What are the differences between the ASim and vim files in ASIM parsers?

Rushit Ajudiya 146 Reputation points


I am developing an ASIM parser and following the steps from https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers#custom-parser-development-process. In step 4 of those steps there are two parsers: a filtering parser and a parameter-less parser.

So after developing these two parsers, there are two types of files in https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/ASimAuditEvent/Parsers: one is ASim and the other is vim. Can we say that the ASim file contains the parameter-less parser in YAML format and the vim file contains the filtering parser in YAML format?

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.

Accepted answer
  1. JamesTran-MSFT 36,361 Reputation points Microsoft Employee

    @Rushit Ajudiya

    Thank you for your post!

    I understand that you're developing an ASIM parser, and within step 4 it mentions the need to develop a filtering parser and a parameter-less parser. From the GitHub repo that you shared, when looking at the ASim and vim files, I would agree that it's safe to say the ASim files and the imAuditEvent file contain the parameter-less parser in YAML format, while the vim files (excluding the vimAuditEventEmpty file) contain the filtering parser.

    Azure Sentinel Parsers GitHub Repo: [screenshot]

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
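As an added illustration of the two parser kinds discussed in the accepted answer (constructed for this page; these are not files from the Azure-Sentinel repo and not the question author's parsers), here is a minimal vim/ASim pair for a hypothetical Contoso audit source. The table name ContosoAudit_CL, its columns (action_s, status_s, user_s, operation_s, id_s), the Contoso product name and the simplified field mapping are all assumptions made for the example.

```yaml
# Two constructed ASIM parser definitions, added here for illustration; they are
# not files from the Azure-Sentinel repo. Table ContosoAudit_CL, its columns and
# the Contoso product name are all made up for the example.
#
# 1) Filtering parser (vim* naming): exposes filter parameters so callers can
#    push predicates down into the source query.
Parser:
  Title: Audit event ASIM filtering parser for Contoso (example)
  Version: '0.1.0'
  LastUpdated: Jan 01, 2024
Product:
  Name: Contoso Audit (example)
Normalization:
  Schema: AuditEvent
  Version: '0.1'
References:
- Title: ASIM AuditEvent schema
  Link: https://learn.microsoft.com/azure/sentinel/normalization-schema-audit
Description: Filtering parser for constructed Contoso audit records.
ParserName: vimAuditEventContoso
EquivalentBuiltInParser: _Im_AuditEvent_Contoso
ParserParams:
  - Name: starttime
    Type: datetime
    Default: datetime(null)
  - Name: endtime
    Type: datetime
    Default: datetime(null)
  - Name: eventtype_in
    Type: dynamic
    Default: dynamic([])
  - Name: disabled
    Type: bool
    Default: false
ParserQuery: |
  let parser = (
      starttime: datetime=datetime(null),
      endtime: datetime=datetime(null),
      eventtype_in: dynamic=dynamic([]),
      disabled: bool=false) {
    ContosoAudit_CL
    | where not(disabled)
    // Pre-filter on the raw table before the normalization work below
    | where (isnull(starttime) or TimeGenerated >= starttime)
        and (isnull(endtime) or TimeGenerated <= endtime)
        and (array_length(eventtype_in) == 0 or action_s in~ (eventtype_in))
    | extend
        EventType = action_s,
        EventResult = iff(status_s =~ 'ok', 'Success', 'Failure'),
        EventVendor = 'Contoso',
        EventProduct = 'Contoso Audit',
        EventSchema = 'AuditEvent',
        EventSchemaVersion = '0.1',
        ActorUsername = user_s,
        Operation = operation_s
    | project-rename EventOriginalUid = id_s
  };
  parser(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, disabled=disabled)
---
# 2) Parameter-less parser (ASim* naming): same normalization, only `disabled`.
#    In this example it delegates to the vim function above (which must be
#    deployed as a workspace function first); a standalone copy of the query
#    with the filter parameters removed works equally well.
Parser:
  Title: Audit event ASIM parser for Contoso (example)
  Version: '0.1.0'
  LastUpdated: Jan 01, 2024
Product:
  Name: Contoso Audit (example)
Normalization:
  Schema: AuditEvent
  Version: '0.1'
References:
- Title: ASIM AuditEvent schema
  Link: https://learn.microsoft.com/azure/sentinel/normalization-schema-audit
Description: Parameter-less parser for constructed Contoso audit records.
ParserName: ASimAuditEventContoso
EquivalentBuiltInParser: _ASim_AuditEvent_Contoso
ParserParams:
  - Name: disabled
    Type: bool
    Default: false
ParserQuery: |
  vimAuditEventContoso(disabled=disabled)
```

The split matters for performance rather than for the output shape: a unifying im* parser calls each vim source parser with its filter parameters, so time and event-type predicates are evaluated on the raw table before normalization, while analytics rules and workbooks that need no filtering call the ASim parameter-less function. Both produce the same normalized AuditEvent columns.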

1 additional answer

  1. Bill Clarkson-Antill 5 Reputation points MVP

    (VIM) Visibility, Insights, and Mitigation - VIM parsers are used for collecting data from various sources and transforming them into a format that can be analyzed by Sentinel. They typically extract key fields and attributes from raw logs and convert them into a standardized format that can be ingested by Sentinel. VIM parsers are typically used for ingesting data from on-premises sources and are configured on a per-data source basis.