ASIM parsers and analytics rules

Anand R Menon 291 Reputation points

Hi Team,

As far as I understand, ASIM parsers combine similar logs from different sources, for eg., "imAuthentication" combines Azure AD interactive and non-interactive Sign in logs, M365 Defender-based sign in logs etc. So when an incident is generated from an analytics rule(for eg., "Brute force attack against user credentials (Uses Authentication Normalization)"), how to understand what is the log source and what kind of sign in it is(without checking the Sentinel Logs)? When tested with this rule, the incident generated showed just the user accounts as entities.

Also, is it proposed to gradually phase out normal parsers and analytics rules based on them in favor of ASIM parsers and rules? Thank you.

Anand R Menon

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,030 questions
{count} votes

Accepted answer
  1. Givary-MSFT 29,681 Reputation points Microsoft Employee

    @Anand R Menon

    I have checked with my team about the above problem statement.

    This is indeed not apparent from the incident today. We are planning to add the Device Vendor and Device Product fields as custom fields to the incident.

    To that end, we have updated now this specific rule to display the Vendor and Product in custom fields: Azure-Sentinel/imAuthBruteForce.yaml at master · Azure/Azure-Sentinel - It would be available in a week or two in the product, and can be used as a guideline to update the rule manually now.

    As to the larger question: yes, we plan to move all relevant detections to ASIM.

    Let me know if you have any questions.

    If this answer was helpful to you, please consider "marking as answer" so that others in the community with similar questions will more easily find the resolution.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful