP connection logs collected using Syslog. | _Im_NetworkSession_AppGateSDPVxx |
| AWS VPC logs | Collected using the AWS S3 connector. | _Im_NetworkSession_AWSVPCVxx |
| Azure Firewall | Azure Firewall network logs. | _Im_NetworkSession_AzureFirewallVxx |
| Azure NSG | Azure Network Security Groups flow logs. | _Im_NetworkSession_AzureNSGVxx |
| Azure Monitor VMConnection | Collected as part of the Azure Monitor VM Insights solution. | _Im_NetworkSession_VMConnectionVxx |
| Barracuda CEF | Barracuda events collected using CEF. | _Im_NetworkSession_BarracudaCEFVxx |
| Barracuda WAF | Barracuda WAF events. | _Im_NetworkSession_BarracudaWAFVxx |
| Checkpoint Firewall | Checkpoint Firewall events collected using CEF. | _Im_NetworkSession_CheckPointFirewallVxx |
| Cisco ASA | Cisco ASA events collected using CEF. | _Im_NetworkSession_CiscoASAVxx |
| Cisco Firepower | Cisco Firepower events. | _Im_NetworkSession_CiscoFirepowerVxx |
| Cisco ISE | Cisco ISE events. | _Im_NetworkSession_CiscoISEVxx |
| Cisco Meraki | Cisco Meraki events collected using the API connector or Syslog. | _Im_NetworkSession_CiscoMerakiVxx |
| Corelight Zeek | Corelight Zeek network events. | _Im_NetworkSession_CorelightZeekVxx |
| CrowdStrike Falcon | CrowdStrike Falcon Host events. | _Im_NetworkSession_CrowdStrikeFalconVxx |
| ForcePoint Firewall | ForcePoint Firewall events. | _Im_NetworkSession_ForcePointFirewallVxx |
| Fortinet FortiGate | Fortinet FortiGate firewall events collected using Syslog. | _Im_NetworkSession_FortinetFortiGateVxx |
| Illumio SaaS Core | Illumio SaaS Core events. | _Im_NetworkSession_IllumioSaaSCoreVxx |
| Microsoft Defender for IoT | Microsoft Defender for IoT micro agent and sensor events. | _Im_NetworkSession_MD4IoTAgentVxx<br>_Im_NetworkSession_MD4IoTSensorVxx |
| Microsoft Defender XDR | Microsoft Defender XDR for Endpoint network events. | _Im_NetworkSession_Microsoft365DefenderVxx |
| Microsoft Sysmon for Linux | Sysmon for Linux network events (Event 3). | _Im_NetworkSession_MicrosoftLinuxSysmonVxx |
| Microsoft Sysmon for Windows | Sysmon for Windows network events (Event 3) collected to the Event or WindowsEvent tables. | _Im_NetworkSession_MicrosoftSysmonVxx |
| Microsoft Windows Firewall | Windows Firewall events (Events 5150-5159) collected using Azure Monitor Agent or the Log Analytics Agent. | _Im_NetworkSession_MicrosoftWindowsEventFirewallVxx |
| Microsoft Windows Security Events Firewall | Windows Firewall events collected via Security Events connector. | _Im_NetworkSession_MicrosoftSecurityEventFirewallVxx |
| NTA NetAnalytics | Network Traffic Analytics events. | _Im_NetworkSession_NTANetAnalyticsVxx |
| Palo Alto PanOS | Palo Alto PanOS traffic logs collected using CEF. | _Im_NetworkSession_PaloAltoCEFVxx |
| Palo Alto Cortex Data Lake | Palo Alto Cortex Data Lake events. | _Im_NetworkSession_PaloAltoCortexDataLakeVxx |
| SentinelOne | SentinelOne network events. | _Im_NetworkSession_SentinelOneVxx |
| SonicWall Firewall | SonicWall Firewall events. | _Im_NetworkSession_SonicWallFirewallVxx |
| Vectra AI | Vectra AI network events. Supports the pack parameter. | _Im_NetworkSession_VectraAIVxx |
| VMware Carbon Black Cloud | VMware Carbon Black Cloud network events. | _Im_NetworkSession_VMwareCarbonBlackCloudVxx |
| WatchGuard Fireware OS | WatchGuard Fireware OS events collected using Syslog. | _Im_NetworkSession_WatchGuardFirewareOSVxx |
| Zscaler ZIA | Zscaler ZIA firewall logs collected using CEF. | _Im_NetworkSession_ZscalerZIAVxx |
Process Event parsers
| Source | Notes | Parser |
|---|---|---|
| Normalized Process Event Logs | Any event normalized at ingestion to the ASimProcessEventLogs table. | _Im_ProcessEvent_Native |
| Linux Sysmon | Sysmon for Linux process creation events (Event 1). | _Im_ProcessCreate_LinuxSysmonVxx |
| Microsoft Defender for IoT | Microsoft Defender for IoT process events. | _Im_ProcessEvent_MD4IoTVxx |
| Microsoft Defender XDR | Microsoft Defender XDR for Endpoint process events. | _Im_ProcessEvent_Microsoft365DVxx |
| Microsoft Security Events | Windows Security Events process creation and termination (Events 4688, 4689). | _Im_ProcessCreate_MicrosoftSecurityEventsVxx<br>_Im_ProcessTerminate_MicrosoftSecurityEventsVxx |
