Edit

Share via

Advanced Security Information Model (ASIM) security content (Public preview)

Normalized security content in Microsoft Sentinel includes analytics rules, hunting queries, and workbooks that work with unifying normalization parsers.

You can find normalized, built-in content in Microsoft Sentinel galleries and solutions, create your own normalized content, or modify existing content to use normalized data.

This article lists built-in Microsoft Sentinel content that has been configured to support the Advanced Security Information Model (ASIM). While links to the Microsoft Sentinel GitHub repository are provided as a reference, you can also find these rules in the Microsoft Sentinel Analytics rule gallery. Use the linked GitHub pages to copy any relevant hunting queries.

To understand how normalized content fits within the ASIM architecture, refer to the ASIM architecture diagram.

Tip

Also watch the Deep Dive Webinar on Microsoft Sentinel Normalizing Parsers and Normalized Content or review the slides. For more information, see Next steps.

Important

ASIM is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Authentication security content

The following built-in authentication content is supported for ASIM normalization.

Analytics rules

File Activity security content

The following built-in file activity content is supported for ASIM normalization.

Analytics Rules

Registry activity security content

The following built-in registry activity content is supported for ASIM normalization.

Analytics rules

Hunting queries

DNS query security content

The following built-in DNS query content is supported for ASIM normalization.

Solutions Analytics rules
DNS Essentials
Log4j Vulnerability Detection
Legacy IOC Based Threat Detection		 (Preview) TI map Domain entity to DNS Events (ASIM DNS Schema)
(Preview) TI map IP entity to DNS Events (ASIM DNS Schema)
Potential DGA detected (ASimDNS)
Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
DNS events related to mining pools (ASIM DNS Schema)
DNS events related to ToR proxies (ASIM DNS Schema)
Known Forest Blizzard group domains - July 2019

Network session security content

The following built-in network session related content is supported for ASIM normalization.

Solutions Analytics rules Hunting queries
Network Session Essentials
Log4j Vulnerability Detection
Legacy IOC Based Threat Detection		 Log4j vulnerability exploit aka Log4Shell IP IOC
Excessive number of failed connections from a single source (ASIM Network Session schema)
Potential beaconing activity (ASIM Network Session schema)
(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)
Port scan detected (ASIM Network Session schema)
Known Forest Blizzard group domains - July 2019		 Connection from external IP to OMI related Ports

Process activity security content

The following built-in process activity content is supported for ASIM normalization.

Solutions Analytics rules Hunting queries
Endpoint Threat Protection Essentials
Legacy IOC Based Threat Detection		 Probable AdFind Recon Tool Usage (Normalized Process Events)
Base64 encoded Windows process command-lines (Normalized Process Events)
Malware in the recycle bin (Normalized Process Events)
Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
SUNBURST suspicious SolarWinds child processes (Normalized Process Events)		 Cscript script daily summary breakdown (Normalized Process Events)
Enumeration of users and groups (Normalized Process Events)
Exchange PowerShell Snapin Added (Normalized Process Events)
Host Exporting Mailbox and Removing Export (Normalized Process Events)
Invoke-PowerShellTcpOneLine Usage (Normalized Process Events)
Nishang Reverse TCP Shell in Base64 (Normalized Process Events)
Summary of users created using uncommon/undocumented commandline switches (Normalized Process Events)
Powercat Download (Normalized Process Events)
PowerShell downloads (Normalized Process Events)
Entropy for Processes for a given Host (Normalized Process Events)
SolarWinds Inventory (Normalized Process Events)
Suspicious enumeration using Adfind tool (Normalized Process Events)
Windows System Shutdown/Reboot (Normalized Process Events)
Certutil (LOLBins and LOLScripts, Normalized Process Events)
Rundll32 (LOLBins and LOLScripts, Normalized Process Events)
Uncommon processes - bottom 5% (Normalized Process Events)
Unicode Obfuscation in Command Line

Web session security content

The following built-in web session related content is supported for ASIM normalization.

Solutions Analytics rules
Log4j Vulnerability Detection
Threat Intelligence		 (Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)
(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)
Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Network Session schema)
A client made a web request to a potentially harmful file (ASIM Web Session schema)
A host is potentially running a crypto miner (ASIM Web Session schema)
A host is potentially running a hacking tool (ASIM Web Session schema)
A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)
Discord CDN Risky File Download (ASIM Web Session Schema)
Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
User agent search for Log4j exploitation attempt

Next steps

For more information, see: