Azure-Sentinel/Parsers/ASimRegistry
Ofer Shezaf 9b8247c42e Rename product 2021-11-03 10:40:18 +02:00
Directory contents (last commit per entry):
  • ARM - Rename product (2021-11-03 10:40:18 +02:00)
  • ProductParsers - now supporting new version of sysmon for Windows (2021-09-19 16:17:36 +03:00)
  • README.md - Rename product (2021-11-03 10:40:18 +02:00)
  • RegistryEventEmpty.yaml - adding EventOriginalType missing field (2021-08-15 19:17:31 +03:00)
  • RegistryEventGeneric.yaml - updating ARM templates for WindowsEvent (2021-08-15 21:42:58 +03:00)

README.md

Advanced SIEM Information Model (ASIM) Registry parsers

This template deploys all ASIM Registry parsers. The template is part of the Advanced SIEM Information Model (ASIM).

The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.

Note: Please ensure that the subscription, resource group and location are the same as your current Microsoft Sentinel (Log Analytics) workspace to prevent duplicate workspaces from being created.

For more information, see:


This template deploys the following:

  • vimRegistryEmpty - Empty ASIM Registry table
  • imRegistry - Registry events from all normalized Registry event sources
  • vimRegistryEventsMicrosoft365D - Registry events from Microsoft 365 Defender for Endpoint
  • vimRegistryEventMicrosoftSysmon - Registry events from Sysmon (Events 12, 13 and 14) collected to the Event table using the Log Analytics Agent or the Azure Monitor Agent.
  • vimRegistryEventMicrosoftSecurityEvents - Registry events from Windows Security events (Event 4657) collected to the SecurityEvent table using the Log Analytics Agent or the Azure Monitor Agent.
  • vimRegistryEventMicrosoftWindowsEvent - Registry events from Windows Security events (Event 4657) collected to the WindowsEvent table using the Azure Monitor Agent. Note that these are the same original events as the Windows Security events, but collected to the WindowsEvent table instead, for example when collected using Windows Event Forwarding.