Advanced Security Information Model (ASIM) ProcessEvent parsers
This folder includes the Advanced Security Information Model (ASIM) ProcessEvent parsers. The parsers are provided in YAML and in ARM template formats. The latter can be used to deploy the parsers, while the former is provided for educational purposes.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- Normalization and the Advanced Security Information Model (ASIM)
- Microsoft Sentinel ProcessEvent normalization schema reference
Parsers
This template deploys the following parsers:
- Source agnostic parsers:
  - imProcessEvent - Process events from all normalized process events sources
  - imProcessCreate - Process creation events from all normalized process events sources
  - imProcessTerminate - Process termination events from all normalized process events sources
  - vimProcessEmpty - Empty ASim Process table
- Source specific parsers:
  - Microsoft 365 Defender for Endpoints - vimProcessEventMicrosoft365D
  - Sysmon for Windows (Events 1 and 5) - vimProcessCreateMicrosoftSysmon, vimProcessTerminateMicrosoftSysmon
  - Sysmon for Linux - vimProcessCreateLinuxSysmon, vimProcessTerminateLinuxSysmon
  - Windows Security Events, collected using the Log Analytics Agent or Azure Monitor Agent - vimProcessCreateMicrosoftSecurityEvents, vimProcessTerminateMicrosoftSecurityEvents
  - Windows Events collected using the Azure Monitor Agent - vimProcessCreateMicrosoftWindowsEvents, vimProcessCreationMicrosoftWindowsEvents. Note that these are the same original events as Windows Security Events, but collected into the WindowsEvent table, for example when collected using Windows Event Forwarding.
  - Microsoft Defender for IoT - Endpoint (MD4IoT) - vimProcessEventMD4IoT
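As an added example (not part of this README or of the ASIM repository), the following KQL hunting query uses the source-agnostic imProcessCreate parser, so a single query covers Sysmon, Security Events, Defender and the other sources listed above. The filter parameter names (starttime, endtime, targetprocess_has_any, commandline_has_any) and the ASIM column names are taken from the ASIM ProcessEvent schema reference linked above and are assumptions here, as this page does not state them.

```kql
// Added example: hunt for encoded PowerShell launches across every normalized
// process source at once. Parameter names and ASIM column names are assumed
// from the ASIM ProcessEvent schema reference, not taken from this page.
let lookback = 1d;
imProcessCreate(
    starttime = ago(lookback),
    endtime = now(),
    targetprocess_has_any = dynamic(["powershell.exe", "pwsh.exe"]),
    commandline_has_any = dynamic(["-enc", "-encodedcommand"])
)
// One projection works for every source-specific parser, because each of them
// emits the same normalized columns that the unifying parser unions together.
| project TimeGenerated, EventVendor, EventProduct, DvcHostname, ActorUsername,
          ActingProcessName, TargetProcessName, TargetProcessCommandLine
// Rare command lines, seen on few hosts, are the ones worth analyst attention.
| summarize Executions = count(), FirstSeen = min(TimeGenerated),
            Hosts = make_set(DvcHostname, 10)
  by EventProduct, ActorUsername, TargetProcessCommandLine
| order by Executions asc
```

Grouping by EventProduct keeps visible which collector produced each hit, which helps when the same host reports through both Sysmon and Security Events.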
Analytics rules
By deploying these parsers, you enable the following out-of-the-box analytics rules to work with ASIM:
- Probable AdFind Recon Tool Usage (Normalized Process Events)
- Base64 encoded Windows process command-lines (Normalized Process Events)
- Malware in the recycle bin (Normalized Process Events)
- NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
- SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
Hunting queries
By deploying these parsers, you enable the following out-of-the-box hunting queries to work with ASIM:
- Cscript script daily summary breakdown (Normalized Process Events)
- Enumeration of users and groups (Normalized Process Events)
- Exchange PowerShell Snapin Added (Normalized Process Events)
- Host Exporting Mailbox and Removing Export (Normalized Process Events)
- Invoke-PowerShellTcpOneLine Usage (Normalized Process Events)
- Nishang Reverse TCP Shell in Base64 (Normalized Process Events)
- Summary of users created using uncommon/undocumented commandline switches (Normalized Process Events)
- Powercat Download (Normalized Process Events)
- PowerShell downloads (Normalized Process Events)
- Entropy for Processes for a given Host (Normalized Process Events)
- SolarWinds Inventory (Normalized Process Events)
- Suspicious enumeration using Adfind tool (Normalized Process Events)
- Windows System Shutdown/Reboot (Normalized Process Events)
- Certutil (LOLBins and LOLScripts, Normalized Process Events)
- Rundll32 (LOLBins and LOLScripts, Normalized Process Events)
- Uncommon processes - bottom 5% (Normalized Process Events)
- Unicode Obfuscation in Command Line