In Microsoft Sentinel, parsing and normalizing happen at query time. Parsers are built as KQL user-defined functions that transform data in existing tables, such as CommonSecurityLog, custom logs tables, or Syslog, into the normalized schema.
Use Advanced Security Information Model (ASIM) parsers instead of table names in your queries to view data in a normalized format and to include all data relevant to the schema in your query.
To understand how parsers fit within the ASIM architecture, refer to the ASIM architecture diagram.
Built-in ASIM parsers and workspace-deployed parsers
ASIM parsers are built in and available out-of-the-box in every Microsoft Sentinel workspace.
ASIM also supports deploying parsers to specific workspaces from GitHub, using an ARM template. Workspace-deployed parsers are used for ASIM parser development and management. They are functionally equivalent to the built-in parsers but follow slightly different naming conventions, which allows both parser sets to coexist in the same Microsoft Sentinel workspace. Read more about workspace-deployed parsers to learn how to deploy, use, and manage them.
Use built-in parsers when developing ASIM content. Workspace-deployed parsers are typically used during the parser development process, or to provide modified versions of built-in parsers, as described in managing parsers.
Parser hierarchy and naming
ASIM includes two levels of parsers: unifying parsers and source-specific parsers. Users usually query the unifying parser for the relevant schema, which ensures that all data relevant to the schema is included. The unifying parser in turn calls the source-specific parsers, which perform the actual parsing and normalization for each source.
The unifying parser name is _Im_<schema>, where <schema> is the schema it serves. Source-specific parsers can also be used independently. Their naming convention is _Im_<schema>_<source>V<version>. You can find a list of source-specific parsers in the ASIM parsers list.
Note
A corresponding set of parsers uses the _ASim_<schema> naming convention. These parsers do not support filtering parameters and are provided for backward compatibility.
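The following KQL is an added example, not one of the ASIM parsers shipped with Microsoft Sentinel or published in its GitHub repository. It shows the two-level hierarchy described above as plain KQL user-defined functions: a source-specific parser that normalizes OpenSSH sshd password-logon messages into a subset of the ASIM Authentication schema, and a unifying parser that forwards the starttime, endtime and targetusername_has_any filtering parameters and unions the source parsers. The Syslog rows are constructed inline with datatable so the query runs in any Log Analytics or Kusto environment; the function names vimAuthenticationSampleSshd and imAuthenticationSample, the regular expressions, and the EventVendor/EventProduct strings are assumptions made for this illustration.

```kusto
// Constructed sample rows standing in for the Syslog table (column names match the real Syslog table).
let SampleSyslog = datatable(TimeGenerated:datetime, Computer:string, HostIP:string, ProcessName:string, SyslogMessage:string)
[
    datetime(2024-05-01 10:00:00), "web01", "10.1.0.10", "sshd", "Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    datetime(2024-05-01 10:00:05), "web01", "10.1.0.10", "sshd", "Failed password for invalid user bob from 203.0.113.7 port 40000 ssh2",
    datetime(2024-05-01 10:00:09), "web01", "10.1.0.10", "cron", "(root) CMD (run-parts /etc/cron.hourly)"
];
// Source-specific parser (assumed name, modeled on the vim<Schema><Source> workspace-deployed convention).
// Filtering parameters are applied before any parsing so the cost of the regexes is paid only on rows in scope.
let vimAuthenticationSampleSshd = (
    starttime:datetime=datetime(null),
    endtime:datetime=datetime(null),
    targetusername_has_any:dynamic=dynamic([])
) {
    SampleSyslog
    | where (isnull(starttime) or TimeGenerated >= starttime)
        and (isnull(endtime) or TimeGenerated <= endtime)
    | where ProcessName == "sshd"
    // Only password logon outcomes are normalized here; other sshd lines are dropped (extract returns "" on no match).
    | extend Outcome = extract(@"^(Accepted|Failed) password ", 1, SyslogMessage)
    | where isnotempty(Outcome)
    | extend
        TargetUsername = extract(@"for (?:invalid user )?(\S+) from ", 1, SyslogMessage),
        SrcIpAddr      = extract(@" from (\S+) port ", 1, SyslogMessage),
        SrcPortNumber  = toint(extract(@" port (\d+) ", 1, SyslogMessage))
    | where array_length(targetusername_has_any) == 0 or TargetUsername has_any (targetusername_has_any)
    | project
        TimeGenerated,
        EventStartTime = TimeGenerated, EventEndTime = TimeGenerated, EventCount = 1,
        EventVendor = "OpenBSD", EventProduct = "OpenSSH",   // assumed vendor/product strings for the illustration
        EventSchema = "Authentication", EventSchemaVersion = "0.1.3",
        EventType = "Logon", EventResult = iff(Outcome == "Accepted", "Success", "Failure"),
        LogonMethod = "Password",
        TargetUsername, TargetUsernameType = "Simple",
        SrcIpAddr, SrcPortNumber,
        DvcHostname = Computer, DvcIpAddr = HostIP
};
// Unifying parser (assumed name): same parameter list, passes the parameters through
// and unions every source-specific parser for the schema.
let imAuthenticationSample = (
    starttime:datetime=datetime(null),
    endtime:datetime=datetime(null),
    targetusername_has_any:dynamic=dynamic([])
) {
    union isfuzzy=true
        vimAuthenticationSampleSshd(starttime, endtime, targetusername_has_any)
        // further source-specific parsers for the Authentication schema would be listed here
};
// Query the unifying parser rather than the raw table; the filter reaches the source parser unchanged.
imAuthenticationSample(starttime=datetime(2024-05-01), targetusername_has_any=dynamic(["bob"]))
| project TimeGenerated, EventResult, TargetUsername, SrcIpAddr, SrcPortNumber
```

Run against the constructed rows, the final query returns one row: the failed logon for bob from 203.0.113.7 port 40000. The cron line is dropped by the ProcessName filter, and alice's successful logon is excluded by the targetusername_has_any parameter. Because parsing happens at query time, a slow or incorrect source-specific parser affects every analytics rule and hunting query that goes through the unifying parser, which is why the filtering parameters are evaluated before the regular expressions rather than after the union.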
Tip
The parser hierarchy adds a layer to support customization. For more information, see Managing ASIM parsers.
Next steps
Learn more about ASIM parsers:
For more about ASIM in general, see: