What is the difference between the filtering parser and the parameter-less parser in ASIM parsers?

Rushit Ajudiya 146 Reputation points
2023-03-13T10:12:48.6333333+00:00

Hello,

I am developing an ASIM parser and following the steps from https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers#custom-parser-development-process, and in step 4 of those steps there are two parsers, a filtering parser and a parameter-less parser. So what is the difference between these two parsers?

Microsoft Sentinel

2 answers

  1. Clive Watson 5,711 Reputation points MVP
    2023-03-13T12:41:00.2+00:00

    The parser with the parameters I find most useful, as you only parse the data based on the filters supplied, whereas the parameter-less one parses everything (so is often much slower)!
    The two should be identical AFAIK. If this helps please "Accept".


  2. Clive Watson 5,711 Reputation points MVP
    2023-03-15T11:18:18.71+00:00

    @Clive Watson is there any update regarding this?

    What else do you need?

    There are two parsers: "ASim_nnnnn", which doesn't need a parameter (I selected DNS as one possible example),

    and "_Im_nnnnnn", which accepts parameters, to aid filtering and performance.

    There are lots of good docs on ASIM:

    https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-parsers#optimizing-parsing-using-parameters

    https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers
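    As an added illustration of the difference described in the answers above (this is example KQL written for this page, not code from the question, the answers, or the Microsoft docs), the sketch below shows a filtering parser and its parameter-less counterpart side by side. The source table `MyDnsLog_CL` and its columns `ClientIP_s` and `Query_s` are assumptions; the parameter names mirror the ones ASIM uses for DNS filtering parsers. The point is where the `where` clauses sit: the filtering parser drops rows before any normalization work, so on a time- or domain-scoped query it touches far less data, while the parameter-less parser normalizes every row and leaves filtering to the caller.

```kql
// Filtering parser (the "_Im_" style). Every parameter has a default that
// means "no filter", so calling it with no arguments still returns everything.
// Assumed table and columns: MyDnsLog_CL, ClientIP_s, Query_s.
let ImDnsExample = (
    starttime: datetime = datetime(null),
    endtime: datetime = datetime(null),
    srcipaddr_has_any_prefix: dynamic = dynamic([]),
    domain_has_any: dynamic = dynamic([]),
    disabled: bool = false
) {
    MyDnsLog_CL
    // 'disabled' lets a unifying parser switch this source off cheaply.
    | where not(disabled)
    // Filters are applied first, on raw columns, before any extend/project.
    | where (isnull(starttime) or TimeGenerated >= starttime)
    | where (isnull(endtime) or TimeGenerated <= endtime)
    | where (array_length(srcipaddr_has_any_prefix) == 0
             or has_any_ipv4_prefix(ClientIP_s, srcipaddr_has_any_prefix))
    | where (array_length(domain_has_any) == 0
             or Query_s has_any (domain_has_any))
    // Normalization to ASIM field names happens only for surviving rows.
    | extend
        SrcIpAddr   = ClientIP_s,
        DnsQuery    = Query_s,
        EventType   = 'Query',
        EventSchema = 'Dns'
    | project-away ClientIP_s, Query_s
};
// Parameter-less parser (the "ASim" style): identical normalization, no
// filtering. Any where clause the caller adds runs after the extend/project.
let ASimDnsExample = () {
    MyDnsLog_CL
    | extend
        SrcIpAddr   = ClientIP_s,
        DnsQuery    = Query_s,
        EventType   = 'Query',
        EventSchema = 'Dns'
    | project-away ClientIP_s, Query_s
};
// Both calls return the same rows; only the amount of work differs.
ImDnsExample(starttime=ago(1h), domain_has_any=dynamic(['contoso.com']))
| union (
    ASimDnsExample()
    | where TimeGenerated >= ago(1h)
    | where DnsQuery has_any ('contoso.com')
)
```

    When saving the real thing as two Sentinel functions, the parameter-less one can simply call the filtering one with its defaults so the normalization logic lives in one place; the docs linked above describe that layout.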