| Microsoft Sysmon for Windows | Sysmon for Windows process events (Events 1, 5) collected to the Event or WindowsEvent tables. | _Im_ProcessCreate_MicrosoftSysmonVxx<br>_Im_ProcessTerminate_MicrosoftSysmonVxx |
| Microsoft Windows Events | Windows process events collected to the WindowsEvent table. | _Im_ProcessCreate_MicrosoftWindowsEventsVxx<br>_Im_ProcessTerminate_MicrosoftWindowsEventsVxx |
| SentinelOne | SentinelOne process events. | _Im_ProcessCreate_SentinelOneVxx |
| Trend Micro Vision One | Trend Micro Vision One process events. | _Im_ProcessCreate_TrendMicroVisionOneVxx |
| VMware Carbon Black Cloud | VMware Carbon Black Cloud process events. | _Im_ProcessCreate_VMwareCarbonBlackCloudVxx<br>_Im_ProcessTerminate_VMwareCarbonBlackCloudVxx |
Registry Event parsers
| Source | Notes | Parser |
|---|---|---|
| Normalized Registry Event Logs | Any event normalized at ingestion to the ASimRegistryEventLogs table. | _Im_RegistryEvent_Native |
| Microsoft Defender XDR | Microsoft Defender XDR for Endpoint registry events. | _Im_RegistryEvent_Microsoft365DVxx |
| Microsoft Security Events | Windows Security Events registry events (Events 4657, 4663). | _Im_RegistryEvent_MicrosoftSecurityEventVxx |
| Microsoft Sysmon for Windows | Sysmon for Windows registry events (Events 12, 13, 14) collected to the Event or WindowsEvent tables. | _Im_RegistryEvent_MicrosoftSysmonVxx |
| Microsoft Windows Events | Windows registry events collected to the WindowsEvent table. | _Im_RegistryEvent_MicrosoftWindowsEventVxx |
| SentinelOne | SentinelOne registry events. | _Im_RegistryEvent_SentinelOneVxx |
| Trend Micro Vision One | Trend Micro Vision One registry events. | _Im_RegistryEvent_TrendMicroVisionOneVxx |
| VMware Carbon Black Cloud | VMware Carbon Black Cloud registry events. | _Im_RegistryEvent_VMwareCarbonBlackCloudVxx |
User Management parsers
| Source | Notes | Parser |
|---|---|---|
| Normalized User Management Logs | Any event normalized at ingestion to the ASimUserManagementLogs table. | _Im_UserManagement_Native |
| Cisco ISE | Cisco ISE user management events. | _Im_UserManagement_CiscoISEVxx |
| Linux Authpriv | Linux authpriv user management events. | _Im_UserManagement_LinuxAuthprivVxx |
| Microsoft Security Events | Windows Security Events user management events. | _Im_UserManagement_MicrosoftSecurityEventVxx |
| Microsoft Windows Events | Windows user management events collected to the WindowsEvent table. | _Im_UserManagement_MicrosoftWindowsEventVxx |
| SentinelOne | SentinelOne user management events. | _Im_UserManagement_SentinelOneVxx |
Web Session parsers
| Source | Notes | Parser |
|---|---|---|
| Normalized Web Session Logs | Any event normalized at ingestion to the ASimWebSessionLogs table. | _Im_WebSession_Native |
| Apache HTTP Server | Apache HTTP Server logs. | _Im_WebSession_ApacheHTTPServerVxx |
| Azure Firewall | Azure Firewall web session logs. | _Im_WebSession_AzureFirewallVxx |
| Barracuda CEF | Barracuda events collected using CEF. | _Im_WebSession_BarracudaCEFVxx |
| Barracuda WAF | Barracuda WAF events. | _Im_WebSession_BarracudaWAFVxx |
| Cisco Firepower | Cisco Firepower web events. | _Im_WebSession_CiscoFirepowerVxx |
| Cisco Meraki | Cisco Meraki web events. | _Im_WebSession_CiscoMerakiVxx |
| Citrix NetScaler | Citrix NetScaler web events. | _Im_WebSession_CitrixNetScalerVxx |
| F5 ASM | F5 ASM web events. | _Im_WebSession_F5ASMVxx |
| Fortinet FortiGate | Fortinet FortiGate web session logs. | _Im_WebSession_FortinetFortiGateVxx |
| Internet Information Services (IIS) | IIS logs collected using Azure Monitor Agent or Log Analytics Agent. | _Im_WebSession_IISVxx |
| Palo Alto PanOS | Palo Alto PanOS threat logs collected using CEF. | _Im_WebSession_PaloAltoCEFVxx |
| Palo Alto Cortex Data Lake | Palo Alto Cortex Data Lake events. | _Im_WebSession_PaloAltoCortexDataLakeVxx |
| SonicWall Firewall | SonicWall Firewall web events. | _Im_WebSession_SonicWallFirewallVxx |
| Squid Proxy | Squid Proxy web logs. | _Im_WebSession_SquidProxyVxx |
| Vectra AI | Vectra AI web events. Supports the pack parameter. | _Im_WebSession_VectraAIVxx |
| Zscaler ZIA | Zscaler ZIA web logs collected using CEF. | _Im_WebSession_ZscalerZIAVxx |