Thank you for your post!
I understand that you're developing an ASIM Parser, and within step 4 it mentions the need to develop a Filtering Parser and a Parameter-less Parser. From the GitHub Repo that you shared, when looking at the ASim and vim files, I would agree that it's safe to say the ASim files and the imAuditEvent file contain the Parameter-less Parser in YAML format, while the vim files (excluding the vimAuditEventEmpty file) contain the Filtering Parser.
Azure Sentinel Parsers GitHub Repo:
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
Additional Links
- List of Microsoft Sentinel ASIM parsers (Public preview)
- ASIM Audit Events normalization schema reference (Public preview)
- ASIM known issues
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
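To illustrate the two parser forms discussed in the answer above, here is an added KQL example (not code from the Azure Sentinel repository): a vim-style filtering parser that accepts ASIM filtering parameters and applies them before normalization, and an ASim-style parameter-less wrapper over it. The custom table MyAuditLog_CL, its columns, and the product names are assumptions made up for the example.

```kql
// Added example, not a parser from the Azure Sentinel repo.
// Assumed source table (constructed for this example):
//   MyAuditLog_CL with columns TimeGenerated, Actor_s, Op_s, Target_s, Result_s
//
// Filtering parser (vim* form): takes the standard ASIM filtering parameters
// (starttime, endtime, disabled) plus schema-specific ones, and applies them
// as early as possible so the engine reads only the rows that are needed.
let vimAuditEventMyProduct = (
    starttime: datetime = datetime(null),
    endtime: datetime = datetime(null),
    actorusername_has_any: dynamic = dynamic([]),
    operation_has_any: dynamic = dynamic([]),
    disabled: bool = false
) {
    MyAuditLog_CL
    // Honour the ASIM "disabled" switch: return nothing when the parser is excluded.
    | where not(disabled)
    // Time window filter; null means "no bound".
    | where (isnull(starttime) or TimeGenerated >= starttime)
        and (isnull(endtime) or TimeGenerated <= endtime)
    // Schema-specific filters; an empty list means "no filter".
    | where (array_length(actorusername_has_any) == 0 or Actor_s has_any (actorusername_has_any))
    | where (array_length(operation_has_any) == 0 or Op_s has_any (operation_has_any))
    // Normalize source fields to ASIM AuditEvent names.
    | project-rename ActorUsername = Actor_s, Operation = Op_s, Object = Target_s
    | extend
        EventResult = iff(Result_s == "ok", "Success", "Failure"),
        EventType = "Set",
        EventSchema = "AuditEvent",
        EventVendor = "MyVendor",
        EventProduct = "MyProduct"
};
// Parameter-less parser (ASim* form): exposes only "disabled", so it can be used
// in a plain union or by features that cannot pass filtering parameters.
// Arguments are passed positionally with their neutral defaults.
let ASimAuditEventMyProduct = (disabled: bool = false) {
    vimAuditEventMyProduct(datetime(null), datetime(null), dynamic([]), dynamic([]), disabled)
};
// Usage: the filtering form reads only the last day's events for one actor,
// whereas the parameter-less form returns everything.
vimAuditEventMyProduct(ago(1d), datetime(null), dynamic(["admin@contoso.com"]))
| take 10
```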