Which ASIM parser schema is suitable to map alerts data

Nirali Shah 146 Reputation points
2023-04-18T05:51:51.9066667+00:00

We have one data source which has alerts-related data. We want to create an ASIM parser for that alerts data. We have tried to map the alerts data to the available ASIM parser schemas, but we are unable to find an exact ASIM parser schema which is suitable to map alerts data. Can you please help us to identify the best suitable ASIM parser schema to map our alerts-related data?

Here I'm providing you some of the fields of alert data schema for your reference.

{
  "index": "", // AlertId
  "avilableRelatedAlerts": "",
  "_embedded": {
    "labels": [] // Cyber related metadata like IP, hash, urls, malwares, threats etc.
  },
  "categories": [{}],
  "timestamp": "",
  "alertType": "",
  "companies": "",
  "headline": "", // summary of alert
  "location": "",
  "latitude": "",
  "longitude": ""
}
Microsoft Sentinel

1 answer

  1. Clive Watson 5,951 Reputation points MVP
    2023-04-18T06:53:05.9466667+00:00

    You may have already looked, but the "Develop ASIM parser" instructions are quite good: https://learn.microsoft.com/EN-US/AZURE/sentinel/normalization-develop-parsers

    I'd use the above, and also look at other examples: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers that start with "ASim.." to get a close match with the schema you have. Then create your own Parser.

    1 person found this answer helpful.